17.3.0 What is System Access Control
17.3.1 User-Related Security View
17.3.2 Channel-Related Security View
17.3.0 What is System Access Control
System Access Control authorizes the establishment of a session (i.e., login) and its continuation until logoff.
Before granting a session, the TL1 Agent will validate and authenticate the session requester. In addition, the NE/NS also ensures that the communication path between the NE/NS and the session requester is trusted so that no intruder can enter the channel.
The main objective of the System Access Control feature is to reduce the risk of unauthorized access to the NE/NS.
The User-Related Security View and the Channel-Related Security View together implement system access control. The commands available for System Access Control are explained under User-Related Security View and Channel-Related Security View.
17.3.1 User-Related Security View
The User-Related Security View is essential for the identification and authentication of the users accessing the TL1 Agent. It contains the security parameters, and their values, associated with all users authorized to access the TL1 Agent.
System access control is enforced through the User-Related Security View: the user details and the various privileges associated with each user are entered in this view.
17.3.1.1 Enabling User-Related Security View
Follow the steps given below to enable the User Security View in the TL1 Agent.
In the TL1Compiler, choose Project>>Settings from the Menu Bar or use the shortcut key CTRL+SHIFT+S. A dialog box will appear with the Settings tree in its left frame.
Choose the node Security from the Settings tree.
Enable the Security Option here. You can now choose any of the five security views available. User Security is enabled by default.
17.3.1.2 User Security Related Parameters
The following user detail parameters are available in the User-Related Security View.
User Name (UID): The user's name. A User Name can be a maximum of 10 alphanumeric characters.
Password (PID): The password for the corresponding user name. The password is stored as an MD5 hash rather than in clear text.
User Status (STATE): Whether the particular user name is functioning, i.e. in service (IS), or not functioning, i.e. out of service (OS).
Password Aging Time (PAGE): The expiry duration of the password, in days. When a user logs in after the PAGE period has elapsed, he/she is notified of the PCND and PCNN details and has to change the password before the PCND or PCNN limit is reached. Default value is 60. Range is 0 to 999 days.
Early warning on imminent password aging (PCND): The period, in days after PAGE, during which the user is still allowed to change his password. Default value is 7. Range is 0 to 999 days.
Early warning on imminent password aging (PCNN): The number of times a user can log in after the PAGE limit has been reached, before which the user has to change his password. Default value is 3. Range is 0 to 999 times.
Time of Last Login (LastLoginTimeStamp): The last recorded login time of the user. It is displayed every time the user logs in.
Password Obsolescence Interval (POINT): The minimum interval, in days, that must elapse before a password that was already used may be used again. Please note that POINT has not been implemented in this release. Default value is 180. Range is 0 to 999 days.
User ID Aging Interval (UOUT): The aging or expiry interval of a particular User ID, in days. At the end of this interval the UID is disabled if, during the interval, it has never been used to set up a session. Default value is 90. Range is 0 to 999 days.
Channel Identifier List (CID): The list of channels (such as TCP, UDP, etc.) through which the particular user has access. Default value is TCP.
User Access Privilege (UAP): The user's access privileges. UAP is alphanumeric. By default the TL1 Compiler uses the UAP value "priv1".
List of Ports (LSTOI): The list of objects or ports (or directory numbers) that the particular user is authorized to access. The user needs to handle this parameter.
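The aging parameters above (PAGE, PCND, PCNN and UOUT) are evaluated together at login time. The following Python function is an added illustration of that evaluation, not code from the TL1 Agent toolkit; it assumes the rule, stated later on this page for the TL1 Compiler, that a negative PCNN means PCND is in effect, and it assumes the UOUT interval is counted from the user's creation date, which the page does not specify.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Documented range shared by PAGE, PCND, PCNN, POINT and UOUT.
RANGE_MIN, RANGE_MAX = 0, 999


@dataclass
class UserSecu:
    """User-Related Security View parameters that drive password and UID aging.

    Defaults are the documented ones (PAGE 60, PCND 7, UOUT 90). PCNN is given
    as -1 so that PCND is in effect, mirroring the TL1 Compiler default.
    """
    uid: str
    created: date                       # assumed reference point for UOUT
    pwd_changed: date                   # date the current PID was set
    page: int = 60
    pcnd: int = 7
    pcnn: int = -1                      # negative: PCND in effect; >= 0: PCNN in effect
    uout: int = 90
    last_login: Optional[date] = None
    grace_logins_used: int = 0          # logins consumed after PAGE in PCNN mode

    def __post_init__(self) -> None:
        for name in ("page", "pcnd", "uout"):
            value = getattr(self, name)
            if not RANGE_MIN <= value <= RANGE_MAX:
                raise ValueError(f"{name}={value} outside {RANGE_MIN}..{RANGE_MAX}")
        if self.pcnn > RANGE_MAX:
            raise ValueError(f"pcnn={self.pcnn} above {RANGE_MAX}")


def evaluate_login(user: UserSecu, today: date) -> str:
    """Decide what a login on `today` means for this user's password state.

    Returns one of:
      UID_DISABLED      UOUT elapsed without any session having been set up
      OK                password still within PAGE
      CHANGE_PASSWORD   past PAGE but inside the PCND-days / PCNN-logins grace
      PASSWORD_EXPIRED  grace exhausted; the PID must be changed before use
    """
    # UOUT: the UID is disabled if it was never used for a session in the interval.
    if user.last_login is None and (today - user.created).days >= user.uout:
        return "UID_DISABLED"

    age_days = (today - user.pwd_changed).days
    if age_days <= user.page:
        return "OK"

    if user.pcnn < 0:
        # PCND mode: a window of PCND days after PAGE in which to change the PID.
        if age_days - user.page <= user.pcnd:
            return "CHANGE_PASSWORD"
        return "PASSWORD_EXPIRED"

    # PCNN mode: a fixed number of further logins after PAGE.
    if user.grace_logins_used < user.pcnn:
        user.grace_logins_used += 1
        return "CHANGE_PASSWORD"
    return "PASSWORD_EXPIRED"
```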
17.3.1.3 User Related Security View Commands for Authentication
1. Command for User Authentication
Following is the input message format for User Authentication.
ACT-USER::<UID>:<CTag>::<PID>;
The User Name (or User ID) is entered in the Access Identifier block and the Password in the message payload block.
e.g. Input Message: ACT-USER::root:1::public;
The above example logs in the user with UID "root" and PID "public" to the TL1 Agent.
2. Command for logging out of the TL1 Agent
Following is the input message format for logging out.
CANC-USER::<UID>:<CTag>::;
CANC-USER only closes the user's connection to the TL1 Agent; the session itself is not closed. UID is the user name of the user who wishes to log out.
e.g. Input Message: CANC-USER::root:2::;
The above example logs out the user with UID "root" from the TL1 Agent.
3. Command for Editing the Password
Using the command below, any user can edit his/her own password.
ED-PID::<UID>:<CTag>::a,b;
where "a" is the old password (PID) and "b" is the new password (PID). UID is the user name of the user who wishes to change the PID.
e.g.: ED-PID::root:3::public,secret;
The above example changes the password of the user "root" from "public" to "secret".
4. Command for Retrieving the User Security Parameters
This command can be used by a user to retrieve the security parameters associated with that user (except the password, which cannot be retrieved).
Following is the input message format for retrieving the User Security Parameter details.
RTRV-USER-SECU:<TID>:<UID>:<CTag>::;
UID is the User ID of the user whose security-related parameters are being retrieved.
e.g. Input Message: RTRV-USER-SECU::root:12::;
The above input command example retrieves the User Security details of the user "root", as shown in the output response below.
Response Message Received From :localhost
<CR>
<LF><LF> Source 02-01-09 20:25:02<CR>
<LF>M 12 RTRV<CR>
<LF> <LF>;
17.3.1.4 User-Related Security View Commands for System Administration
The following commands are administrator commands. Only the root user can use them. The default user name and password for the administrator are "root" and "public" respectively. The administrator cannot change the user name but can change the password using the ED-USER-SECU (Edit) command, which is explained in the following sections.
1. Entering New User Details into the User Security View
Following is the input message format for entering user details in the User Security View.
ENT-USER-SECU::<UID>:<CTag>::PID,CID,UAP:PCND,PCNN,POINT,UOUT,LSTOILIST;
Using this command, a new user and his details can be added to the User Security View. The first list in the MPB, namely PID, CID and UAP, is position defined and its values have to be entered in that order. The next list, namely PCND, PCNN, POINT, UOUT, LSTOILIST, is keyword defined and can be entered in any sequence, provided the right values are assigned to the appropriate parameters. Also remember that only one of the two values PCNN and PCND should be given.
e.g.:
ENT-USER-SECU::user1:13::user1,TCP,2:page=56,pcnd=8,uout=30,point=87,lstoi=file;
The above input command example creates a new user "user1" with the User Security Parameter values shown in it.
2. Editing Existing User Details in the User Security View
Following is the input message format for editing the user details in the User Security View.
ED-USER-SECU::<UID>:<CTag>::UID,PID,CID,UAP:PCND,PCNN,POINT,UOUT,LSTOILIST;
Using the above command, the administrator can edit and modify the details of any user in the User Security View. The first list in the MPB, namely UID, PID, CID and UAP, is position defined and its values have to be entered in that order. The next list in the MPB is keyword defined and can be entered in any sequence, provided the right values are assigned to the appropriate parameters.
e.g.
ED-USER-SECU::user1:13::user1,pswd,TCP,2:page=56,pcnd=4,uout=32,point=84,lstoi=file;
The above input command example edits the User Security details of the user "user1" with the new User Security parameter values shown in it. Please note that it is not mandatory to give all the MPB values when editing; only the parameter that is to be changed needs to be given.
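The position-defined and keyword-defined lists described for ENT-USER-SECU and ED-USER-SECU can be checked against the documented ranges before a message is sent. The following Python parser is an added example, not part of the TL1 Agent toolkit; it assumes that a bare value in the keyword-defined list (as in the ENT-USER-SECU example later on this page) fills the next not-yet-given parameter in the documented order, and that a negative PCNN means PCND is in effect.

```python
import re
from typing import Any, Dict

# Position-defined parameters of the message payload block (MPB), in order.
POSITIONAL = {
    "ENT-USER-SECU": ("PID", "CID", "UAP"),
    "ED-USER-SECU": ("UID", "PID", "CID", "UAP"),
}
# Keyword-defined parameters in documented order; PAGE is accepted as well
# because the page's examples set it here. Negative PCNN = "PCND in effect".
KEYWORD_ORDER = ("pcnd", "pcnn", "point", "uout", "lstoi")
INT_RANGE = {"page": (0, 999), "pcnd": (0, 999), "pcnn": (-999, 999),
             "point": (0, 999), "uout": (0, 999)}


def parse_user_secu(message: str) -> Dict[str, Any]:
    """Parse and validate an ENT-USER-SECU or ED-USER-SECU input message."""
    msg = message.strip()
    if not msg.endswith(";"):
        raise ValueError("TL1 input message must end with ';'")
    # Header blocks are command code, TID, AID, CTAG, GB; the rest is the MPB,
    # which itself contains ':' between the positional and keyword lists.
    parts = [p.strip() for p in msg[:-1].split(":", 5)]
    if len(parts) < 6:
        raise ValueError("expected <CMD>:<TID>:<AID>:<CTag>:<GB>:<payload>")
    verb, tid, aid, ctag, _gb, payload = parts
    verb = verb.upper()
    if verb not in POSITIONAL:
        raise ValueError(f"unsupported command code {verb!r}")
    if not re.fullmatch(r"[A-Za-z0-9]{1,10}", aid):   # UID: max 10 alphanumerics
        raise ValueError(f"invalid UID {aid!r} in the AID block")

    pos_block, _, kw_block = payload.partition(":")
    names = POSITIONAL[verb]
    pos_values = [v.strip() for v in pos_block.split(",")] if pos_block else []
    if len(pos_values) > len(names):
        raise ValueError("too many position-defined values in the MPB")
    if verb == "ENT-USER-SECU" and (len(pos_values) < len(names) or not all(pos_values)):
        raise ValueError("ENT-USER-SECU requires PID, CID and UAP")
    positional = {n: (v or None) for n, v in zip(names, pos_values)}  # ED may omit

    keyword: Dict[str, Any] = {}
    bare = []
    for item in filter(None, (i.strip() for i in kw_block.split(","))):
        key, eq, value = item.partition("=")
        if eq:
            key = key.strip().lower()
            keyword["lstoi" if key == "lstoilist" else key] = value.strip()
        else:
            bare.append(item)
    # Assumption: bare values fill the remaining keyword parameters in order.
    remaining = [k for k in KEYWORD_ORDER if k not in keyword]
    if len(bare) > len(remaining):
        raise ValueError("more bare values than unassigned keyword parameters")
    keyword.update(zip(remaining, bare))

    for key, value in list(keyword.items()):
        if key in INT_RANGE:
            lo, hi = INT_RANGE[key]
            try:
                number = int(value)
            except ValueError:
                raise ValueError(f"{key} must be an integer, got {value!r}") from None
            if not lo <= number <= hi:
                raise ValueError(f"{key}={number} outside {lo}..{hi}")
            keyword[key] = number
        elif key != "lstoi":
            raise ValueError(f"unknown keyword parameter {key!r}")
    # Only one of PCND / PCNN may be active; a negative PCNN just selects PCND.
    if "pcnd" in keyword and keyword.get("pcnn", -1) >= 0:
        raise ValueError("give either PCND or a non-negative PCNN, not both")

    return {"verb": verb, "tid": tid, "aid": aid, "ctag": ctag,
            "positional": positional, "keyword": keyword}
```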
3. Deleting a User from the User Security View
Following is the input message format for deleting a user from the User Security View.
DLT-USER-SECU::<UID>:<CTag>::;
Using the above command, any user can be permanently removed from the User Security View by the administrator.
The User Name (UID) of the user to be removed is entered in the Access Identifier (AID) block.
e.g.: DLT-USER-SECU::user1:14::;
The above input command example deletes the user "user1" from the User Security View.
4. Retrieving User-Related Security View Details
The following command is used by the administrator to retrieve the User-Related Security View details of a particular user.
Following is the input message format for retrieving the user security details from the User Security View.
RTRV-USER-SECU:<TID>:<UID>:<CTag>:<GB>:;
UID is the User ID of the user whose user security details are to be retrieved.
e.g. RTRV-USER-SECU::user1:4::;
The above example retrieves the user security details of the user with User ID "user1".
Note: After adding, editing or deleting an entry in the security view, the respective security entry is updated in the corresponding text file under the <Your Project>/agent/bin/conf directory.
17.3.1.5 Using User-Related Security View
This section will teach you how to use the User-Related Security View and add a new user to it.
17.3.1.5.1 Logging in and Logging Out
Logging in and logging out can otherwise be called authentication. Follow the steps given below to log in to and out of the TL1 Agent. Here we will log in as the administrator, whose default user name and password are "root" and "public" respectively.
Create a simple TL1 Agent for the TCS tl1sample.tcs as explained in section 6.0 "Creating a Simple TL1 Agent".
Start the Agent at a specified port, say 9099, as explained in section 6.0 "Creating a Simple TL1 Agent".
Start the TL1Browser by selecting Tools >> TL1Browser from the Menu Bar of the TL1 Compiler. Please note that if the TL1Compiler is started from the Launcher, the TL1Browser cannot be started from the TL1Compiler.
Load the tl1sample.tcs and tl1security.tcs files using File>>Load in the Menu Bar.
Choose Operations>>Connect in the Menu Bar.
Enter the Host Name and Port Number where the agent is running in the dialog box that appears.
Click OK. You are now connected to the TL1 Agent.
Authenticate to the TL1 Agent using the input message "ACT-USER::root:1::public;". After typing the message, choose Operations>>Send in the Menu Bar or use the shortcut key CTRL+N.
The Agent will respond by sending the following autonomous message, which can be viewed in the Autonomous Message Block.
Autonomous Message Received From :localhost
<CR>
<LF><LF> rajeshm 2002-04-11 12:22:25<CR>
<LF>** 1 REPT EVT SESSION<CR>
<LF> "rajeshm:NO"<CR>
<LF> /*NOTICE:This is a private computer system.
<LF> Unauthorised access or use may lead to prosecution*/<CR>
<LF>;
The Agent will also send the following response message, which can be viewed in the Response Message Block.
Request Sent = <CR>
ACT-USER::root:1::public;
Response Message Received From :localhost
<CR>
<LF><LF> rajeshm 2002-04-11 12:22:25<CR>
<LF>M 1 COMPLD<CR>
<LF> "root:\"2002-6-8 14:48:25\",0"<CR>
<LF>;
This means that you have successfully authenticated to the TL1 Agent.
You can log out of the TL1 Agent at any time using the CANC-USER command shown below.
CANC-USER::root:2::;
17.3.1.5.2 Adding User-Related Security Parameter Values
Values for the User-Related Security Parameters can be added or modified in the following two ways:
From the TL1 Compiler Security Settings before code generation
From the TL1 Browser using the commands related to User Security View. This can be done only during runtime.
1. From the TL1 Compiler
Follow the steps given below to add values for the User Security View parameters. In this chapter we take the example of adding a new user with user name "User1" and password "pswd" to the User Security View.
In the TL1Compiler, choose Project>>Settings from the Menu Bar or use the shortcut key CTRL+SHIFT+S. A dialog box will appear with the Settings tree in its left frame.
Choose the node Security from the Settings tree.
Enable the Security Option here. You can now choose any of the five security views available. User Security is enabled by default.
Choose User Security from the Security View option. New User Security entries and values can now be added or modified from the table below the "Security View" option.
Click the Add button below the table to add a new entry to the User Security View. A "Security Settings" dialog box will appear, where you have to enter the new user details as shown below.

Please note that PCND is enabled by default in the TL1Compiler. This is achieved by giving PCNN a negative value. The user can enable PCNN instead by giving it any positive value less than 999.
After adding the new entry details as shown above, click the OK button. The new entry for the User Security View is added to the table as shown below.

Now generate and compile the code for the loaded TCS and start the TL1 Agent.
The newly added user (User1) can now authenticate to the TL1 Agent as explained in the Logging in and Logging out section. The User ID to be passed in the AID block is User1 and the password is pswd. Remember that the agent should be started from the console and the login done in the same console, since the CID is "craft".
Note: The values of the parameters of an existing user can also be modified from this configuration table.
2. From the TL1 Browser
A new user and his/her details can also be added, or the values of the parameters of existing users modified, from the TL1 Browser. This is done using the commands related to the User Security View available in the tl1security.tcs file. Please follow the steps given below.
Start a Simple TL1 Agent at a specified port and connect to the Agent from the TL1 Browser.
Log in as the administrator as explained in the Logging in and Logging out section. Only the administrator has the authority to add a new user or modify the existing values of a user's parameters (except PID).
To add a new user with user name "User1" and password "pswd", type the following input message in the input message block:
ENT-USER-SECU :: User1:3::pswd,craft, priv1:Page=65,PCND=8,PCNN=-3,180,91,2;
ENT-USER-SECU can also be selected from the tl1security.tcs file tree.
Now send the input message by selecting Operations >> Send from the Menu Bar or pressing the shortcut key CTRL+N.
You will find the following message in the Response Message block of the TL1 Browser.
Request Sent = ENT-USER-SECU :: User1:3::pswd,craft, priv1:Page=65,PCND=8,PCNN=-3,180,91,2;
Response Message Received From :localhost
<CR>
<LF><LF> Source 02-01-10 13:55:46<CR>
<LF>M 3 COMPLD<CR>
<LF>;
The above response message means that the new user "User1" and his details have been added to the User Security View.
The newly added user (User1) can now authenticate to the TL1 Agent as explained in the Logging in and Logging out section. The User ID to be passed in the AID block is User1 and the password is pswd.
Similarly, all the other User Security related commands, such as ED-USER-SECU, DLT-USER-SECU and RTRV-USER-SECU, can be used from the TL1 Browser.
17.3.2 Channel-Related Security View
The Channel-Related Security View contains the security details for each of the protocols. System access control is also enforced through this view: using it, the administrator can restrict certain channels to certain users, or make certain resources of a system accessible only through certain channels.
The Channel-Related Security View contains the security parameters associated with all channels. The channels dealt with here are the transport protocols, such as TCP, the Craft Interface, etc.
17.3.2.1 Enabling Channel Security View
Follow the steps given below to enable the Channel Security View in the TL1 Agent.
In the TL1Compiler, choose Project>>Settings from the Menu Bar or use the shortcut key CTRL+SHIFT+S. A dialog box will appear with the Settings tree in its left frame.
Choose the node Security from the Settings tree.
Enable the Security Option here. You can now choose any of the security views available. User Security is enabled by default.
Enable the Channel Security option.
Channel Security is now listed in the Security View table, and you can modify the values of the Channel Security View parameters from this table. The default channel entry TCP is listed in the table; if craft is selected, it is listed in the Channel Security View table as well.
If Channel Security is not enabled, a session expires when it is kept idle for the duration "Session timeout". As soon as Channel Security is enabled, session expiry is calculated only from the TMOUT of the channel.
17.3.2.2 Channel Security Related Parameters
Channel Identity (CID): The key parameter that identifies the channel. CID can be any of the transport protocols, such as TCP, UDP, Craft Interface, etc. If User Security and Channel Security are both enabled, a user can access the agent only through the channels specified in his CID list.
Channel Status (STATUS): Whether the particular channel is functioning (inservice) or not functioning (outofservice).
Maximum Invalid Sessions (MXINV): The maximum number of invalid user name and password entries allowed while trying to access a particular channel. Once this value is reached, the agent enters a state of alert. MXINV is a count of attempts. Default value is 5 and the range of MXINV is 1 to 9.
Duration of Alert (DURAL): The length of time for which the TL1 Agent stays in the state of alert after the MXINV value is reached. During this period, messages received from that particular client are not processed until the DURAL period expires. DURAL is in minutes; when entering values through the TL1 Browser, DURAL has to be specified in HH-MM-SS format. Default value is one minute (00-01-00). The range of DURAL is 00-00-01 to 99-59-59.
Time Out Interval (TMOUT): The maximum time for which a user logged in through a particular channel can stay idle. When the timeout value is reached, the user is automatically logged off and an autonomous message cancelling the session ("CANC") is sent to that session. TMOUT is in minutes; when entering values through the TL1 Browser, TMOUT has to be specified in HH-MM-SS format. Default value is 15 minutes and the range is up to 99 minutes.
Channel Access Privilege (CHAP): The set of privileges that a user of the particular channel has. The privileges include lists of commands, ports, etc. CHAP is specified in levels such as 1, 2, etc.; the default privilege is priv1. Privilege values can be up to 8 alphanumeric characters long, with a maximum of 25 characters.
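MXINV, DURAL and TMOUT together describe a small state machine that a defender would want enforced and logged consistently. The Python classes below are an added example of that logic, not code from the TL1 Agent toolkit; they assume invalid-login counters and the alert state are kept per client address, as the DURAL description ("messages received from that particular client") suggests, and they read HH-MM-SS values the way the TL1 Browser expects them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional


def parse_hms(text: str) -> timedelta:
    """Parse the HH-MM-SS form the TL1 Browser uses for DURAL and TMOUT."""
    hours, minutes, seconds = (int(x) for x in text.split("-"))
    if not (0 <= hours <= 99 and 0 <= minutes <= 59 and 0 <= seconds <= 59):
        raise ValueError(f"bad HH-MM-SS value {text!r}")
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


@dataclass
class ChannelSecu:
    """Channel-Related Security View parameters for one CID (documented defaults)."""
    cid: str
    mxinv: int = 5                            # invalid attempts before alert, 1..9
    dural: timedelta = timedelta(minutes=1)   # alert duration, default 00-01-00
    tmout: timedelta = timedelta(minutes=15)  # idle timeout, default 15 minutes

    def __post_init__(self) -> None:
        if not 1 <= self.mxinv <= 9:
            raise ValueError(f"MXINV={self.mxinv} outside 1..9")
        if not parse_hms("00-00-01") <= self.dural <= parse_hms("99-59-59"):
            raise ValueError("DURAL outside 00-00-01..99-59-59")
        if not timedelta(0) < self.tmout <= timedelta(minutes=99):
            raise ValueError("TMOUT outside the documented range (up to 99 minutes)")


@dataclass
class ChannelGuard:
    """Tracks invalid logins (MXINV/DURAL) and idle sessions (TMOUT) on one channel.

    Assumption: failure counters and the alert state are kept per client address.
    """
    secu: ChannelSecu
    failures: Dict[str, int] = field(default_factory=dict)
    alert_until: Dict[str, datetime] = field(default_factory=dict)
    last_activity: Dict[str, datetime] = field(default_factory=dict)

    def in_alert(self, client: str, now: datetime) -> bool:
        until = self.alert_until.get(client)
        if until is None:
            return False
        if now < until:
            return True
        # DURAL has expired: leave the alert state and reset the failure count.
        del self.alert_until[client]
        self.failures.pop(client, None)
        return False

    def record_login(self, client: str, now: datetime, valid: bool) -> str:
        """Process an ACT-USER attempt and return the outcome a log line would carry."""
        if self.in_alert(client, now):
            return "DROPPED"        # not processed until DURAL expires
        if valid:
            self.failures.pop(client, None)
            self.last_activity[client] = now
            return "COMPLD"
        count = self.failures.get(client, 0) + 1
        self.failures[client] = count
        if count >= self.secu.mxinv:
            self.alert_until[client] = now + self.secu.dural
            return "ALERT"
        return "DENY"

    def touch(self, client: str, now: datetime) -> Optional[str]:
        """Record activity on a session; return 'CANC' once TMOUT has expired."""
        last = self.last_activity.get(client)
        if last is None:
            return None             # no session for this client
        if now - last >= self.secu.tmout:
            del self.last_activity[client]
            return "CANC"           # autonomous CANC: the session is logged off
        self.last_activity[client] = now
        return None
```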
17.3.2.3 Channel-Related Security View Commands
Following are the Channel-Related Security View commands that have been implemented in the TL1 Agent.
Administrator Commands
The following commands are administrator commands in the Channel Security View. Only the "root" user can use them. The default user name and password for the administrator are "root" and "public" respectively.
1. Command for Entering a New Channel
This command is used by the administrator to enter the security parameters associated with a Channel Identifier.
The format of the input command is as follows:
ENT-CID-SECU:<TID>:<CID>:<CTag>:<GB>:CHAP:DURAL,MXINV,TMOUT;
The Channel ID is entered in the AID block. The first list in the MPB, namely CHAP, is a position-defined parameter. The next list in the MPB, namely DURAL, MXINV, TMOUT, is keyword defined and can be entered in any sequence, provided the right values are assigned to the appropriate parameters.
e.g.
ENT-CID-SECU::craft:10::2,MXINV=5,DURAL=00-13-23,TMOUT=26;
The above example adds a new channel "craft" with privilege 2 to the Channel Security View.
2. Command for Editing Channel-Related Security Details
Using the following command, the administrator can edit and modify any of the security parameters associated with a Channel Identifier.
The format of the input command is as follows:
ED-CID-SECU:<TID>:<CID>:<CTag>:<GB>:CHAP:DURAL,MXINV,TMOUT;
All parameter blocks are position defined, except DURAL, MXINV and TMOUT, which are keyword defined. Only those data parameters that are to be edited are entered; those that remain unaffected are omitted from the command.
e.g.
ED-CID-SECU::craft:10::1&2,MXINV=7,DURAL=00-13-23,TMOUT=26;
The above example changes the Channel Access Privilege (CHAP) and MXINV values of the channel "craft".
3. Command for Deleting Channel-Related Security Parameters
Using the following command, the administrator can delete the security parameters associated with any channel identifier in the Channel Security View.
The format of the input command is as follows:
DLT-CID-SECU:<TID>:<CID>:<CTag>:<GB>:;
The Channel ID (CID) of the channel whose security parameters are to be deleted is entered in the Access Identifier (AID) block.
e.g. DLT-CID-SECU::craft:10::;
The above example input command deletes the channel "craft" from the Channel Security View.
4. Command for Retrieving Channel Security Parameters
This command retrieves the security parameters associated with any or all channel identifiers. (These identifiers may signify the user system interface ports of the NE/NS, or directory numbers of users authorized to have access to the NE/NS operations database.) Although this is an administrator-related command, any user can retrieve the details of the CIDs mentioned in his CID list.
The format of the input command is as follows:
RTRV-CID-SECU:<TID>:<CID>:<CTag>:<GB>:;
CID is the channel identifier, which may be a single CID or a block of CIDs, where the block may include all CIDs.
e.g. RTRV-CID-SECU::tcp:2::;
The above example retrieves the Channel-Related Security details of the channel "tcp", as shown in the response below.
Response Message Received From :localhost
<CR>
<LF><LF> Source 02-01-12 16:41:50<CR>
<LF>M 2 RTRV<CR>
<LF> "TCP:1:MXINV=5,DURAL=0-1-0,TMOUT=15"<CR>
<LF>;
Note: After adding, editing or deleting an entry in the security view, the respective security entry is updated in the corresponding text file under the <Your Project>/agent/bin/conf directory.
17.3.2.4 Using Channel-Related Security View
Adding Channel-Related Security Parameter Values
Values for the Channel-Related Security Parameters can be added or modified in the following two ways:
From the TL1 Compiler Security Settings before code generation
From the TL1 Browser using the commands related to the Channel Security View. This can be done only during runtime.
In this chapter we take the example of adding a new channel CRAFT to the Channel Security View, along with values for the Channel Security parameters.
1. From the TL1 Compiler
Follow the steps given below to add values for the Channel Security View parameters.
In the TL1Compiler, choose Project>>Settings from the Menu Bar or use the shortcut key CTRL+SHIFT+S. A dialog box will appear with the Settings tree in its left frame.
Choose the node Security from the Settings tree.
Enable the Security Option here. You can now choose any of the five security views available. User Security is enabled by default.
Choose Channel Security from the Security View option. New Channel Security entries and values can now be added or modified from the table below the "Security View" option.
Click the Add button below the table to add a new entry to the Channel Security View. A "Security Settings" dialog box will appear, where you have to enter the new channel details as shown below.

After adding the new entry details as shown above, click the OK button. The new entry for the Channel Security View is added to the table as shown below.
Now generate and compile the code for the loaded TCS and start the TL1 Agent.
The new channel, namely "CRAFT", has now been added to the Channel Security View.
Note: The values of the parameters of an existing channel can also be modified from this configuration table.
2. From the TL1 Browser
A new channel and its details can also be added, or the values of the parameters of an existing channel modified, from the TL1 Browser. This is done using the commands related to the Channel Security View available in the tl1security.tcs file. Follow the steps given below.
Start a simple TL1 Agent at a specified port and connect to the Agent from the TL1 Browser.
Log in as the administrator as explained in the Logging in and Logging out section. Only the administrator has the authority to add a new channel or modify the existing values of the channel parameters.
To add a new channel "CRAFT" and its details to the Channel Security View, type the following input message in the input message block:
ENT-CID-SECU::CRAFT:4::priv2,MXINV=7,DURAL=00-03-00,TMOUT=23;
ENT-CID-SECU can also be selected from the tl1security.tcs file tree.
Now send the input message by selecting Operations >> Send from the Menu Bar or pressing the shortcut key CTRL+N.
You will find the following message in the Response Message block of the TL1 Browser.
Request Sent = ENT-CID-SECU::CRAFT:4::priv2,MXINV=7,DURAL=00-03-00,TMOUT=23;
Response Message Received From :localhost
<CR>
<LF><LF> Source 02-01-11 11:49:29<CR>
<LF>M 4 COMPLD<CR>
<LF>;
The above response message means that you have successfully added a new channel "CRAFT" to the Channel Security View.
Similarly, all the other Channel Security related commands, such as ED-CID-SECU, DLT-CID-SECU, CANC-CID-SECU and RTRV-CID-SECU, can be used from the TL1 Browser.