Professional Documents
Culture Documents
System Administration
Administrator Manual
Revision history
Document/
Release date Revision remarks
Order no.
2012-02-10 09980121 Initial version intended for MasterClaw 6.3.1
2012-03-14 09980122 Corrections in Chapters 3, 5, and 7.
2012-11-28 09980123 Version updated to MC-6.4. Major changes:
Ch. 3: further details on User Administration and more applications
introduced.
Ch. 4: more details on QMON
Ch. 5: capabilites updated; qlogs sec. improved; details on interfaces
and port numbers added.
Ch. 6: Sec-linux Tool added.
2013-02-14 09980124 Version updated to MC-6.4.1. Major changes:
Add-ons in Sec. 5.5 (qmcpi-sec)
Small updates in Ch. 6 "Sec-linux tool"
"Backup procedure" added at Sec. 8.2.
2013-06-28 09980125 Ch. 4 updated; more applications related to postgreSQL
administration added in sections 3.3.1 and 3.5; more capabilities and
their usage at tables 5.1 and 5.3; OSGI console added in table 5.30;
table 5.34 updated.
2014-01-10 09980131 Overall update for MC-7.0.0
2014-03-10 09980132 Dismissed eoCompass items removed throughout whole document.
2014-06-12 09980141 Overall update to MC-7.0.1:
- Vertica user administration, sec. 2.7
- new capabilities, table 4.1
- privacy control, sec. 4.5.4
- port numbers on MC servers updated, sec. 4.6.1
- Vertica port numbers, sec. 4.6.8
- Chapter 5 Sec-linux tool updated
2014-08-08 09980142 Capabilities corrected at sec. 4.4
Universe resources corrected at table 4.25
NDAF-DWH Server, NDAF components now integrated in MC
backup (table 7.1).
2014-12-19 09980151 Overall update to MC-7.0.2:
- Updates at Tables 4.30, 4.44, 7.1.
- qmcpi-sec figures updated at sec. 4.5.3
2015-02-16 09980152 Date/time format examples for securityadmin auditreport corrected
at sec. 3.3.2.
Chapter 5 "Sec-linux" tool: improvements at sec. 5.8, 5.9, 5.10,
5.12.5
2015-04-17 09980153 "URL" and "Domain" capabilities added at Tables 4.1 and 4.3.
Port numbers added at Table 4.30.
SSL Certificate description improved, sec. 6.1.2.
2015-06-12 09980154 Cosmetic adjustments.
2015-08-14 09980155 Wrong items removed from table 4.3
2017-01-26 09980158 Cosmetic adjustments at tables 4.29 and 4.30.
2 System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 – 1
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 – 2
2.1.1 Environment Variables and the q7env Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 – 2
2.1.2 q7adm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 – 2
3 Self Surveillance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 – 1
4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 1
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 2
4.11 IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 77
4.13 SUDO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 79
4.13.1 Disable sudo on Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 79
4.13.2 Disable sudo on Probe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 80
5 Sec-linux Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 – 1
5.2 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 – 5
5.3 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 – 6
5.4 Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 – 7
5.10 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 – 15
6 System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 – 1
8 Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 – 1
9 Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 – 1
List of Figures
Fig. 3.1 Application killed with data saving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 – 19
Fig. 3.2 Application killed with no data saving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 – 19
Fig. 4.1 MasterClaw security environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 3
Fig. 4.2 QMCPI-SEC root node – list view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 20
Fig. 4.3 QMCPI-SEC users node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 21
Fig. 4.4 QMCPI-SEC users entity node – attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 22
Fig. 4.5 QMCPI-SEC user groups node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 25
Fig. 4.6 QCMPI-SEC user groups entity node – attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 26
Fig. 4.7 QCMPI-SEC capabilities node. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 27
Fig. 4.8 QMCPI-SEC capabilities entity node – attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 28
Fig. 4.9 QCMPI-SEC centres node. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 29
Fig. 4.10 QCMPI-SEC centres entity node – attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 30
Fig. 4.11 QCMPI-SEC signalling linkset node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 31
Fig. 4.12 QCMPI-SEC signalling linkset entity node – attributes . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 32
Fig. 4.13 QCMPI-SEC security policies node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 33
Fig. 4.14 QCMPI-SEC security policies entity node – account lockout . . . . . . . . . . . . . . . . . . . . 4 – 34
Fig. 4.15 QCMPI-SEC security policies entity node – password . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 35
Fig. 4.16 QCMPI-SEC Resources node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 36
Fig. 4.17 QCMPI-SEC Resources entity node - attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 37
Fig. 4.18 QCMPI-SEC DBOs node. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 40
Fig. 4.19 QCMPI-SEC DBOs entity node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 41
Fig. 4.20 Example of a network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 – 70
Installing a new While Chapter 2. System Administration describes commands and utilities
software release for installing a new software, and Chapter 8. Appendix describes the directory
structure and the required configuration files, you may not find this document
relevant for installation of a new software release.
Instead, for information on installation of the current software release, please
refer to the MasterClaw installation and configuration guides.
Caution: A type of note that advises users that failure to take or avoid a
specified action could result in loss of data or damage of
equipment.
Procedures A procedure that tells you how to perform a task looks like this:
Step What to do
1. Select and open the object by double-clicking the icon
2. Place the instrument in its carrying case and close it.
Lists In a list that summarises a number of facts, each item is preceded by a • like
this:
● One fact
● Another fact
● Yet another fact
Keyboard keys A KEYBOARD KEY is represented by the name of the key in capitals, like
SHIFT+F3.
Buttons, icons, boxes, All these items are represented by their name or label text, like this; in the
dialogues, etc. Instrument Setup dialogue, click Load.
Links or cross- Links and cross-references are written in italic. Links to Web sites are written
references in blue and underlined.
2.1 Introduction
This Chapter describes the commands for general MasterClaw system
administration.
Please refer to the release notes for each package for detailed information
about how to install and configure MasterClaw.
Please refer to Chapter 8. Appendix for more information about environment
variables, directory structure, and configuration files.
2.1.2 q7adm
The q7adm command is used for all administration of MasterClaw. The
q7adm command can perform the following operations:
● Start all server processes used within MasterClaw
● Stop these server processes
● Load a new package into the current MasterClaw system
● Install a loaded package
● Uninstall a previously installed package
● Unload a previously loaded package
The q7adm command can only be used from the root account.
The q7adm command is called as:
# q7adm [command-options…] SUB-COMMAND [sub-command-
options…] ARGUMENTS
Each of the possible sub-commands and their special options are described
below.
help To see a short description of all available q7adm commands, use the
command:
% q7adm help
start and stop To start all installed services use the command:
% q7adm start
To start services of a specific set of packages, use the command:
% q7adm start package…
When no packages are specified (the first example), the qbase, qns and
TOPO packages are started before any other packages. The rest of the
packages are handled in alphabetical order.
The packages are stopped in the reverse sequence.
Note: The support for start and stop is implemented in the individual
packages; please refer to the release notes for the different packages
for further information.
Option Description
-u Update a currently installed package.
For example:
% q7adm install qstc-1.1.2
.
qxts-if-2.1.0 (installed as 'qxts-if')
sdlt-4.0.8.3 (installed as 'sdlt')
temip-register-3.0.3 (installed as 'temip-register')
Some more words on Remember that the password is the weak link in the security chain in any Unix
passwords system.
● Never have your password written on a piece of paper or hidden under
the keyboard, in a drawer or anywhere near the keyboard – passwords
are meant to be remembered!
● Choose a password that is easily remembered but hard to guess.
2.3.1 Linux
The following Linux accounts are present in a MasterClaw system and they
should not be blocked since they are used to administer and run the
applications:
● root
● mclaw
● qpm (only on probes and info servers)
● ipsec-listen (optional)
● oracle
● rainstor
● vertica
Optional user mclawxdr is also present for letting third part download
TDRs. This user can be blocked.
All other users can be disabled (or removed) by using the sec-linux tool. See
Chapter 5. Sec-linux Tool for details.
Changing password The password can be changed on a host using standard linux command:
> passwd
It is also possible to change the password on several hosts from the Central
Server and the mclaw account at the same time, using the change
password tool (changepass, provided that the listed hosts have the same
password. If needed, the tool can update probe configuration files for qpm
and ipsec-listen accounts (see more info further down in this section).
Changing expiring The expiring date can be modified with the standard linux command chage:
date To show the current setting for a user:
> chage -l <user name>
Force password It is possible to force the password change with the standard linux command
change chage:
> chage <user name> -d 0
Key generation for ssh For NDAF it is mandatory to create keys for ssh authentication by executing
the following command, that uses RSA by default:
> ssh-keygen
If you need to change the algorithm using rsa1, rsa or dsa, execute:
> ssh-keygen -t <rsa1|rsa|dsa>
Cyphering Length
Algorithm
RSA1 2048
RSA 2048
DSA 1024
Personal accounts On Linux host, the personal account (which is by default not needed) can be
created using the following commands executed as root:
# useradd <account name>
# passwd <account name>
The following command can be used to become root (or mclaw) and to
perform the administrative task that requires the given account:
> su -
or
> su - mclaw
Seldom, the root account may also be needed to perform some other
administrative tasks:
● System probe software installation/upgrade(uses sudo rpm)
● Probe ntp configuration (uses sudo ntp_copy.sh)
● Ipsec deployment (uses sudo ipsec-config)
● MC Selfmon agent deployment (uses sudo rpm)
● MC Selfmon services start/stop/administration
● MC backup installation/administration
MCSelf Monitoring
MC Self Monitoring is started and stopped using the linux command
service on:
● nagios (only on selfmon machine)
● mysqld (only on selfmon machine)
● httpd (only on selfmon machine)
● nrpe (only on monitored machines)
root is also needed to change the nagiosadmin user through the apache
htpasswd command.
Disabling login
It is possible to disable direct root login from outside; in this case, the
administrator shall log on the system using another account, and then
becoming root.
Depending on the security level requested by the customer, you can:
● Use mclaw account also as login account
● Use personal accounts as login account
To disable the root account, you should use the sec-linux tool by choosing
the plugin that implements the Customer requirement, to:
● Permit root login only from console
● Completely disable root login.
Note: The home directories are not preserved in case of platform upgrade.
Moreover, the personal accounts could be locked in some cases (e.g.
expired password, too many failed logins…) so the risk exists that the
administrator cannot logon remotely.
mclaw User mclaw is available on all platforms on which the plugins PRO, SRV
and CLU have been installed. This is the main MasterClaw account and it is
used by almost all services.
The default password is: mclaw..
Note: If there are any applications installed on the system which use mclaw
account, they shall be reconfigured with the new password. Examples:
● dwh backend downloading DR from a mediation server
● qxdrs delivering DR to eoFinder Browse
● eoFinderBrowse Server to install tablespaces
mclawxdr The user mclawxdr is available on all platforms on which the plugins PRO
and SRV have been installed.
This account can be used to let third party applications download TDRs from
a host. This ensures that the mclaw password is not communicated to those
that aren’t Master Claw administrator.
Its default passwords are:
On server: mclawxdr..
On probe: mclawxdr..
qpm User qpm is available on all platforms on which the plugins PRO has been
installed. This account is reserved for probe software installation.
The default password is: qpm
If this password is changed, then the qpm-server.nin on the Central
Server has to be updated with the new password.
ipsec-listen The ipsec-listen user is available on all platforms on which the ULP
platform has been installed. This account is reserved for ipsec configuration.
The default password is: ipsec..
If this password is changed, then the ipsec.nin on the Central Server has
to be updated accordingly.
postgres User postgres is available on all platforms on which the Postgres package
has been installed. This account is used by:
● PostgreSQL RDBMS
● eoFinderBrowse during the installation phase (e.g. to create
tablespaces).
● eoLive
● cdb
● qdash
● qalarms
● security
● portal
● qfds
Rainstor User mclaw is available on all platforms on which the Rainstor package has
been installed. This account is used by:
● rainstor DBMS
● eoFinder Browse during installation and at runtime to manage tablespaces
● Various MasterClaw applications during their installation phase (e.g. to
create the directories hosting the tablespaces).
The default password is: mclaw..
If the password is changed, then the configuration for the following
applications has to be updated as well:
● eoFinder Browse Server
● eoFinder Browse Loader
Vertica User dbadmin is available on all platforms on which the Vertica package has
been installed. This account is used by:
● Vertica RDBMS
● DWH- NDAF ETL during installation and at runtime to manage
tablespaces
apache User apache is available on all platforms on which the MC Self Monitoring
has been installed. This account is used by the Apache web server used to
deliver the MC Self Monitoring web interface.
The account is blocked on MC Self Mon server.
nagios User nagios is available on all platforms on which the MC Self Mon has
been installed. This account is used by the MC Self Mon server.
The account is blocked on MC Self Mon server.
2.4.1 Oracle
Changing password Passwords of oracle accounts can be changed using the following
procedure.
or
> sqlplus /as sysdba
SQL> ALTER USER system IDENTIFIED BY newpassword;
prompt
prompt Table privileges RECEIVED:
prompt ==========================
select privilege pr,
'ON',
owner||'.'||table_name tn,
'FROM',
grantor gr,
decode(grantable,'YES','+GRANT OPT')
from sys.dba_tab_privs
where grantee = upper('&person');
prompt
prompt
prompt Column privileges GIVEN:
prompt ========================
select privilege pr,
'ON',
owner||'.'||table_name||'('||column_name||')' tn2,
'-->',
grantee gr,
decode(grantable,'YES','+GRANT OPT')
from sys.dba_col_privs
where owner = upper('&person');
prompt
prompt Column privileges RECEIVED:
prompt ===========================
select privilege pr,
'ON',
owner||'.'||table_name||'('||column_name||')' tn2,
'FROM',
grantor gr,
decode(grantable,'YES','+GRANT OPT')
from sys.dba_col_privs
where grantee = upper('&person');
set head on
set verify on
set feed on
Administration sys
Oracle user sys is available on all platforms on which the Oracle package
has been installed. Its password can be changed.
The default password is: manager
If you change the password, you must also update the configuration of the
Self-Monitoring application.
The password should be updated in:
Oracle_Database_password, section credentials_APP_deploy in auto-
conf.nin file present under /opt/anritsu/selfmon/auto-conf on selfmon server
Refer to Self Monitoring Installation and Configuration Manual for further
information.
system
Oracle user system is available on all platforms on which the Oracle
package has been installed. Its password can be changed.
The default password is: manager
If you change the password, you must also update the configuration of the
following applications:
Applications CDB
Oracle user cdb is available on the Oracle server used by cdb. Its password
can be changed.
The default password is: cdb
If you change the password, you must also update the configuration of the
cdb application:
SecurityS
The oracle user mclawsecurity is available on the Oracle server used
by masterClaw security. Its password can be changed.
The default password is: testtest
If you change the password, you must also update the configuration of the
security application.
Refer to the specific application’s documentation for further information.
QDASH
The oracle user qdash is available on the Oracle server used by qdash. Its
password can be changed.
The default password is: qdash
If you change the password, you must also update the configuration of the
qdash application.
ALARMS
Oracle user event is available on the Oracle server used by qevent. Its
password can be changed.
The default password is: event
If you change the password, you must also update the configuration of the
qes application.
QFDS
Oracle user qfd is available on the Oracle server used by qfds. Its password
can be changed.
The default password is: qfd
If you change the password, you must also update the configuration of the
qfds application.
DWH
The following oracle users and passwords are available on the Oracle
servers used by the DWH:
These passwords can be changed. If you change the password, you must
also update the configuration of the given DWH application and BO.
MC Backup
The MC Backup application creates the user RMAN on the Oracle server
used by cdb (security, qevent, fraud, qdash). Its password cannot be
changed.
The default password is: CAT
Refer to MC Backup Installation Manual for further information.
Summary of Oracle Table 2.3 sums up the Oracle user accounts and the MasterClaw service(s)
Accounts that use these accounts; the third column specifies what further actions you
need to take in order for the service(s) to properly connect to Oracle (once
you have modified the password(s) in Oracle).
Username=cdb
Password=cdb
[DBconnection]
...
user=qfd
password=qfd
Table 2.3 Oracle accounts and relevant MasterClaw services (Sheet 1 of 3)
[Database]
...
OracleLogin=system/manager
QES, QCHANNEL $QUEST7_ROOT/nin/qes.nin and
$QUEST7_ROOT/nin/qchannel.nin
[Oracle]
...
oracle_login=system/manager
Table 2.3 Oracle accounts and relevant MasterClaw services (Sheet 2 of 3)
[DBconnection]
...
Oracle_sys_user=system
Oracle_sys_password=manager
Security $QUEST7_ROOT/nin/security.nin
Password changes and details for eoLive and eoFinderBrowse servers are
described in eoLive Installation and Configuration Manual and eoFinder
Browse Server Installation and Administration Manual respectively.
Changing password Passwords of PostgreSQL accounts can be changed using the following
procedure.
For the system account, i.e. postgres:
Logon as postgres and execute the command:
> psql
ALTER USER postgres WITH PASSWORD '<new password>';
For other MasterClaw accounts:
Logon as mclaw and execute the command providing the user the password
when requested:
> psql –U <masterclawdb account>
ALTER USER <masterclawdb account> WITH PASSWORD '<new
password>';
Password Expiration Passwords of PostgreSQL accounts don’t expire by default. This behavior
Time can be changed with the following procedure.
● For the system account, i.e. postgres, logon as postgres and execute:
> psql
ALTER ROLE postgres VALID UNTIL '<timestamp’>';
Where timestamp can assume one of the following structures:
-1999-01-08 04:05:06
-1999-01-08 04:05:06 -8:00 (with timezone)
● For other MasterClaw accounts, logon as mclaw and execute the below
command, providing the user with the password when requested:
> psql –U <masterclawdb account>
ALTER USER <masterclawdb account> VALID UNTIL
'<timestamp’>';
This option can be used also when changing the password for both system
and MC application accounts. E.g.:
> psql –U <masterclawdb account>
ALTER USER <masterclawdb account> WITH PASSWORD '<new
password>' VALID UNTIL '<timestamp’>';
Applications eoLive
PostgreSQL user eolive is available on the PostgreSQL server used by
eoLive. The password can be changed.
The default password is: eolive
If you change the password, you must also update the configuration of the
eoLive application.
eoFinderBrowse
PostgreSQL user eofb_user is available on the PostgreSQL server used
by eoFinderBrowse. The password can be changed.
The default password is: eofb_pass
If you change the password, you must also update the configuration of the
eoFinderBrowse application.
CDB
PostgreSQLuser cdb is available on the PostgreSQL server used by cdb.
The password can be changed.
The default password is: cdb
If you change the password, you must also update the configuration of the
cdb application.
QDASH
PostgreSQL user qdash is available on the PostgreSQL server used by
qdash. Its password can be changed.
The default password is: qdash
If you change the password, you must also update the configuration of the
qdash application.
QALARMS
PostgreSQL user event is available on the PostgreSQL server used by
qevent. Its password can be changed.
The default password is: event
If you change the password, you must also update the configuration of the
qes application.
QFDS
PostgreSQL user qfd is available on the PostgreSQL server used by qfds.
Its password can be changed.
The default password is: qfd
If you change the password, you must also update the configuration of the
qfds application.
Changing password Passwords of Rainstor accounts can be changed using the following
procedure.
Logon as mclaw and execute the below command, providing the user with the
password when requested:
Applications eoFinderBrowse
Rainstor user eofb_user is available in Rainstor DB.
The password can be changed.
The default password is: eofb_pass
If you change the password, you must also update the configuration of the
eoFinderBrowse Server and eoFinder Browse Loader applications.
Changing password Passwords of Vertica accounts can be changed using the following
procedure.
Logon as dbadmin and execute the below command, providing the user
with the password when requested:
> vsql -U<admin_username> -w<admin_password>
>\q
If you change the password for a Vertica account that is used by a
MasterClaw service, then it is highly recommended that you stop the service
(or services) before you change the password.
Note: dbadmin user can change any user's password; non-dbadmin users
can alter only their own passwords.
Applications For DWH-NDAF, see in table below the Vertica users for the applications
concerned:
2.8.1 MySQL
The MySQL RDBMS is used by the Master Claw Self Monitoring application
to store Nagios configuration and performance data.
Changing Password The password of MySQL accounts can be changed using the following
procedure:
If the password has already been set, then the following command can be
used:
Administrator The MySQL administrator user root is available on the MySQL server used
by SelfMon. The password can be changed.
By default, the password is not required when accessing the DB from
localhost or Self Monitoring server. In other circumstances, mysql cannot
be accessed with the root account.
Anonymous Accounts Anonymous accounts can be removed with a command such as:
> mysql -u root -p
Enter password: (enter root password here)
mysql> DROP USER ''@'localhost';
mysql> DROP USER ''@'host_name';
Self Monitoring The MySQL user nagios is available on the DB server used by Self
Application Monitoring. Its password cannot be changed.
The default password is: nagios
2.8.2 Portal
The MasterClaw portal is delivered by default with the two system
administrative users listed below, along with their default passwords:
User Password
mclaw mclaw..
root elmi..
Table 2.4 Portal users
2.8.5 SNMP
SNMP protocol can be secured by the following actions:
● Changing default community strings
● Disabling the not needed SNMP services
● Adding an access firewall to the MC network perimeter
● Configuring SNMP agent to accept connection for specific hosts
● Using SNMP v3 where available.
● Timeservers
LANTIME M300/GPS If SNMP has been enabled for LANTIME M300/GPS NTP Server, then you
NTP Server should follow the instructions provided in Probe Installation and
Configuration Guide, in order to:
● Change default read and read-write community strings.
● Disable not needed SNMP services.
E.g. by removing read-write community string if the device configuration
will be performed without SNMP
● Add an access firewall to the MC network perimeter.
● Configure SNMP agent to accept connection for specific hosts.
2.8.6 Timeserver
LANTIME M300 GPRS timeserver is an NTP timeserver integrating a GPS
radio clock running a simplified Linux OS.
Disable “console” It is possible to disable the front panel of the timeserver. Its configuration can
always be done using https or ssh.
More instructions are provided in Probe Installation and Configuration
Guide.
UNSET Initial state of each component. It means that QMON has no knowledge of the
component's state.
NOT_RUNNING This state signals that the component has no running process(es) in the Unix
system. This is not necessarily an error; it may be that the component has not
been started yet.
RUNNING This state denotes that the expected Unix processes are running on the
system. However, it does not necessarily mean that all is well, because a
component may be in a state where it does not respond to client requests, or
it may be deadlocked, or something else.
AVAILABLE This state follows state RUNNING, and it implies the same as RUNNING, and
in addition, it adds the constraint that the service must be responsive to client
requests (if applicable). All monitored processes should be in state
AVAILABLE during operation.
TO_BE_RESTARTED This state is used to signal that the component was previously in state
UNRESPONSIVE, and that the component is subject to restart.
RESTARTED This is the state that follows from a successful restart. It does not signal that
the component is again AVAILABLE, but merely that the expected set of Unix
processes are running.
BUGGY This state indicates that although it seems possible to start a component, the
component never seems to enter state AVAILABLE. This state indicates that
administrator intervention is necessary. When QMON is in normal mode, it
will not attempt to start a BUGGY service; however, when QMON is in
tenacious mode, it will never put a service in the BUGGY state but rather try
to (re)start the service again and again.
Assuming the QMON daemon runs on well-configured systems, the state
machine for each monitored component will undergo the following state
transitions:
UNSET --> RUNNING --> AVAILABLE
All component checks and actions to start an stop are time delimited to avoid
hanging the QMON daemon. QMON increases the amount of time that a
component is allowed to:
● start and stop
● to respond to the availability checks
When a component does not respond in time, i.e., when the permitted
duration expires, QMON increases the permissible duration, but only up to a
pre-defined upper limit of five minutes. QMON increases the timeout to
account for unpredictable factors such as machine load and system
dependent start/stop time.
If QMON cannot (re)start a component within the maximum permitted start
time, then the component is considered BUGGY.
The QMON daemon is disconnected from the components it monitors; the
daemon uses action scripts to interface with the monitored components. An
action script is usually a shell script, but it can be anything that can execute
on the host machine, e.g., an action script can be written in C or Python. An
action script must provide the following four actions:
● start start the component
● stop stop the component
● check check quickly that the component is running
● rcheck check rigidly that the component is running and responding
QMON provides some ready-to-use action scripts for the core MasterClaw
services, but you can copy and modify the scripts if you want to. You can also
write your own action script from scratch if you want to periodically execute
some check, for instance to monitor available disk resources. Some
MasterClaw components come with their own action scripts. You can use the
qmon list -l command to get a list of the monitored components and the
actions used.
Use the first synopsis to start, stop or obtain status of the monitoring daemon.
Not all users are allowed to start or stop the daemon, but all users are allowed
to view status information.
Use the second synopsis to configure the QMON daemon. Refer to
Section 3.1.2 Options for information on timing parameters.
Use the third synopsis to add to and remove from the set of monitored
services, respectively. You can specify the list to add or delete, or use the
-a option to denote all components currently known by QMON.
Use the fourth synopsis to view the list of monitored processes.
Use the fifth synopsis to display all the components installed on the specific
machine that can be monitored with qmon.
Use the sixth synopsis to reset or wake up the QMON daemon. The
subcommand restart is semantically the same as stop followed by
start. The subcommand ping wakes up the daemon as if a new cycle had
just begun.
It is permitted to configure QMON daemon both when it is stopped or running.
Any changes will take affect when the QMON daemon is started or when
commencing its next cycle.
3.1.2 Options
-d A logical flag; 0 means FALSE, 1 means TRUE, that determines whether the
daemon runs in normal or dummy mode. In normal mode (FLAG equal to
zero), QMON will try to restart faulty components, but in dummy mode (FLAG
equal to 1) automatic restart does not take place. The default value is 0
(FALSE).
-a This option denotes ‘all’, used with the subcommands add and rm.
-p Specify the TCP port number used for communicating per-host QMON status
information between multiple QMON daemon instances where each QMON
instance runs on its own host machine. This port defaults to port number
5899, but can be changed in case this number collides with other services.
Note that -p has a dual purpose: (1) it specifies the TCP port used by the
daemon to provide status information to other QMON instances, you set this
port with the config -p <port> sub-command; (2) it specifies the TCP port
used by the daemon to retrieve status information from another QMON
instance, you set this port with the sub-command add -h -p <port>. Be
aware that you must be the superuser (aka. root) to listen to a port number
below 1024. The default value for both purposes is 5899, and it is
recommended that you do not set the port number unless it is necessary.
-x The maximum timeout in seconds when invoking an action script. This value
should be larger than or equal to both the check timeout (see -k option) and
the start and stop timeout (see -s option). The default value is 300 seconds.
-s The default timeout in seconds when invoking an action script's start or stop
method. The default value is 120 seconds.
-l Provides more details for the list and find commands. The additional
information for local components is the full path of the action script, while the
additional information for remote QMON instances is the TCP port number
used to connect to the remote QMON daemon to get status information.
3.1.3 Operands
Referring to the third synopsis in Section 3.1.1 Synopsis, the operands are
either the locally monitored components or the names (or IP addresses of the
remote host) to add or delete, respectively. For instance the following will add
the name service (qnss), the statistics service (qsts), and the statistics
loader (qstldr) to the set of monitored components:
qmon add qnss qsts qstldr
Action scripts QMON uses component-specific action scripts to determine the status of
software components. These scripts are named qmon-<sub component
name>.
The sub component name could be:
● qbase Package name. E.g. cdb
● name of a sub component included in a multicomponent package. E.g.
qes included in the qalarms package.
Each MC server should have one qmon script.
QMON is supplied with a variety of action scripts templates; the scripts are
stored in $QUEST7_ROOT/installed/qmon/lib/sbin. You can list the available
action scripts:
# ls $QUEST7_ROOT/installed/qmon/lib/sbin/qmon-*
/opt/anritsu/mclaw/installed/qmon/lib/sbin/qmon-cdb
/opt/anritsu/mclaw/installed/qmon/lib/sbin/qmon-qnss
/opt/anritsu/mclaw/installed/qmon/lib/sbin/qmon-qpecs
/opt/anritsu/mclaw/installed/qmon/lib/sbin/qmon-qps
/opt/anritsu/mclaw/installed/qmon/lib/sbin/qmon-temip-
register
You can customize an action script by copying it to a pre-defined directory,
while some MasterClaw components come with ready-to-use action scripts.
QMON searches for action scripts in a number of directories in the following
sequence:
1. $QUEST7_ROOT/qmon/data/qmon/<hostname>/sbin/
2. $QUEST7_ROOT/installed/<component>/rc.d/
3. $QUEST7_ROOT/installed/qmon/lib/sbin/
2.$QUEST7_ROOT/installed/cdb/rc.d/qmon-cdb
3.$QUEST7_ROOT/installed/qmon/lib/sbin/qmon-cdb
The start and stop actions should start and stop the component, respectively.
The check action should execute quickly and consume only little CPU
resources, because check is the most frequently invoked action. The most
rigid check should lie with the rcheck action, which should guarantee that the
monitored component is up and running and, if applicable, responding to
’client’ requests. It is legal for the check and rcheck actions to be identical. All
four actions must be synchronous, i.e., they return when the action is
complete.
An action script informs the QMON monitor whether an action succeeded by
its return value. A action script’s return value must obey the simple rule:
● Return value is zero (0) if the action succeeded, or
● Return value is non-zero if the action failed
Note: If you write your own action script or modify an existing one, it is
important that you adhere to the rule.
If you do not, the QMON daemon will make wrong decisions and
possibly impede your software component. For instance if your start
action’s exit code is non-zero, the QMON daemon will kill any
processes started by your action script and will try to invoke the start
action again or give up after a number of attempts. Thus, if the start
action was in fact successful, but failed to return zero, the daemon will
kill your processes.
export QUEST7_ROOT=${QUEST7_ROOT:-/opt/anritsu/mclaw}
case $CMD in
start)
/sbin/init.d/tns_server start
status=$?
if (( status == 0 )) then
fi
exit $status
;;
stop)
/sbin/init.d/tns_server stop
status=$?
exit $status
;;
check|rcheck)
;;
*)
;;
esac
You should check that your action script works by invoking it manually.
Remember to try all four actions, and check that the return value is correct.
When it is working, tell QMON about it with the command:
qmon add component
Your component will be monitored starting from the next periodic check.
1 init
2 [keventd]
3 [ksoftirqd_CPU0]
4 [ksoftirqd_CPU1]
...
...
Each line contains the process identifier (PID) followed by a space character
and then follows the service invocation command line. The action scripts that
You can also use Netscape (or another HTML capable browser) to study a
periodically updated status view by typing the command:
netscape file:$QUEST7_ROOT/data/qmon/$HOSTNAME/
index.html
TIP If you are running a Web server on your system, you can set up your
web server so that it becomes possible to browse the status of the monitored
services from machines on your network. Set up your server so that it allows
HTTP access to the directory $QUEST7_ROOT/data/qmon/$HOSTNAME.
modi:
qnss Available
4. Suppose you are logged in to skade and the QMON daemon on modi
cannot be reached, then QMON silently ignores the unreachable host
and displays (only) information that is current, in this case information for
the local host (skade).
4. To change the port number, you must first remove the entry, then add it
again with the new port number.
qmon rm -h modi
qmon add -h -p 65432 modi
3.1.9 Files
$QUEST7_ROOT/data/qmon/$HOSTNAME/qmond.cfg
This file determines the current configuration of QMON, i.e., what processes
to monitor and the timing specifics.
$QUEST7_ROOT/data/qmon/$HOSTNAME/qmond.state
ASCII file that lists the states of monitored services. The format used is
straightforward:
proc1 proc1-state
proc2 proc2-state
This file is only updated when at least one service changes state.
$QUEST7_ROOT/data/qmon/$HOSTNAME/qmond.state.html
$QUEST7_ROOT/data/qmon/$HOSTNAME/qmond.ps-list
This file contains the process identifiers (PIDs) and command line invocations
of the processes on the host machine. QMON builds this file when it wakes
up to check service availability.
$QUEST7_ROOT/data/qmon/$HOSTNAME/event.log
This file contains QMON log entries: which services were up and down, and
which were started, re-started, or stopped. The reason for having this file is
that non-root users cannot read the system log on Linux.
Turn server power on and off (by pushing a button in the Status Summary /
Overview/ page on the bottom bar).
● Overview of server health. ILO summarizes the condition of the
monitored subsystems including overall status and redundancy (ability to
handle a failure). The subsystems may include fans, temperature
sensors, power supplies, and Voltage Regulator Modules (VRMs).
— Fans. ILO shows the state of the replaceable fans within the server
chassis. This data includes the area that is cooled by each fan and
the current fan speeds.
— Temperatures. ILO shows the conditions monitored at temperature
sensors at various locations in the server chassis. The temperature
is monitored to maintain the location temperature below the caution
threshold.
If the temperature exceeds the caution threshold, the fan speed is
increased to maximum.
If the temperature exceeds the critical temperature, a graceful server
shutdown is attempted.
If the temperature exceeds the fatal threshold, the server is
immediately turned off to prevent permanent damage.
— Power. ILO shows the present power reading. This value shows the
most recent power reading from the server and at what time the
reading was taken.
— VRMs. ILO shows the state of the VRMs. VRMs are required for each
3.3.1 Introduction
The Session Audit application is an administrative tool which enables
administrators to browse, monitor and terminate application sessions. Large
complex systems such as MasterClaw shall be protected by improper use of
the system resources that may block important work and prevent other users
from performing critical tasks. from a user perspective, the most critical
resources in a MasterClaw system is fast access to probe data: every probe
allows a limited number of sessions to browse its internal data storage, e.g.,
the eoFinder Inspect application needs a single Event-Log browser in every
probe monitored by the user, while the eoFinder Trace application needs two
or more CSDR-log browsers in every probe included in a trace.
The probes will reject browse requests, if the concurrent number of browsers
exceeds the maximum number of allowed sessions (see Table 3.1). The
MasterClaw application will detect the shortage of browser resources and
either queue the request or inform the user to try later.
With the Audit web application, an administrator can get an overview of the
number of active application sessions. It is also possible to determine the
number of resources every session has reserved, and finally it is possible to
“kill” application session if the administrator has to free resources to be used
by others.
Limitation: The Session Audit application is not able to precisely correlate an
application session with specific browser instances in the Probes. The
Session Audit is only able to indicate the number of browsers indirectly by
presenting the number of Signalling Links or Linksets monitored by the
Session Manager. The rule is that if the resource count is high, it is very
When the user receives this message and clicks Save File or Close
Application, then the application terminates and the resources are
released: at this moment only, they can be used by others. This means that
when killing the session or application, some applications will allow the user
to save the data/configuration before the application/session is finally killed.
Until the application or session is killed, the session/application will be visible
in the list of active sessions/applications.
In this situation, the user can only save the work done and try again later.
In other applications, the session is instead killed immediately i.e. the user is
not allowed to save any data (Fig. 3.2):
Listing application It is possible to list the current application sessions by issuing the command:
sessions
# securityadm auditreport [exportToCsv=<CSV file
name>] [from <date> <time>] [to <date> <time>]
[component <comp1>,<comp2>...]
The output has the following structure:
<SESSION ID> <APPLICATION> <USER> <HOST> <REMOTE START
TIME> <LOCAL START TIME> <DURATION> <STATE> <# RES>
where:
SESSION ID; the session id related to this application
APPLICATION; the application name
USER; the user name currently running the application
HOST; the host name or the IP address of the host running the
application
REMOTE START TIME; the application start time (local to application
host)
LOCAL START TIME; the application start time (local to the server
running Security)
DURATION; the application running time
STATE; The application status (Alive/Terminating)
# RES; The total number of resources held/used by the session
Querying the server The list of available sessions can be queried based on criteria.
for sessions
To search session by application name issue the command:
# securityadmin auditreport component
<comp1>,<comp2>
where <compN> is the name of the application as listed in the
‘APPLICATION’ field of the session list.
Filter Conditions
It is possible to specify a particular COMPONENT in order to get only log
records related to them. A filter condition may be used in addition to a time
condition.
Listing logs for a It is possible to list the current Activity Logging content for particular
specific component components by issuing:
# securityadm auditreport component component1,…,
componentN
where component1,…,componentN are the requested components to be
listed.
Exporting logs on file It is possible to have the resulting logs exported on file rather than being
displayed on screen, by simply adding the option exportToCsv with the
output CSV file. All the above conditions are always valid.
Example: exporting all the logs from 12 February 2015 12:00 in CSV file
# securityadm auditreport exportToCsv=sample.csv from
12/02/15 08:00
Sending commands to It is possible to kill either an entire user session, application sessions or
applications application tasks using the following commands.
To kill a user session, type:
# securityadm kill session <session-token>
The below table lists the structure of each message entry stored by the
Security audit.
Note: Each field except the LOGTIME field is set by the logging application,
thus their content is not generated by the Security server.
LOGLEVEL Used to differentiate the importance of the logged message. The possible
values are:
● LOW: low importance
● MEDIUM: medium importance
● HIGH: high importance
Logging applications may want to use this field to allow a subsequent filtering
when generating reports. The default is HIGH.
USERNAME Used to store the MasterClaw user name currently using the logging
application.
Applications set this field, and they are required to use the right user name.
MESSAGE Contains the logged message concerning the logging application activity.
There is not a policy for applications that states what should and should not
be logged. You should expect that an application logs events such as:
● Application start
● Application stop
● Application success
● Application failure
Introduction This Chapter highlights what is relevant from a security point of view, and
describes the actions needed to enforce the security at Customer site.
4.1 Introduction
Security plays a crucial role in the MasterClaw system, being MC integrated
with the Operators’ different networks, such as LAN/WAN network, office LAN
network and external networks (Internet etc.). Therefore, user authentication
and access to subscriber confidential data collected by the MC system has to
be controlled. Logging of user access is also important as well as encryption
of the data that is transported over the different networks.
As shown in Fig. 4.1, an MC system is composed of three layers:
● Presentation and reporting layer
It is related to clients on workstation:
— HTML Browser
— Java clients
Servers Access to subscriber data and third party applications as Oracle DB on the
servers are handled via the Linux security. Different levels of security could
be selected on the servers.
Probes Accesses to probes are controlled via password protection, see Section 4.4
MasterClaw Capability Security on page 4-7.
The MC system contains a security module. The functionality of this module
is based on capabilities. Users are added to groups and each group are
granted capabilities. The Capability Security (see Section 4.4 MasterClaw
Capability Security on page 4-7) deals primarily with portal end users access
rights to:
● Applications
● Capabilities (subsets of application functionality)
● Sub-sections of the monitored network
Note: Procedures and commands in this Chapter are not designed for C2
security level except if explicitly stated.
Account lockout This policy is used to prevent someone breaking into an account by quickly
policy trying different passwords. When such an attempt is detected, the account is
locked for a limited amount of time as defined in the policy.
Password policy This policy is used to enforce the use of strong passwords and control how
often a password must be changed. It defines the number or uppercase,
The division into groups serves only to increase the readability of this
document.
Table 4.1 and Table 4.2 consist of two columns:
● Capability Name specifies the capability
● Description provides the short textual description that must be used
when creating the capability in the security system.
ViewMCLS
ModifyMCLS The right to view/modify MC Lookup Service
data.
eoFinder Off- finderoff finderoff finderoff is an off-line tool that does not check for
line any capabilities; however, the finderoff capability
is required to access the application via MC
Portal.
Alarm Manager qalarm qalarm It requires the qalarm capability to run QALARM.
It requires the ViewEvents capability to view
ViewEvents alarms (and run QALARM).
It requires the ChangeEvents capability to
ChangeEvents change the status of events.
Table 4.3 Capability Usage (Sheet 1 of 7)
Application
Program Capability Comment
name
eoFinder finder, ViewTopology ViewTopology is required in order to view the
findercl topology. Access to ViewTopology is
mandatory for starting Call Trace.
AccessTopology (option) Gives access to specific topology parts.
Application
Program Capability Comment
name
eoLive eolive eoLive provides the following user profiles:
client eolivec eoLive User
He/she owns the eolivec capability: can create
personal Dataviews. Can copy charts to personal
Dataviews via “drag-and-drop” from public
Dataviews. Does not have rights to manually
create/edit charts.
eolivec_power_user eoLive Power User
He/she owns the eolivec_power_user
capability: can create, edit, rename, and delete
public Dataviews; can create, edit, rename,
delete, and publish personal Dataviews. Can
create, edit and delete charts in Dataviews for
which he/she has edit access.
eolivec_admin eoLive Administrator
He/she owns the eolivec_admin capability:
can create, edit, delete, publish, and rename
data views in all workspace; can perform
export and import operations.
ViewEndpointDetails
ViewCredentials
ViewSMSContent
ViewUSSDContent
ViewTopology
AccessTopology
ViewCompleteNumber
SpecifyCompleteNumber
ViewEoLiveResource
ChangeEoLiveResource
Realtime Fraud qrtfsc-csb qrtfsc-csb qrtfsc-csb is checked during start-up.
Sentry The capability is created during package
installation.
Alarm qptliv- qptliv-dwhalarm-cfg The right to access the DWH Alarms’
Configuration dwhalarm- Configuration Console via MC Portal.
Tool cfg
General Data qmcpi-gds qptls_admin qptls_admin : the capability to be the
Store administrator of the Portal.
Configuration qmcpi-gds qmcpi-gds and ViewGDS are checked at start-
Tool ViewGDS, up time.
ChangeGDS ChangeGDS is only required when moving/
creating and deleting entries.
Table 4.3 Capability Usage (Sheet 4 of 7)
Application
Program Capability Comment
name
qpm qpm QPM itself: The user must has access to QPM to
use the qpm
ACTIVATE: This command requires
ChangeConfiguration ChangeConfiguration for each centre
ViewConfiguration affected.
DELETE: This command requires
ChangeConfiguration and ChangeGDS for
each centre affected.
Conversely, you can display all Capabilities in effect for a specific user, for
example.
Privacy control Privacy control is the feature where control of capabilities that govern access
to privacy-related information is handled by a set of users that is separate
from the normal system administrators group, often users that are member of
Tree structure The structure of a completely unfolded tree hierarchy of QMCPI-SEC is:
● QMCPI-SEC (root)
● Users
● User entity
● User Groups
● User Group entity
● Capabilities
● Capability entity
● Centres
● Centres entity
● Signalling linksets
● Signalling linksets entity
● Security policies
● Security policies entity
● Resources
● Resources entity
● DBOs
● DBOs entity
Node operations Together with simple editing of object attributes, some operations may be
performed on tree nodes. The set of these operations is different for each
node type. Each node type provides the same operations independent of
node position in hierarchy. However, some of the operations may be disabled
in specific cases. The reason for disablement is insufficient context for
successful operation flow in those specific cases.
Actions for QMCPI-SEC root node in the pop-up menu and in the toolbar.
Users node
Displayed Description
Name System name of user
Enabled Shows if the user is enabled (Yes/No)
Locked Shows if the user has been locked (Yes/No)
Bad password count The number of times a wrong password has been entered
Expires The date and time the user login will expire and has to be
renewed, otherwise Never
Password expired Shows if the password has already expired (Yes/No)
Change password Shows if the password has been set to be changed the
next time the user logs in (Yes/No)
Password expires The date and time the password will expire and has to be
renewed, otherwise Never
Table 4.6 QCMPI-SEC users node views
Actions for QMCPI-SEC root node in the pop-up menu and in the toolbar.
Capabilities node
Capabilities entity
node
Signalling linksets
entity node
Login and password changes are governed by two policies, as in table here
below.
Name Description
Account lockout policy Set up parameters for locking out an account. This policy
is used to prevent someone breaking into an account by
quickly trying different passwords. When such an attempt
is detected the account is locked for a limited amount of
time as defined in the policy.
Password policy Set up parameters for creating and using passwords. This
policy is used to enforce the use of strong passwords and
control how often a password must be changed. It defines
the number or uppercase, lowercase, digits and
punctuation characters that a password must contain as
well as the minimum password length.
Note: the password policy is only enforced for normal
users. It does not apply to system administrators as this
would risk blocking an administrator from logging in.
Table 4.20 QCMPI-SEC security policies node views
Resources node
Rows
Name Description
displayed
Resource Id See Table 4.23
name
Type
Owner
Table 4.24 QCMPI-SEC Resources entity node views
The following table includes the BO_Universe Resources created from the
bo-model. These are needed to assign the grants for Universe usage. For
example, a user belonging to a given group can be assigned the
“BO_Customer_Report_Developer” capability as well as the “eoIP Service
KPI” Resource. Such user will be then intended as a
Network Call Performance QNCKPI Grants the right to view reports and universe of "NCKPI
KPI data warehouse DWH", You should also have at least one of the common
capabilities: BO_Customer_Report_Developer
BO_Customer_Report_Viewer
BO_PS_Report_Developer
Next Generation Network NGN data Grants the right to view reports and universe of "NGN KPI
KPI warehouse DWH", You should also have at least one of the common
capabilities: BO_Customer_Report_Developer
BO_Customer_Report_Viewer
BO_PS_Report_Developer
Roaming Statistics Roaming Statistics Grants the right to view reports and universe of "Roaming
data warehouse Statistics DWH", You should also have at least one of the
common capabilities:
BO_Customer_Report_Developer
BO_Customer_Report_Viewer
BO_PS_Report_Developer
Active Roamers KPI QARDWH data Grants the right to view reports and universe of “Active
Warehouse Roamers KPI DWH”. You should also have at least one
of the common capabilities:
BO_Customer_Report_Developer
BO_Customer_Report_Viewer
BO_PS_Report_Developer
SMS KPI SMS KPI data Grants the right to view reports and universe of "SMS KPI
warehouse DWH", You should also have at least one of the common
capabilities: BO_Customer_Report_Developer
BO_Customer_Report_Viewer
BO_PS_Report_Developer
eoLTE KPI eoLTE data Grants the right to view reports and universe of "eoLTE
warehouse DWH", You should also have at least one of the common
capabilities: BO_Customer_Report_Developer
BO_Customer_Report_Viewer
BO_PS_Report_Developer
eoGI URL KPI (option eoSign In DWH Grants the right to view reports and universe of "eoSign
available as Special In” DWH.
Customer Release)
eoIP Service KPI eoIP Service DWH Grants the right to view reports and universe of "eoIP
Service” DWH.
eoIUPS KPI eoIUPS DWH Grants the right to view reports and universe of "eoIUPS”
DWH.
eoIUCS KPI eoIUCS DWH Grants the right to view reports and universe of "eoIUCS”
DWH.
eoNGN KPI eoNGN DWH Grants the right to view reports and universe of "eoNGN”
DWH.
DBOs node
Rows
Name Description
displayed
DBO name Name See Table 4.23
DBO Type
Owner
Table 4.27 QCMPI-SEC DBOs entity node views
Enabling the first time When first enabled, the «privacy» capabilities such as ViewSMS are removed
from all user groups and a «Privacy Administrators» group is created.
A system administrator has to assign capabilities to the default privacy
administrator, “mclaw_privacy”, in order to let that user access the portal and
qmcpi-sec (when created this user only has all PRIVACY capabilities).
Changes in behaviour When privacy control is enabled, the following changes in qmcpi-sec:
● To be able to add a capability to a group the capability must be in the
same scope as the user group, and the user of qmcpi-sec must have
either ChangeSecurity (for system scoped capabilities) or
ChangePrivacy (for privacy-scoped capabilities).
● To create user groups with SYSTEM scope, a user must have
ChangeSecurity and to create groups with PRIVACY scope
ChangePrivacy is required.
● In order to change the scope of a user group, the user of qmcpi-sec must
have both of the capabilities mentioned above, and the group must not
contain any capabilities. It is forbidden to put capabilities of different
scopes in the same group when privacy control is enabled, and qmcpi-
sec enforces this.
● To be able to add users, centres, linksets, DBOs and other resources to
a user group with a certain scope, the user of qmcpi-sec must have the
appropriate capability, i.e ChangeSecurity for user groups with SYSTEM
scope, and ChangePrivacy for user groups with PRIVACY scope.
● Only members of Privacy Administrators may update the password of the
default privacy administrator “mclaw_privacy”.
Note: Only port numbers on the server side are specified here. Clients
always choose a random port number.
Note: The firewall shall be configured in a way that filters other than IP
addresses and ports are not used. E.g. Firewall should not filter the
content with deep packet inspection.
tcp/ Port
Application Protocol Note
udp Number
NTP ntp udp 123
SSH/SFTP SSL tcp 22 Customer service login, SW download, etc.
udp 500 IKEv2 (IPSec control path)
— IPsec* udp 4500 IKEv2 (IPSec control path)
tcp 50 ESP IPSec data path
* Disabled by default
This is a Special Customer Release feature only intended for customers who request it.
Table 4.28 Port numbers on MasterClaw servers
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
SFTP Data Record eoFinder Browse eoDR, Call/ SFTP tcp 22 No Yes Yes Yes
Gateway Server loader Transaction
(qxdrs) parameters
SFTP Data Record Oracle DWH DR, Call/ SFTP tcp 22 No Yes Yes Yes
Gateway Server Transaction
(qxdrs) parameters
SFTP Probe Oracle DWH DR, Call/ SFTP tcp 22 No Yes Yes Yes
Transaction
parameters, Voice
kpi
SFTP Oracle host CDB, QES, remote directory SFTP tcp 22 No No Yes Yes It applies when
QDASH, QLOG, creation Oracle is deployed
Fraud on a separate
server
SFTP eoFinder Browse eoFinder Browse Configuration SFTP tcp 22 No No No Yes
Loader Server
SSH/SFTP Probe / Infoserver Deploy server Download SFTP tcp 22 No Yes Yes Yes
software/
configuration
SSH/SFTP Nrpe agents Selfmon server Server/Service SSH/SFTP tcp 22 No Yes Yes Yes
status
SSH/SFTP Any server/probe/ Central Server Any file transfer SSH/SFTP tcp 22 No No Yes Yes
infoserver/ NDAF needed by MC
server (master & administrators
slave)
SSH/SFTP Central Server External client Any file transfer SSH/SFTP tcp 22 No Yes Yes
needed by MC
administrators
Table 4.29 Detailed interfaces and port numbers on MasterClaw servers (Sheet 1 of 2)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
NTP time server, server Servers, probes Time NTP udp 123 No No No No
synchronization
Syslog Central log server Any Linux Host system logs. Syslog udp 514 No Yes No No Optional
Both servers shall
be CentOS/RedHat
5.5/5.8
Rsyslog Central log server Any Linux Host system logs. Rsyslog tcp 514 No Yes No No Optional
Both servers shall
be CentOS/RedHat
6.4
Table 4.29 Detailed interfaces and port numbers on MasterClaw servers (Sheet 2 of 2)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
AGG_IN_IF Aggregator Server Data Record eoDR, Call/ TCP socket tcp Note 2 No Yes No No Configurable port.
(qxdrs) Gateway Server Transaction
(qxdrs) parameters
Table 4.30 Interfaces and port numbers used by MC applications (Sheet 1 of 7)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
AGG_OUT_IF eoLive Server Aggregator Server KPI data TCP socket tcp Note 2 No Yes No No Configurable port.
(qxdrs)
Sensible data in
case of VIP
monitoring.
Alarm Config. IF DWH Portal Alarm HTTP tcp 8123 No Yes No No Data may
configuration comprehend
Customer network
node addresses.
Configurable port.
CDB CDB server Call Trace Server, Configuration, user CORBA tcp 8765 Yes Yes No No VIP, MC and
Data Record data for GDS Operator network
Gateway Server map
(qxdrs), rdas,
eoFinder Mediator,
DWH Server, Port configuration
qxdrs, eoLive setting in cdb.nin
Server, eoLive
Client, eoFinder
Browse Server,
eoFinder Browse
Client, eoFinder
Client, eoCCI, qes,
probe listener.
Selfmon. All other
clients available
from portal
Table 4.30 Interfaces and port numbers used by MC applications (Sheet 2 of 7)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
EOLIVE_IF eoLive Server eoLive Client KPI data TCP socket tcp 6722 Yes Yes No No Sensible data in
case of VIP
monitoring
Configurable port.
FINDER_BROWSE eoFinder Browse eoFinder Client, eoDR, Call/ CORBA tcp Note 1 Yes Yes No No Configurable port.
_S Server eoCCI Transaction
parameters
FINDER_MM eoFinder Mediator eoFinder Client Configuration CORBA tcp Note 1 Yes No No No Configurable port.
http MC portal Web browser, java Configuration HTTP/HTTPS tcp 8000/8443 Yes Yes Yes Yes Configurable port.
clients files,KPI data
http eoCCI Web browser KPI data HTTP/HTTPS tcp 9090 Yes Yes Yes Yes Configurable port.
http eoCCI Command line KPI data HTTP/HTTPS tcp 9090 Yes No Yes No Configurable port
tools
http Map Server Java and Web Geographic data HTTP/HTTPS tcp 8080/9094 Yes Yes Yes Yes Configurable port.
browsers
https SelfMon Web browser MC Network HTTPS tcp 433 Yes No Yes Yes
configuration/
status
MICS_IF MICS Data Record MSISDN-IMSI pair TCP socket tcp 21987 No Yes No No
Gateway Server
(qxdrs)
MSISDN_IMSI_IF MICS eoFinder Client MSISDN-IMSI pair CORBA tcp Note 1 Yes Yes No No Configurable port.
PROBE_CONF_V1 Deploy server Deploy server Probe CORBA tcp Note 1 No Yes No No Configurable port.
client configuration
OSGI console OSGI OSGI, Probe text tcp 4444 No No No No Configurable port.
ipsecsync configuration
Table 4.30 Interfaces and port numbers used by MC applications (Sheet 3 of 7)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
SECURITY Security - session Portal, all java Sessions CORBA tcp Note 1 Yes No No No Configurable port.
manager and audit clients
<DWH DWH backend qmcpi-dwh-kpi DBO KPI CORBA tcp Note 1 Yes Yes No No Configurable port.
Name>_DIMPROVI Configuration Sensible data in
DER case of VIP
monitoring
QCHANNEL Qchannel mqam - TeMIP Alarms CORBA tcp Note 1 No Yes No No Configurable port.
Access Module,
QSNMP
QCPMS QCPMS Fraud Server CDR, Call/ CORBA tcp Note 1 No No No Configurable port.
Transaction
parameters
QCS Qchannel qes, qalarm, Alams CORBA tcp Note 1 No Yes No No Configurable port.
qsnmp
QDASHS DWH dashboard server KPI data CORBA tcp Note 1 No Yes No No Sensible data in
case of VIP
monitoring
QES Qes - Event All DWH Alarms CORBA tcp Note 1 Yes Yes No No Sensible data in
Service Server Backends, eoLive case of Fraud
Server, many Java MSISDN
clients, Fraud,
probe listener.
Configurable port.
QES_QCH_IF Qes - Event qchannel Alarms CORBA tcp Note 1 No Yes No No
Service Server
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
QFDS_CPM Fraud Server Qrtfb-csb CDR, Call/ CORBA tcp Note 1 No Yes No No
Transaction
parameters
QMON_IF qmond qmond qbase application Text Tcp 5899 No No No No Configurable port.
status
QNS qnss Naming Almost all CORBA IOR CORBA tcp Note 1 Yes No No No Port configurable
Server application: java during installation
client, eoCCI, of QNSS
DWH, servers with
the exception of
probes
QPAS Protocol Analysis eoFinder Client PDU CORBA tcp Note 1 Yes Yes No No Configurable port.
Server II
QPS Protocol Server II eoFinder Client PDU, Protocol CORBA tcp Note 1 Yes Yes No No Configurable port.
help, Protocol spec
QSA_EVENT_IF Qes - Event Almost all Alarms CORBA tcp Note 1 Yes Yes No No Configurable port.
Service Server application Uses the
sending alarms application name
(e.g. probe ’MasterClaw-am’.
listener)
QXTS Call Trace Server eoFinder Client Trail Call/ CORBA tcp Note 1 No Yes No No Configurable port.
(qxts) Transaction
parameters
QXDRS ADM Data Record Command line Server/Service CORBA tcp Note 1 No No No No Configurable port.
Gateway (qxdrs) administration status/
client administration
Table 4.30 Interfaces and port numbers used by MC applications (Sheet 5 of 7)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
QXDRS AGG Data Record Data Record KPI data TCP socket tcp 12701, Yes Yes No No Configurable port.
Gateway (qxdrs) Gateway (qxdrs) 12702,
12703,1270
4,12705,127
06,12707,12
708,12709,1
2710,12711,
12712,1271
3,12714,127
15,12716,12
717,12718,1
2719,12720,
12721,1272
2,12724,127
25
QXDRS EOLIVE eoLive server Data Record KPI data TCP socket tcp 44101,4410 Yes Yes No No Configurable port.
Gateway (qxdrs) 2,44103,441
04,44106,44
119,44107,4
4122,44117,
44109,44110
,44116,4411
7,44121,441
25,44118,44
120
RDAS Raw Data Analysis eoFinder Client Server/Service CORBA tcp Note 1 Yes Yes No No Configurable port.
Server (rdas) status/
administration /
data: Pcap files
Selfmon Nrpe agents Selfmon server Server/Service SSH/SFTP tcp 22 No Yes Yes Yes Configurable port.
status
Selfmon Nrpe agents Selfmon server Server/Service TCP socket tcp 5666 Yes Yes No No Configurable port.
status
Table 4.30 Interfaces and port numbers used by MC applications (Sheet 6 of 7)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
SMPP Short Message Selfmon server Alarms SMPP tcp 2755 Yes Yes No Yes Configurable port.
Service Center
SNMPtrap Third party SNMP qsmnp Alarms SNMP udp 162 No Yes No No Qsnmp send
manager forward alarms to
3rd party
SNMPtrap qsmnp Third party SNMP Alarms SNMP udp 11162 No Yes No No Microtel send
manager alarms to qsnmp
SNMP qsmnp Third party SNMP Alarms SNMP udp 1161 No Yes No No
manager
key-server MICS eoFinder Client MSISDN-IMSI pair CORBA tcp Note 1 Yes Yes No No
rmiport Qes - Event QALARMS Statstics data for Java RMI tcp 2501 No No No Configurable port
Service Server selfmon interface in NIN file
rmiport Qchannel QALARMS Statstics data for Java RMI tcp 2502 No No No Configurable port
selfmon interface in NIN file
rmiport QSNMP Trap QALARMS Statstics data for Java RMI tcp 2503 No No No Configurable port
service selfmon interface in NIN file
rmiport_agent QSNMP Agent QALARMS Statstics data for Java RMI tcp 2504 No No No Configurable port
Service selfmon interface in NIN file
Service Port
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
HDFSMaster NDAF master NDAF enabled Filesystem IPC: tcp 8020 Yes Yes No No
application metadata ClientProtocol
(eoFinder Browse operations.
Loader etc)
HDFSSlaveData NDAF slave NDAF enabled DFS data transfer Custom Hadoop tcp 5001 Yes Yes No No
application Xceiver: 0
(eoFinder Browse DataNode and
Loader etc) DFSClient
HDFSSlaveMeta NDAF slave NDAF enabled Block metadata IPC: tcp 5002 Yes Yes No No
application operations and InterDatanodePro 0
(eoFinder Browse recovery tocol,
Loader etc) ClientDatanodePr
JobTracker NDAF enabled Job submission, IPC: 8021 Yes
NDAF master application task tracker JobSubmissionPr tcp Yes No No
(eoFinder Browse heartbeats. otocol,
TaskTracker NDAF slave NDAF enabled Communicating IPC: tcp Unkn Yes Yes No No
application with child jobs TaskUmbilicalProt own,
(eoFinder Browse ocol rand
WebUI NDAF master Web browser WebUI (HDFS) HTTP tcp 5007 Yes Yes No No
WebUI NDAF slave Web browser WebUI (HDFS) HTTP Tcp 5007 Yes Yes No No
WebUI NDAF master Web browser WebUI HTTP tcp 5003 Yes Yes No No
(MapReduce) 0
WebUI NDAF slave Web browser WebUI HTTP Tcp 5006 Yes Yes No No
(MapReduce) 0
Table 4.32 Detailed NDAF interfaces and port numbers (Sheet 1 of 2)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
JMX NDAF master NDAF master Hadoop health JMX tcp 8004 No Yes No No
(Qmon script, data ,
selfmon script) 8006
Table 4.32 Detailed NDAF interfaces and port numbers (Sheet 2 of 2)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
JDBC PostgreSQL eoFinder Browse eoDR, Call/ JDBC tcp 5432 Yes No Yes
Loader Transaction
parameters
JDBC PostgreSQL eoFinder Browse eoDR, Call/ JDBC tcp 5432 Yes No Yes
Server Transaction
parameters
Table 4.34 Detailed PostgreSQL Interfaces and port numbers (Sheet 1 of 2) (Sheet 1 of 2)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
https BO Client KPI data HTTPS tcp 8443 x Yes Yes Yes Sensible data in
case of VIP
monitoring
ftp BO External server Report result FTP tcp 21 x Yes No Yes Sensible data in
(not MC server) case of VIP
monitoring
Table 4.35 Detailed BO Interfaces and port numbers
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
Rainstor jdbc/odbc CLU node eoFB Server KPI data JDBC/ODBC TCP 3731 Yes No Yes Sensible data in
case of VIP
monitoring
Table 4.36 Detailed Rainstor Interfaces and port numbers (Sheet 1 of 2)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
Rainstor hsql db CLU node CLU node Instance metadata JDBC TCP 9001 No No Yes
corosync/cman CLU node CLU node reliable TCP socket UDP 5404 No No
(Cluster Manager) communications 5405
layer for high
availability clusters
dlm CLU node CLU node Distributed Lock TCP socket TCP 2106 No No
Manager 4
modclusterd CLU node CLU node provides an TCP socket TCP 1685 No No
abstraction of 1
cluster status
ricci CLU node CLU node propagates TCP socket TCP 1111 No No
updated cluster 1
information
Table 4.36 Detailed Rainstor Interfaces and port numbers (Sheet 2 of 2)
through firewall
Authentication
Port Number
Encrypted
tcp/ udp
Sensible
Name Server Client Data Type Comment
Vertica nodes Vertica Vertica node Intra cluster TCP Tcp 5434 Yes No No No Intra-cluster
nodes communicati communication
on
Vertica Vertica Vertica node DB data TCP Tcp 5444 Yes No No No Management
Management nodes Console to agent
Console connection
Vertica Vertica Vertica node DB data TCP Tcp 5450 Yes No No No Console server
Management nodes
Console
Spread Vertica Vertica node DB data TCP Tcp 4803 Yes No No No Client
nodes connections
through firewall
Authentication
Port Number
Encrypted
tcp/ udp
Sensible
Name Server Client Data Type Comment
rsync Vertica Backup DB data TCP Tcp 50000 Yes Yes No No Communication
nodes node between Vertica
nodes and
backup host
Table 4.37 Detailed Vertica Interfaces and port numbers (Sheet 2 of 2)
tcp/ Port
Application Protocol Note
udp Number
tcp/ Port
Application Protocol Note
udp Number
MEAS-IF measif tcp 65000 Majority of probes (running QMPA5 application).
Port number may vary (65000, 65020, 65030)
depending on the instance number of the probe
application
X command — tcp 65001 Majority of probes (running QMPA5 application).
Port number may vary (65001, 65021, 65031)
depending on the instance number of the probe
application
Table 4.38 Port numbers on MasterClaw probes (Sheet 2 of 2)
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
SIM_IF Probe QMPA Probe SIM PDU TCP socket tcp 1000 Yes No No Configurable port.
1-
1000
2 Can be considered
for firewall
configuration if the
SIM is not on the
same host as
QMPA.
SIM_RAWDATA_IF Probe SIM Probe QMPA PDU TCP socket tcp 1100 Yes No No Raw data.
5
SIM_INSPECT_IF Probe SIM inspect command SIM status TCP socket tcp 1100 No No No
6
X_IF Probe QMPA x command Probe status text tcp 6500 No No No Configurable port
1
Table 4.39 Detailed probe interfaces and port numbers (Sheet 2 of 2)
Table 4.38 and Table 4.39 list the ports of the first qmpa/SIM instance. Still, probes can be deployed with multiple instances of qmpa/
SIM, with each instance having its own port number.
Therefore, port numbers are assigned by default as follows:
tcp/ Port
Application Protocol Note
udp Number
tcp 11003
KEY-SERVER KSIF configurable via NIN file
udp 11004
USIM_CTXKEY_SRV KSIF tcp 11003 configurable via NIN file
11004
TMSI-IMSI-SERVER request tcp, udp 11006
configurable via NIN file
response tcp, udp 11007
through firewall
Authentication
Port Number
tcp/
Encrypted
Name Server Client Data Type Comment
Sensible
udp
TMSI_IMSI_IF IMSI TMSI Probe QMPA MSISDN, IMSI, TCP socket tcp 11006- x Yes No No
Infoserver TMSI, TMSI, 11007
Location, HO
parameters,
Procedure type
UMTS_TMSI_IMSI_IF IMSI TMSI Probe QMPA MSISDN, IMSI, (P- TCP socket tcp 11006- x Yes No No
Infoserver )TMSI, TMSI, 11007
Location
parameters,
Procedure type
Central IMSI-IMEI IMSI TMSI IMSI, IMEI(SV), TCP socket tcp x Yes No No
Infoserver/Key MSISDN
server
Central IMSI-IMEI eoFinder IMSI, IMEI(SV), CORBA tcp Note 1 x Yes No No
MSISDN
KSIF Key Infoserver Probe QMPA Ciphering TCP socket tcp 10003- x Yes No No
parameters 10004
KSIF Usim_ctxkey_srv Probe SIM Ciphering TCP socket tcp 10003 x Yes No No
parameters
MSISDN_IMSI_IF MSISDN IMSI Info eoFinder Client MSISDN-IMSI pair CORBA tcp Note 1 x Yes No No Configurable port.
server
X_IF / TI_IF Info servers x/ti command Status text tcp No No No
Table 4.42 Detailed Info servers interfaces and port numbers
Table 4.41 and Table 4.42 list the port related to the first infoserver instance. Still, infoservers can be deployed with multiple instances,
with each instance having its own port number.
Therefore, port numbers are assigned by default as follows:
tcp/ Port
Application Protocol Note
udp Number
OS HTTP tcp 2301 HP System Management:
web agent; web server
Administrative purposes (RAID controller
configuration SW)
HTTPS tcp 2381 HP System Management:
web agent; web server
Administrative purposes (RAID
controller configuration SW).
SSH tcp 22 Applies to iLO4, iLO3, iLO2
Customizable
HTTP tcp 80 Applies to iLO4, iLO3, iLO2
Customizable
HTTPS tcp 443 Applies to iLO4, iLO3, iLO2
Customizable
iLO Remote tcp 17990 Applies to iLO4, iLO3, iLO2
Console Port Customizable
Virtual tcp 17988 Applies to iLO4, iLO3, iLO2
Media Customizable
SNMP 161 Applies to iLO4
Customizable
SNMP Trap 162 Applies to iLO4
Customizable
IPMI/DCMI 623 Applies to iLO4
Table 4.44 Port numbers on HP ProLiant servers
tcp/ Port
Application Protocol Note
udp Number
SSH tcp 22 Establishes a connection to the remote Linux
Modifying Port When a user accesses MasterClaw through the Portal, applications run on
Numbers in the user’s workstation while the MasterClaw services run on remote servers.
MasterClaw The applications access the (remote) services over the network.
For example, MasterClaw clients establish CORBA connections with
MasterClaw servers like eoFinder Trace Server, Protocol Server.
To set up the communication between servers and the client, different port
numbers are assigned to different services.
MasterClaw services can use fixed or dynamic port numbers.
By default, port numbers are assigned dynamically by the CORBA
subsystem. Connection problems may be experienced when client and
servers are separated by a firewall, which allow only certain ports for
communications.
To ensure communication in such a scenario, it is possible to set the port
numbers to fixed values.
Find below how to set a fixed port number for the different MasterClaw
services. The process is slightly different for services written in C++ and for
those written in Java.
C++ servers For MasterClaw C++ servers, the port numbers configuration is made by
modifying the application nin file (or the global.nin file), located under
$QUEST7_ROOT/nin folder.
The example below shows how to configure port number 7777 (or any other
port number not in use in the system by other applications) for QXTS server:
Port number 7777 for QXTS server can also be configured by applying the
same change at the end of the global.nin file, as follows:
# global.nin file
...
[presentation]
Version=6.4
[qxts]
addr=0.0.0.0:7777
[qps2]
addr=0.0.0.0:7778
...
C++ servers are listed below:
● QXTS
● RDAS
● QPS2 (included in protocol-servers)
● QFDS
● MICS
● MCLS
Java servers For MasterClaw Java server the ORB listening TCP port number
configuration is made by configuring the CORBA Java “system property”
called ooc.iiop.port.
[server]
JAVA_VERSION=1.7.0
JAVA_OPTIONS=<options...> -Dcom.sun.CORBA.ORBServerPort=7779 -
Dcom.sun.CORBA.POA.ORBPersistentServerPort=7779
4.7.1 AGG_IN_IF
This interface is used by the DR Gateway Server to feed a DR Gateway
Server acting as an aggregator with eoDR which contains call/transaction
details.
This interface is not secure so it is needed to protect it by means of ipsec
channel/firewall.
4.7.2 AGG_OUT_IF
This interface is used by the DR Gateway Server to feed a eoLive server
with aggregated eoDR.
This interface is not secure so it is needed to protect it by means of ipsec
channel/firewall.
4.7.3 CORBA
This protocol is mostly used by:
● Java clients to communicate with servers.
● Servers to communicate with other servers (e.g. with CDB)
● Scripts to communicate with other servers (e.g. with CDB) usually during
packages installation in order to feed CDB or to administer a server.
The scripts are executed on the server where they are installed.
This ensures that the user logged on the virtual host can only see its
unencrypted CORBA traffic and cannot see CORBA traffic related to other
users.
Alternatively, the virtual hosts can be configured to accept multiple users at
the same time, but then none of them shall have the capabilities to capture
traffic from the IP interfaces.
4.7.4 EOLIVE_IF
This interface is used by eoLive Client to get KPI from eoLive Server.
This interface is not secure so it is needed to protect it by means of ipsec
channel/firewall.
4.7.5 HTTP/HTTPS
This protocol is used by the web browser to connect to the MC Portal.
It is used also by java application to download their configuration file
(encrypted).
HTTP only is to configure alarm on DWH. This interface is not secure so it is
needed to protect it by means of ipsec channel/firewall.
4.7.7 KSIF
This interface is used by key server to get cyphering parameters used in the
Telecom network.
This interface is not secure so it is needed to protect it by means of ipsec
channel/firewall.
4.7.8 Link IF
This is the interface used by the probes to get Customer traffic. It is based
on several technologies and usually it is not encrypted (exception are GB
links). This means for example that from a probe an administrator can
capture traffic from Ethernet links.
4.7.9 MEAS_IF
This protocol is used by MC servers to connect to MC probe and download
CSDR, pdus or counters.
This protocol is not secure so it must be protected by means of ipsec
channel.
4.7.10 MICS_IF
This interface is used by the DR Gateway Server to feed MICS with
MSISDN-IMSI pairs.
This interface is not secure so it is needed to protect it by means of ipsec
channel/firewall.
4.7.11 NTP
This protocol is used to synchronize the clocks of servers and probes.
4.7.12 SIM_IF
This interface is used by MC probes (QMPA) to connect to the SIMs
(Signalling Input Mediators) that collect raw traffic (signaling pdus, e.g. SIP,
or voice rtp packets).
This interface is not secure so it is needed to protect it by means of ipsec
channel/firewall.
4.7.13 Sftp
This protocol is used by:
● MC administrator to transfer files on the MC system (for example to
upgrade the system).
● MC applications to create the Oracle directory hosting the tablaspaces.
● DWH or by third party applications to download DR from MC mediation
servers or DOIP probes.
● Probe configuration software to download snapshot on probe/info
servers/key servers
● MC Self Mon for NRPE agent deployment
4.7.14 Ssh
This protocol is used by:
● MC administrator to log on the MC system.
● Probe configuration software to configure probe/info servers/key servers
● MC Self Mon NRPE agent interrogation
4.7.15 TMSI_IMSI_IF
This interface is used by IMSI-TMSI infoserver and probes to retrieve
MSISDN, IMSI, TMSI, TMSI, Location, HO parameters, Procedure type
used to fill CSDR with IMSI and/or MSISDN.
This interface is not secure so it is needed to protect it by means of ipsec
channel/firewall.
Probe Software/ The installation/upgrade of the following software packages require sudo to
Configuration be enabled on probes:
● qlinux-base
● qlinux-kernel-pfring
● apmlinux
● li-ether-sim
● li-hdlu-sim
● li-voip-sim
● li-usim
● li-usim-ip
like:
#ipsec-listen ALL=NOPASSWD:/etc/sysconfig/network-
scripts/ipsec-config
#mclaw ALL=NOPASSWD:/bin/rpm
Note that:
● To reconfigure ipsec, you need to uncomment the ipsec-listen line in
like:
# ipsec-listen ALL=NOPASSWD:/etc/sysconfig/network-
scripts/ipsec-config
# mclaw ALL=NOPASSWD:/bin/rpm, /sbin/shutdown, /
nettest/appl/bin/ntp_copy.sh
5.1 Introduction
This Chapter describes how to install a security enforcement on a MC
platform.
This is done via the Sec-Linux tool, a platform package used for Linux
enforcement.
The root account is required for installing the tool and for applying the
security enforcements.
5.1.1 Overview
The Security tool is composed of several security enforcements (plugins).
Each plugin performs a specific security enhancement –to enforce ssh
connection, for instance. Plugins may require additional configuration. For
example, the plugin that stops unneeded services could be configured to
add a service that is normally stopped, but that may be needed by a third
party application.
+-- bck
|
+-- bin
| +-- sec.sh
| +-- log_idle_users.sh/
|
+-- config
| +-- PRO
| +-- SRV
| +-- DEFAULT
| +-- CLU
| +-- 10.105.2.233
|
+-- lib
| +-- Actions
| +-- DefaultConfigFiles--DEFAULT
| +-- ScriptPlugin
| +-- Util
|
+-- log
- bin
It contains the main program, sec.sh, and a shell that if needed will
be installed in the root crontab for logging idle connections.
config
It contains various configuration files. It is structured in subdirectories each
one containing a set of configuration files to differentiate the rules per server
type.
A configuration file is searched starting from the most specific directories in
the following order:
- IP address, address of the host
- PRO, if the probe plugin is installed on the host
- SRV, if the server plugin is installed on the host
If the file has not been found then the lesser specific is used, i.e. DEFAULT.
Among the configuration files you can find the sec.nin file used to select
the security level and, if more selectivity is required, to identify which
security enforcement has to be applied.
- lib
It contains private files used by the tool.
log
It contains log files. They will be cleaned if their size exceeds the maximum
size permitted.
5.1.3 Warning
Some security issues may require a manual intervention from the
administrator to fix them. This could be the case where shell initialization
scripts build umask using variables instead of plain commands, like umask
022.
It is assumed that the system setting of the server is not altered from a
security point of view.
Note that if the ULP platform is upgraded, then the tool has to be reinstalled.
The files already configured will be preserved.
5.3 Installation
The package is installed using the platform patch manager, and it should be
the last package installed on a server (e.g. after Oracle, BO or probe
platform plugin).
If a platform plugin patch is installed afterwards, it might be necessary to
apply some of the security plugins again.
Note: The installation does not activate the security enforcements; the
administrator has to choose the security level.
To install the package, perform the following steps:
1. Copy the patch file to a directory not located into the /opt/anritsu/sec
directory.
2. Verify the checksum of the downloaded patch file:
# md5sum –c SEC_x.y.z.pkg.md5sum
SEC_x.y.z.pkg: OK
If the message does not return OK, you have to download the file again, and
repeat the above steps.
3. Install the patch using the command:
For the upgrade, follow the same procedure as installation – see Section 5.3
Installation.
● [SecurityLevelX]
Where X could be 1,2,3 or 4.
It is used to refine the security plugins, mainly to disable some
enforcement that may add excessive constraints on the system. For more
information, see Section 5.6 Enabling/Disabling Plugins.
With setting 1, a plugin is enabled, e.g.:
add_sticky_bit_on_world_writable_directories
With setting 0, a plugin is disabled.
Therefore, sec.nin prepares the tool to apply all security enforcements
belonging to level 1 and 2; see example below:
[General]
SecurityLevel=2
[SecurityLevel1]
add_sticky_bit_on_world_writable_directories=1
...
The third step is to configure each plugin, where needed. This is described
in Section 5.12 Plugins Description.
...
[SecurityLevel1]
add_sticky_bit_on_world_writable_directories=1
banner=1
crontab_protection=1
crontab_users=1
disable_ipv6=1
disable_user_mount_fs=1
enable_audit=1
enable_idle_session_logging=1
enable_remote_syslog=1
enable_accepting_remote_syslog=0
enforce_secure_connection=1
file_creation_mask=1
locate_unowned_files=1
remove_world_writable_permission_on_files=1
system_configuration_file_protection=1
enable_notification_failed_logins=1
[SecurityLevel2]
block_system_accounts=1
dos_prevention=1
enable_idle_connection_shutdown=1
enable_session_control=1
kernel_tuning=1
[SecurityLevel3]
block_usb=1
enable_boot_loader_password=1
enforce_single_mode=1
login_policies=1
remove_setuid_setgid=1
restrict_root_login_to_console=1
enable_ldap_client=0
enable_kerberos_client=0
[SecurityLevel4]
block_direct_root_access=0
block_user_failed_login=1
enable_selinux=0
Where
It will change the Linux host configuration and save the original files.
Note that the log is saved in /opt/anritsu/sec/log/<host ip address> and files
are backed up in /opt/anritsu/sec/bck/<host ip address> directory.
It should return the following output:
* Excuting: /opt/anritsu/sec/bin/sec.sh -e
* Executing plugins.
* The following plugins will be executed:
enforce_secure_connection
block_usb
login_policies
* Executing plugin enforce_secure_connection.
* Updating /etc/ssh/sshd_config.
[...]
* Skipped user hpsmh since it is blocked.
* Executing plugin login_policies. Done.
* Plugin Result
* enforce_secure_connection [s]
* block_usb [s]
* login_policies [s]
where
- [F] indicates that the plugin enforcement cannot be applied
because of some error.
Note the few plugins do not change the system but reports only
where the system doesn’t meet the pluging requirement. The admin-
istrator shall then proceed manually. This is for example the case of
unowned files that shall be removed or assigned manually to some
linux account.
- [s] indicates that the plugin check succeed, i.e. the system has
been configured to satisfy the plugin requirements.
5.12.2 Banner
Description Install login banner with advice on confidentiality of informations and on
restricted usage.
This will not disclose the OS type and version.
The permission will be set to “readonly” and the file will be owned by “root”
user/group.
The following files will be replaced:
● /etc/issue
● /etc/issue.net
Parameter Description
Customer name The name to be used in the login messages
Parameter Description
Personnel List of people that shall logon the host for
administrating each administration purposes.
host.
Configuration For each administrator, create a personal Linux account enabling su/sudo
when needed.
Risk It may happen that nobody can connect to the system, e.g. because the
password expired (if expiry option is enabled) or have been locked.
Risk Third party application that may add a system account with login capabilities
could stop working properly.
Risk It will be no longer possible to mount an usb device; this may have an impact
on system maintenance. For example, usb could be needed for patching the
platform, then grub has to be manually updated by removing nousb from the
kernel parameters in /boot/grub/grub.conf.
Open with vi /boot/grub/grub.conf and edit the kernel lines that contain
the option nousb, removing the option. For example:
[…]
title Red Hat Enterprise Linux Server (2.6.32-
358.11.1.el6.x86_64)
Save the file and restart the server to get the new configuration.
In the below example, the mclaw account is locked due too many failed
connection attempts:
# pam_tally2
Login Failures Latest failure From
root 1 08/09/13 18:07:24 172.28.35.141
mclaw 5 08/27/13 11:02:23 10.105.2.183
Prerequisites Please consider the below parameters for verifying whether the Customer
requires different rules:
Parameter Description
Where:
— deny – Number of attempts before locking the user (default: 3)
— unlock_time – Waiting time before login is allowed again (default:
900 secs). If the setting is removed, it is required the manual
administrator to unlock the account.
— even_deny_root –This setting can be added to block also root
(default: not present).
— root_unlock_time –Waiting time before allowing root login again
(default: not present). If the setting is not present, it requires the
manual administrator to unlock the account.
Risk When enabled, this option exposes the system to a denial of service attacks.
i.e. an attacker may try to login as oracle causing the oracle account to be
blocked. The oracle account will not be available even for MC system,
preventing normal operations until the account is restored.
/etc/at.allow is replaced/created
/etc/at.deny is removed.
Parameter Description
User running crontab jobs Users other than root/mclaw/oracle that use cron. These additional users
could be needed by an integrated Third party application.
Configuration It other users require crontab (e.g. for third party applications), they can be
added in the cron.allow and at.allow configuration files,in the sec-
linux configuration directory.
net.core.wmem_default=65536
net.ipv4.tcp_rmem=8388608 8388608 8388608
net.ipv4.tcp_wmem=8388608 8388608 8388608
net.ipv4.tcp_mem=8388608 8388608 8388608
net.ipv4.tcp_max_syn_backlog=2048
Risk The log space on the server hosting the central syslog daemon should have
enough space to hold logs also for remote machines. Otherwise, logs risk to
be lost.
● /etc/crontab
● /var/spool/cron/root
● /etc/anacrontab
● /etc/issue
● /etc/issue.anritsu
● /etc/issue.net
● /etc/motd
● /var/log
● /var/log/faillog
● /var/log/lastlog
● /etc/localtime
● /etc/fstab
To simplify the search for specific operations, the following keys have been
defined. They can be used to filter audit logs:
Key Description
Risk Adding too many rules may result in a low performance-system due to high
logging.
Prerequisites Please consider the below parameter in order to verify if the Customer
requires different rules:
Parameter Description
Max idle time Max session inactive time accepted before closing a
login connection.
Prerequisites
Parameter Description
Grub password Password used by the grub boot loader to unlock itself.
Risk This precaution could not be sufficient since people having physical access
to the host could boot from another source, such as DVD or USB key/disk.
To block such attempts, it is suggested to use passwords also for the BIOS.
Users having session whose idle time is greater than a specified threshold
are logged in:
/var/log/secure
The below example shows mclaw user having a session idle time of more
than 2 hours:
Feb 21 23:55:01 saturn IDLESESSION: mclaw from
(localhost.localdomain) idle time: 02:29
Prerequisites Please consider the below parameter in order to verify if the Customer
requires different rules:
Parameter Description
Idle timeout Idle sessions are logged if their idle time is longer than
this parameter.
Configuration The max idle time used to trigger the log is 5 minutes. It is possible to
change it by modifying the argument in the root crontab job in the
configuration file idle_session_log_crontab:
*/5 * * * * /opt/anritsu/sec/bin/log_idle_users.sh
5 > /dev/null 2>&1
Note that the crontab time and date fields shall be modified accordingly.
Parameter Description
Central syslog IP The ip address of the server on which a centralized
address syslog daemon is running.
Client syslog IP The ip address of the servers on which syslogd is
addresses sending its logs.
Risk The log space on the server hosting the central syslog daemon should have
enough space to hold logs also for remote machines. Otherwise, logs risk to
be lost.
Moreover, this setting may increase the amount of data transferred over the
network,and affect those services that depend on the available bandwidth
(TDR transfer, CSDR download, PDU collection,…).
mclawxdr – 8
oracle – 4
qpm – 8
postgres – 4
nagios – 4
apache – 4
mysql – 4
Any other user – 2
Prerequisites Please consider the below parameter in order to verify if the Customer
requires different rules:
Parameter Description
Cuncurrent ssh/sft/login session Maximum number of active logins per user.
Configuration By default, limits change is not needed unless requested by the Customer or
in case of third party-additional users having their own limits.
The configuration file is session_limits.conf where:
* - maxlogins 2
mclaw - maxlogins 20
Risk If the contraints are too small, the system may stop working properly, e.g. a
DWH cannot download xdr from a mediation server. Therefore, you should
consider the total number of simultaneous connections needed by all DWHs
or eoFinderBrowse loaders connected to the same mediation.
Prerequisites Please consider the below parameters in order to verify if the Customer
requires different rules:
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections
to the sshd daemon. Additional connections will be dropped until
authentication succeeds or the LoginGraceTime expires for a connection.
Cipher
Specifies the ciphers allowed for protocol version 2.
MAC
Specifies the available message authentication code algorithms.
See ssd_config Linux man page for details such as a complete cipher list.
See also Section 5.12.6 Block User Failed Login, and Section 5.12.26 Login
Policies for additional settings related to the PAM module.
If you already have authorized keys that you would like to preserve, you can
copy/merge them from <user home dir>/.ssh/authorized_keys in
<user home dir>/.ssh/authorized_keys2 to avoid recreating them.
The login shell is supposed to remain unchanged; however, if the login shell
is changed, the plugin must be re-executed.
Once this plugin has been enabled, it might be necessary to install a
platform package or patch (e.g. Oracle_XXX_PA_YYY.pkg).
In such a case, it will be necessary to manually reset umask before applying
the update, as follows:
# umask 022
# platformPatchManager applyPatch <patch>
Risk It will be no longer possible to try to reboot the host, so to close the
processes in a clean manner (e.g. through the so called “REISUB” key
sequence).
This enforcement could be considered relevant if the host is not accessible
(because in such case it is possible to manually turn off the server or unplug
the power) or if the terminal is not accessible (e.g. because the host is
virtualized and only few users have the right to access it thru VMWare).
Note: Some applications may report an error because they are not able to
collect system log information. E.g.
cp: cannot open `/var/log/dmesg' for reading:
Permission denied
Such an error will not affect the normal operation of the application itself and
can be ignored.
Policies are:
● Password expiration (90 days default, note that other Customers may
Prerequisites Please consider the below parameters in order to verify if the Customer
requires different rules:
Parameter Description
Password expiration
Password expiration warning
period
Password complexity password criteria:
- minimal length
- number of lowercase characters
- number of uppercase characters
- number of digits
- number of special characters (e.g. !#)
Maximum login attempts
Password history A password cannot be reused if already present in the history.
Where:
— retry –number of failed attempts before giving up a login attempt
(default: 3)
— minlen – Minimum size of passwords (default: 14)
— lcredit – Number of lower case letters (default: 1)
— ucredit – Number of upper case letters (default: 1)
— dcredit – Number of digits (default: 1)
— ocredit – Number of other characters, e.g. #$!. (default: 1)
Password history
The password history can be configured in the pam_unix.so line of
pam_system_auth:
password sufficient pam_unix.so sha512 shadow
nullok try_first_pass use_authtok remember=12
Prerequisites Please consider the below parameter in order to verify if the Customer
requires different rules:
Parameter Description
Files with setuid/ List of files that require setuit or setid.
setgid These files are installed manually on a server, e.g.
because required for third party integration.
Configuration Edit setuid_setgid_programs adding the list of files that shall preserve the
setuid/setgid attribute.
B oprofile
K oracle
B postfix
K postgres
B qpm
K root
K rpc
K rpcuser
B saslauth
K shutdown
K spread
K sshd
K sync
B tcpdump
B tss
B uucp
B vcsa
For CLU:
K adm
B ais
B apache
B avahi
B avahi-autoipd
K bin
K daemon
B dbus
B distcache
B ftp
B haldaemon
K halt
K ipsec-listen
B luci
K mclaw
K mclawxdr
K nagios
K nfsnobody
K nobody
Prerequisites Please consider the below parameter in order to verify if the Customer
requires different rules:
Parameter Description
List of required users List of users that have to be kept (not
deleted and not blocked).
These are usually required for third party
integration.
Risk Some relevant services might stop working if the list is not correct or user
data is deleted.
Risk No remote administration is possible. This may happen for example if a user
account used to login cannot be used e.g. due to password expiration (if
expiry is enabled) or locking after too many failed access attempts.
Risk Some MasterClaw applications may stop working properly since they
depends on ping, e.g. to verify if a host can be reached (see in Selfmon if the
ping checks are enabled).
Once you have modified this file, re-enable tcp.wrappers plugin to update
the system configuration file /etc/sshd.hosts.
Successful ssh attempts are logged in authpriv syslog facility with a priority
of informational.
Failed attempts are logged in authpriv syslog facility with a priority of
notification.
The messages can be found in /var/log/secure by filtering with
FILTERSESS.
If Portmap is running, it will be restarted.
An alternative is the use of firewall, or IPsec solution which includes firewall
settings and does not require manual configuration.
Parameter Description
MC hosts address List and type of all the hosts deployed at a Customer site.
Prerequisites Please consider the below parameter in order to verify if the Customer
require different rules:
Parameter Description
List of required Additional services that are required by third party
services applications or intended as a specific Customer solution.
For each service there could be a line with two fields: service name, required
status.
The required status may assume one of the below values:
● on – the service is added and started;
● off – the service is stopped and removed;
● ignore – the service is ignored, i.e. its status is not modified.
All services not present in the list will be stopped.
If you intend to configure and use IP tables firewall, add iptables on to
the list.
If you intend to use the HP PSP service pack, add lm_sensors on to the
list.
Note that if you need to access CD-ROM or DVD, the rawdevice service
has to be manually started and stopped when it is no longer needed.
In case of MasterClaw server customization for a special customer solution
relying on additional not default services, the server_services.txt file
or server_services.centosrh6_4.txt file have to be updated with it.
Portal The Portal will use a SSL certificate placed in the keystore used by portal:
$QUEST7_ROOT/installed/portal/lib/key/mckeystore
MC Self-Monitoring Selfmon uses the Apache httpd SSL certificate. It is located by default in:
/etc/pki/tls/certs/localhost.crt
That location is defined in /etc/httpd/ conf.d/ssl.conf by the SSLCertificateFile
setting.
The ULP will create an uncertified dummy certificate at installation time. The
dummy SSL certificate is valid for one year.
To create a new self-signed certificate:
1. Execute as root:
# openssl req -new -x509 -nodes -out server.crt -keyout
server.key
2. Edit SSLCertificateFile in /etc/httpd/ conf.d/ssl.conf:
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
3. To add a passphrase to the key use:
# openssl rsa -des3 -in server.key -out server.key.new
2. Create a CRS (Certificate Signing Request) file, for which you will need
to enter:
— Country Name, 2 letters
— State/Province
— Location
— Organization
— Organizational Unit
— Common name (server's fully qualified domain name)
— Email
— Password
Execute command:
# openssl req -new -key server.key -out server.csr
and then submit the information listed above.
3. Submit server.csr to your CA to get the custom certificate for the server:
server.crt.
Insight Server BO uses an uncertified dummy certificate. It is not yet possible to change it.
Note: Depending on the platform installed, the three directories may stem
from the same file system, as shown below:
df -h /tmp/ /var/tmp/ $QUEST7_ROOT/
it returns:
Filesystem Size Used Avail Use% Mounted on
none 30G 5.6G 24G 20% /
none 30G 5.6G 24G 20% /
none 30G 5.6G 24G 20% /
Check the Avail and USE% columns. If you do not have sufficient disk space
available, then you must clean up. You can for instance free disk space by
deleting old log files.
If any of these criteria are not adhered to, the tool will issue a number of error
messages on standard output, and nothing will be removed from CDB.
6.4.1 Installation
Download the TZUpdater tool bundle archive from
http://www.oracle.com/technetwork/java/javase/downloads/tzupdater-
download-513681.html
and unzip it into an appropriate directory.
6.4.2 Usage
The TZUpdater tool modifies the JDK/JRE software instance that is used to
execute the tool. A single image of the JDK/JRE software is modified per
execution. To administer the tool to multiple instances of the JDK/JRE
software, see Section 6.4.3 Systemwide Usage.
You must stop any running instances of the JDK/JRE software to be operated
upon before you run the TZUpdater tool on that installed JDK/JRE software
image.
Run the TZUpdater tool with the following commands:
java -jar tzupdater.jar
options
To update timezone data successfully, you should ensure that you have
sufficient privileges to modify the JDK_HOME /jre/lib or JRE_HOME /lib
directory.
If you do not have sufficient privileges to modify these directories, contact
your system administrator.
If you do not specify any options, the usage message is displayed. To update
the timezone data, specify either the -u or -f option.
Option Description
Print the usage to stdout and exit. Other options are
-h, --help ignored if you specify this option.
Show the tool version number and the tzdata version
-V, --version numbers of the JRE software and the archive embedded in
the JAR file and exit.
Table 6.1 TZUpdater options (Sheet 1 of 2)
Option Description
Update the time zone data and perform verification tests. You
can run the verification tests separately with the -t option. If
-u, --update you specify the -h, -t, or -V options, the command displays
the usage to stdout and exits.
Force update the tzdata even if the version of the tzdata
archive is older than the JRE software's tzdata version.
-f, --force This option does not require the -u option to perform the
update. This option is not needed under normal operating
conditions.
-v, --verbose Display detailed messages to stdout.
Keep backward compatibility with the JDK version 1.1 three-
-bc, -- letter timezone IDs, "MST," EST,"and "HST." Any timezone
backwardcompa IDs that conflict with the JDK version 1.1 timezone IDs will be
tible removed from the installed timezone data. You must specify
the -bc option with the -u, -f or -t option.
Run verification tests only and exit. If the JRE has timezone
data that does not match the data in the tool, the verification
tests report errors and fail. The -f option is ignored if
-t, --test specified. If you specify the -bc option, any test cases for
timezone IDs that conflict with the JDK version 1.1timezone
IDs will be ignored.
Table 6.1 TZUpdater options (Sheet 2 of 2)
The following sections describe the procedure for backup setup and for
restoring it on various types of MC servers.
Conventions Further down in this Section, commands that shall be executed as root are
prefixed with #, e.g.
# mc_backup –e mediation-server-defaults.nin
Commands that shall be executed as mclaw are prefixed with > e.g.
> /opt/anritsu/mc_backup/bin/mc_post_install -v –c
MEDIATION_SERVER
Prerequisites ● Availability of a remote backup host with enough disk space for storing
backup files. Refer to the MC Manual for the disk dimensioning.
● Access as root and oracle to the systems.
● Knowledge and experience in installing and configuring MC applications.
Basic actions required to install applications and enable backup are listed
further down in this document, as example situations. More info as well
as other installation and backup options are described in the specific
application manuals.
Note that the optional MC Security platform package should be the last to be
(re)installed and/or (re)enabled so after restore.
7.2.1 Limitations
For more details about what is backed up for every application, please refer
to Table 7.1.
Backup does not support backup of systems other than Linux servers, such
as:
● Probes and Infoservers – They can be restored on a fresh platform by
Qbase MC Packages
Linux system files
Application
Comments
MS Mediation Server X X X Backup does not include:
(MS) -%(q7path)s/log
-%(q7path)s/data/xdr
-%(q7path)s/data/qxdrs
-%(q7path)s/data/qxdrs/DB
CS Central Server X O/P Database backup applies to:
(CS) ● cdb
● Security
● QDASHS
● event
● qfd
Qbase MC Packages
Linux system files
Application
Comments
MS DWH-NDAF Server X X X X The backup of the Vertica data is handled by
Vertica platform and not integrated in MC Backup
due to the large amount of data.
The backup of Vertica data includes:
- FULL DB
- single schema
- metadata
MS NDAF X X The backup does not include data i.e. eoDR buffer
MS NDAF-tool X X
CS/MS MC libraries X
CS/MS java-libs X X
CS/MS sdlt X X
CS options X CDB configuration covered by Central Server
Oracle or PostgreSQL backup.
CS deploy-server X X CDB configuration covered by Central Server
Oracle or PostgreSQLbackup.
CS probe-conf X
CS probe-sims X
CS qlinux-base X
CS qmpa5 X
CS qpmscans X X
Table 7.1 Application support details (Sheet 2 of 8)
Qbase MC Packages
Linux system files
Application
Comments
CS Uninorm X
CS qprotinst X
CS qpss X
CS Dialogue names X X
CS/MS qpas2 X X
CS/MS protocol-servers X X
CS enterprise-model X X CDB configuration covered by Central Server
Oracle or PostgreSQL backup.
CS qalarms X X CDB configuration and CDB model extension
covered by Central Server Oracle or PostgreSQL
backup.
CS qalarm X X
CS security X X Audit DB and CDB configuration and CDB model
extension covered by Central Server Oracle or
PostgreSQL backup.
CS qdashs X X CDB configuration and CDB model extension
covered by Central Server Oracle or PostgreSQL
backup.
CS portal X X CDB configuration and CDB model extension
covered by Central Server Oracle or PostgreSQL
backup.
Table 7.1 Application support details (Sheet 3 of 8)
Qbase MC Packages
Linux system files
Application
Comments
CS security X X CDB configuration and CDB model extension
covered by Central Server Oracle or PostgreSQL
backup.
CS documentation X
CS configtool X X CDB configuration covered by Central Server
Oracle or PostgreSQL backup.
qmon X X CDB configuration supported by CS, MS and DS
server type backup
CS probescan X X CDB configuration and CDB model extension
covered by Central Server Oracle or PostgreSQL
backup.
CS CDB and CDB X X CDB DB covered by covered by Central Server
model Oracle or PostgreSQL backup.
CS QNSS X X
CS/MS MSISDN IMSI X X MSISDN-IMSI data base content is not backed up.
Central Server
CS cdb-operator-loader X CDB DB covered by Central Server Oracle or
PostgreSQL backup.
CS cdb-ssa-it X CDB DB covered by Central Server Oracle or
PostgreSQL backup.
MS cis X X
Table 7.1 Application support details (Sheet 4 of 8)
Qbase MC Packages
Linux system files
Application
Comments
CS info-servers X
MS mcls X X
mcls-model X
qdm-cdb-dl X
qdm-device-db X
MS Data Record X X Backup includes correlation rule definition, xDR/
Gateway eoDR format definition, active generation status
Qbase MC Packages
Linux system files
Application
Comments
MC Insight X X X Backup does not include:
-%(q7path)s/log
- BO binaries and configuration files
It includes:
- reports
- scheduled reports
- users
CS eoFinder X X CDB configuration, CDB model extension, and
GDS content are covered by Central Server Oracle
or PostgreSQL backup.
MS eoFinder Browse P/R X X
CS/MS eoFinder Data X X The storage is not backed up (Manual restore is
Analysis Server needed)
CS/MS eoFinder Trace X X
Server
MS eoLive X X CDB configuration and CDB model extension e.g.
for user settings, dataviews covered by Central
Server Oracle or PostgreSQL backup.
Qbase MC Packages
Linux system files
Application
Comments
CS map-server X X CDB configuration and CDB model extension
covered by Central Server Oracle or PostgreSQL
backup.
Qbase MC Packages
Linux system files
Application
Comments
DS eoPath Commit X X
DS eoPath Device X X
Table 7.1 Application support details (Sheet 8 of 8)
● SRV plugin
● BO platform
● MC qbase applications
Or:
# mc_backup –i /opt/anritsu/mc_backup/lib/
post_install/plugins/ mcbackup-config-defaults.nin
The restore point to consider shall have the names BACKUP IDs, like these:
HOSTNAME:mcbackup-config-
defaults:YYYYmmddHHMM:YYYYmmddHHMM HOSTNAME:bo-
server-
defaults:YYYYmmddHHMM:YYYYmmddHHMM
Please notice that in the examples provided further down, it is assumed that
the system shall be recovered from 2012-12-23 11:00.
Restore on another To restore the backup on another BOAS, you can follow the above
BOAS procedure “Restore on the same BOAS” until step 5, and then continue with
steps 6-9 here below.
3. See Linux Installation and Configuration Guide and Common Data Warehouse and MC
Insight Installation & Administration Manual
# mc_backup –e central-server-defaults
Restore To restore a Central Server, you need a non corrupted functioning host with
● ULP configured with the same hostname (same IP and hostname)
● SRV
● Oracle or PostgreSQL, identical version
The following steps must be performed:
● Step 1 – Install Platform
● Step 2 – Disable qmon service
● Step 3 – Shut down MasterClaw
● Step 4 – Install MC Backup and Start Service
● Step 5 – Find Restore point
● Step 6 – Restore MC Backup Configuration backup
● Step 7 – Restore MC Backup Central Server plugin
● Step 8 – Restart the host
● Step 9 – Restore Oracle/PostgreSQL data
● Step 10 – Restart MasterClaw
● Step 11 – Enable qmon service
● Step 12 – Enable IPSec
Basically, it is needed to get the last available full backup and the whole
archive backup since then.
In the next section examples, it is however assumed that the system shall be
recovered from 2012-12-23 11:00.
Get all the needed Oracle data out of MC backup, from multiple points
backup IDs.
E.g.:
# mc_backup --restore=HOSTNAME:rman-archive-
logs:...:201301062300
# mc_backup --restore=HOSTNAME:rman-full-
backup:...:201301062300
# tar –xvjf <rman archive log backup filename> -C /
# tar –xvjf <rman full backup filename> -C /
Note that the Oracle restore point shall be consistent with the applications
installed on this host or on any other. If not, it may be required to reinstall or
reconfigure the applications.
Follow the rman restore steps described in the MC Backup Installation
Manual.
For Oracle: As oracle user, restore the data exported from backup4
For PosgreSQL: As root user, restore the data exported from backup5.
4. See MC Backup Installation Manual - Oracle section
The DWH backup procedure depends on the Oracle deployment, which can
be:
● Standard, i.e. Oracle deployed on the same DWH backend host
● ETL separation, i.e. Oracle alone on another host.
Standard Deployment
Backup setup For DWH backup, follow the instructions in Common Data Warehouse and
MC Insight Installation and Administration Manual.
The following actions must be performed to enable the backup of MC
applications on an uncorrupted and fully configured host (e.g. with ULP,
SRV, Qbase system, etc.).
Step 1 – Install MC Platform and Applications
Step 2 – Install MC Backup and Start Service
Step 3 – Enable MC Backup MCBACKUP_CONFIG plugin
Step 4 – Enable MC Backup DWH server plugin
Step 5 – Enable DWH Metamodel and Aggregation backup
# mc_backup –e mcbackup-config-defaults
Or
> /opt/anritsu/mc_backup/bin/mc_post_install -v –c
DWH_SERVER
# mc_backup –e dwh-server-defaults
6. Restart DWH
> <dwh_name> start all
Restore To restore a DWH server, you need a non-corrupted functioning host with:
● ULP, configured with the same hostname (with same IP and hostname)
● SRV
● Oracle, identical version
● DWH framework and backend with identical version
The restore point to consider have by default the names BACKUP IDs, as
follows:
HOSTNAME:mcbackup-config-
defaults:YYYYmmddHHMM:YYYYmmddHHMM
HOSTNAME:dwh-server-defaults:YYYYmmddHHMM:YYYYmmddHHMM
HOSTNAME:hour:YYYYmmddHHMM:YYYYmmddHHMM
HOSTNAME:daily:YYYYmmddHHMM:YYYYmmddHHMM
HOSTNAME:montly:YYYYmmddHHMM:YYYYmmddHHMM
HOSTNAME:metamodel:YYYYmmddHHMM:YYYYmmddHHMM
BACKUP IDs:
1* HOSTNAME:dwh-server-defaults:...:201112122300
HOSTNAME:hour:...:201112122300
HOSTNAME:metamodel:...:201112122300
2* HOSTNAME:dwh-server-defaults:...:201112222300
HOSTNAME:hour:...:201112222300
HOSTNAME:metamodel:...:201112222300
3* HOSTNAME:dwh-server-defaults:...:201301062300
HOSTNAME:hour:...:201301062300
HOSTNAME:metamodel:...:201302062300
In the above example, if on 2013-01-07 it is needed to restore a DWH data
generated before a major backend upgrade, then it is required to perform
the restore incrementally; one must also consider that DWH data must be
ingested using the same backend version that has generated it.
E.g.
1. restore DWH server and then DWH data until 2011-12-12 23:00 (next
Steps 5 and 6).
2. restore DWH server and then DWH data from 2011-12-12 23:00 to
2012-12-12 23:00 (next Steps 5 and 6).
This imply that there will be a hole in the recovered data. If the exact hour
of backend installation is known then it is possible to recover some
additional hour aggregation data.
3. restore DWH server and then DWH data from 2012-12-13 23:00 to
2013-01-06 23:00.
Get all the needed DWH data out of MC backup, by restoring data from
multiple backup points, e.g.:
# mc_backup --restore=HOSTNAME:hour:201212232300:...
...
# mc_backup --restore=HOSTNAME:hour:...:201301062300
# mc_backup --restore=HOSTNAME:metamodel:201212232300:...
...
# mc_backup --restore=HOSTNAME:metamodel:...:201301062300
<locations_r>
# <dwh_name> restore
ETL Separation
3. Start service
E.g.
# service mc_backup start
Configure Connection with remote host generating and storing RSA keys
(e.g. mc_backup generate-rsa) and then checking the connection
(e.g. mc_backup check-remote-connection)
E.g.
# /opt/anritsu/mc_backup/mc_post_install –c MCBACKUP_CONFIG
Or
# mc_backup –i /opt/anritsu/mc_backup/lib/post_install/plugins/
mcbackup-config-defaults.nin
E.g. as mclaw
> /opt/anritsu/mc_backup/bin/mc_backup –i /opt/anritsu/
mc_backup/lib/post_install/plugins/mediation-server-
defaults.nin
Or
> /opt/anritsu/mc_backup/bin/mc_post_install -v –c
MEDIATION_SERVER
# mc_backup –e mediation-server-defaults.nin
E.g.
# platformPatchManager applyPatch /root/backup-x.y.z.pkg
3. Start service
E.g.
# service mc_backup start
10. According to instructions you can find in Common ULP Installation Manual and MC Back-
up Installation Manual
Note that the restore point shall be consistent with the CDB content since
application may have extended the CDB model or updated its content. If not
application may need to be reinstalled or reconfigured.
The restore point to consider have the names BACKUP IDs like thise:
HOSTNAME:mcbackup-config-
defaults:YYYYmmddHHMM:YYYYmmddHHMM
HOSTNAME:mediation-server-
defaults:YYYYmmddHHMM:YYYYmmddHHMM
In the next section examples, it is however assumed that the system shall be
recovered from 2012-12-23 11:00.
Backup setup For every node, follow the procedure described in Section 7.2.9 Mediation
Server then follow the instruction in eoFinder Browse Installation and
Administration Manual, section “Rainstor Backup and Restore”.
Rainstor backup is integrated with mc_backup using eofb-loader plugin: for
further details, please see eoFinder Browse Installation and Administration
Manual.
PostgreSQL
The below procedure only applies to eoFinder Browse with PostgreSQL.
Backup setup For every node, follow the procedure described in Section 7.2.9 Mediation
Server, provided that you install PostgreSQL after SRV in Step 1.
Name Description
QUEST7_ROOT The root of the MasterClaw system. Set up this variable
before calling q7env if MasterClaw is not placed in
/opt/anritsu/mclaw.
PATH Path used by shells to find programs. The directory
${QUEST7_ROOT}/bin is appended if not already
present.
LD_LIBRARY_PATH Path used to search for shared libraries. The directory
${QUEST7_ROOT}/shlib is appended if not already
present.
Table 8.1 MC environment variables
You need the first command only if MasterClaw is not placed in /opt/anritsu/
mclaw/.
Add the command to the .profile of the root user and all users that should
be able to run MasterClaw applications.
To ensure that new users will automatically source the QUEST7 environment,
enter the following line in the file /usr/skel/.profile:
. ${QUEST7_ROOT}/bin/q7env
Term Definition
production system The system on which MasterClaw is running at the customer.
Third-party product on which MasterClaw depends is
assumed to be installed.
package A set of files that makes up an integrated functionality of
MasterClaw, e.g., qsa, TOPO, qpa, and qst.
A package can exist (and usually does) in more than one
version.
A package is identified by a name and a version number. Each
package can depend on a set of other packages.
loaded A package is said to be ’loaded’ on a production system if the
files of the package are physically available in the file system
of the production system (e.g., a tar file with the package has
been copied into the local file system). More than one version
of a package can be loaded simultaneously. Each package
version is placed in a separate base directory.
installed A package is said to be ’installed’ on a production system if the
functionality of the package is integrated into the operating
MasterClaw system on that production system. Except for the
qlib packages, only one version of each package can be
installed on a production system simultaneously.
public programs Programs that can be started directly by a user. In MasterClaw
only a few programs can be started directly. Most programs
are started by other programs (e.g., TeMIP).
installation script Script that is executed when a loaded MasterClaw package is
installed into the MasterClaw system.
deinstallation script The reverse of the installation script.
Table 8.2 Terms used in the directory structure
Common root All files used on the package system are placed under a common root
denoted by the environment variable QUEST7_ROOT.
The default value of this variable is /opt/anritsu/mclaw
Symbolic links Whenever possible, symbolic links are used between the installed package
and the loaded package to keep disk usage as low as possible. Symbolic
links within the ${QUEST7_ROOT} directory structure are always relative;
this ensures that the ${QUEST7_ROOT} can be moved without extensive
rework of all links.
All files in the ${QUEST7_ROOT}/packages/<name>-<version>/
{bin,shlib,shlib64, jar}, directories are installed in ${QUEST7_ROOT}/
{bin,shlib, shlib64, jar} as symbolic links when the package is installed (an
attempt to install the same name from more that one package is a fatal error).
Some packages will have files that must be installed outside the
${QUEST7_ROOT} structure. The installation and deinstallation scripts of the
packages take care of this.
Overview of directory The following files and directories are found under ${QUEST7_ROOT}:
structure
${QUEST7_ROOT}/packages/
This directory contains a subdirectory for each loaded MasterClaw package.
Each subdirectory is of the form <name>-<version>, e.g., qsa-1.1,
qpac-1.3, and qlib-3.1. More than one version of a package can be present.
All files under this directory are read-only except at the time when the files are
loaded into the production system. This is required for easy sharing of the
files between different MasterClaw production systems, either on the same
machine or on different machines (through use of NFS).
${QUEST7_ROOT}/packages/<name>-<version>/
Directory with a package. In general, each package will have the structure
described below.
${QUEST7_ROOT}/packages/<name>-<version>/bin/
All public programs of the package.
’Private programs’ are normally put in the lib directory (see below).
${QUEST7_ROOT}/packages/<name>-<version>/nin/
All NIN-files used by this package.
${QUEST7_ROOT}/packages/<name>-<version>/rc.d/
A number of shell scripts that are executed by the MasterClaw administration
command (see below) during different phases of the life cycle of a
MasterClaw system.
${QUEST7_ROOT}/packages/<name>-<version>/rc.d/install
Script executed to install the package. The script will do the following:
Install files that should not be located in:
${QUEST7_ROOT}/packages/<name>-<version>/bin or
${QUEST7_ROOT}/packages/<name>-<version>/shlib.
Examples are:
● Configuration files (so-called .NIN files) that must be edited by the
administrator. A description of the needed changes is included in the
release notes.
● TeMIP files, such as .def and .ms files.
Run the setup-links script to setup all the links needed for the new package.
${QUEST7_ROOT}/packages/<name>-<version>/rc.d/env
Korn script sourced to setup environment variables specific to this package.
${QUEST7_ROOT}/packages/<name>-<version>/rc.d/sys.start
Script executed when q7adm start is executed.
${QUEST7_ROOT}/packages/<name>-<version>/rc.d/sys.stop
Script executed when q7adm stop is executed.
${QUEST7_ROOT}/packages/<name>-<version>/lib/
All other libraries and miscellaneous files in the package.
There is no common structure below this directory.
${QUEST7_ROOT}/packages/<name>-<version>/client/
Application description used by MasterClaw Portal.
${QUEST7_ROOT}/installed/
This directory contains a symbolic link for each installed package.
${QUEST7_ROOT}/installed/<name>/
Symbolic link to ../packages/<name>-<version>. This link can be used by an
installed package to access private files in the package.
The link is also used by the MasterClaw administration command to access
files in all installed packages.
${QUEST7_ROOT}/data/
This directory contains an optional subdirectory for each installed package.
${QUEST7_ROOT}/data/<name>/
This directory can be used by an installed package for private data files that
can change during the operation of the MasterClaw system. The structure of
the files and directories under this directory is private to the package. The
installation procedure of a newer version of a package takes account of any
data files found here and converts them as needed.
Any NIN-files of the package that can be changed by the user are placed in
the ${QUEST7_ROOT}/nin/ directory described below.
Data that must be shared across several systems of MasterClaw (or even
across centres), will not be located in the file system, but rather in the general
data store.
${QUEST7_ROOT}/bin/
This directory contains the public programs of MasterClaw. Most programs
found here are symbolic links to the appropriate packages (e.g., on the form
../installed/<name>/bin/...).
${QUEST7_ROOT}/bin/q7env
Shell script that can be sourced to set up all relevant environment variables
for a Korn shell script.
${QUEST7_ROOT}/bin/q7adm
Command that is used for all management of a MasterClaw installation.
${QUEST7_ROOT}/shlib/
This directory contains all shared libraries of the installed packages. Most
files found here are symbolic links to the appropriate packages (e.g., of the
form ../installed/<name>/shlib/lib...).
${QUEST7_ROOT}/nin/
This directory contains all NIN-files that can be modified by the user.
Acronym Explanation
AAMM Anonymous Access Mobility Management
AAPDP Anonymous Access Packet Data Protocol
ACELP Algebraic Codebook Excited Linear Predictor
ADR A-interface Data Record
AGCH Access Grant Channel
APM Application Program Manager
APN Access Point Name
ARFCN Absolute Radio Frequency Channel Number
AS Application Server
ASR Answer to Seizure Ratio
ATM Asynchronous Transfer Mode
AUC Authentication Centre
BCC Base Station Colour Code
BCCH Broadcast Control Channel
BCF Base Control Function
BCH Broadcast Channels
BCS Block Check Sequence
BGCF Breakout Gateway Control Function
BHCA Busy Hour Call Attempt is the average number of calls the user
tries to initiate in one hour
BI Business Intelligence
BLCPU Business Logic CPU
Table 9.1 Acronyms (Sheet 1 of 10)
Acronym Explanation
BO Business Objects
BS Billing System
BSC Base Station Controller
BSIC Base Station Identify Code
BSS Base Station Sub-System
BSSAP BSS Application Part
BSSGP BSS GPRS Protocol
BSSMAP BSS Management Application Part, Layer 3 Protocol for
communication between MSC and BSC
BTS Base Transceiver Station
BVCI BSSGP Virtual Circuit Identifier
CA Certificate Authority
CAMEL Customised Applications for Mobile Network Enhanced Logic
CAP CAMEL Application Part
CAS Channel Associated Signalling
CBCH Cell Broadcast Channel
CC Country Code
Call Control
CCH Common Channels
CDB Configuration Database
CDBS Configuration Database Server
CDR Call Data Record
Call Detail Record
CGI Cell Global Identity
CI Cell Identity
CIC Circuit Identity Code
CIS Central IMEI Server
CKSN Cipher Key Sequence Number
CLI Command Line Interface
CM Connection Management
CMM Combined Mobility Management
CMS Control Management System
CN Core Network
CPCI Compact PCI - a dedicated physical implementation of the PCI bus.
CRC Cyclic Redundancy Check
CRS Certificate Signing Request
CS Circuit Switched / Central Server
CSC Central Surveillance Centre
CSCF Call Session Control Function
CSDR Call Sequence Data Record
CSP Communication Service Provider
CTX Context
DC Derived Counters
Table 9.1 Acronyms (Sheet 2 of 10)
Acronym Explanation
GGSN Gateway GPRS Support Node
GMM GPRS Mobility Management
GMSC Gateway Mobile Switching Centre
GMSK Gaussian Minimum Shift Keying
GPRS General Packet Radio Service
GPS Global Positioning System
GR Group
GRR GPRS Radio Resource
GSDC Generic Setup Dialogue Component
GSM Global System for Mobile Communications
GSMSCF GSM Service Control Function
GT Global Title
GTP GPRS Tunnelling Protocol
GTTP GPRS Transparent Transport Protocol
GUI Graphical User Interface
HCS Header Check Sequence
HL Header Length
HLR Home Location Register
HPLMN Home Public Land Mobile Network
HSS Home Subscriber Server
HSSL High Speed Signalling Links
HTTP HyperText Transfer Protocol
HTTPS Secure Hyper Text Transfer Protocol
HW Hardware
I-CSCF Interrogating-CSCF
IAM Initial Address Message (TUP, ISUP)
ICP Inter Connect Partner
IETF Internet Engineering Task Force
IMEI International Mobile Equipment Identity
IMS IP Multimedia Subsystem
IMSI International Mobile Subscriber Identity
IP Internet Protocol
IR Incremental Redundancy
ISDN Integrated Services Digital Network
ISUP ISDN User Part
IWF Inter-Working Function
JNLP Java Network Launch Protocol
KC Cipher Key
KPI Key Performance Indicator
KQI Key Quality Indicator
LA Location Area
LAC Location Area Code
Table 9.1 Acronyms (Sheet 4 of 10)
Acronym Explanation
MT Mobile Terminated
MTBF Mean Time Between Failures
MTP Message Transfer Part
MTP2 Message Transfer Part Level 2 (Signalling Link Level) Peer-to-
peer signalling (MSU, LSSU, FISU)
MTP3 Message Transfer Part Level 3 (Signalling Network Level), routing
of messages from an OPC to a DPC by a routing label in
Connectionless mode
MV Materialised View
N/A Not Applicable
NAT Network Address Translation
NCC Network Colour Code
NCH Notification Channel
NDC National Destination Code
NE Network Element
NER Network Efficiency Ratio
NGN Next Generation Network
NISC Network Item Selection Component
NL Number Length
NMSI National Mobile Subscriber Identity
NPDU Network Protocol Data Unit
NS Network Service
NSS Network Subsystem
NSAPI Network Service Address Point Identity
NT-APM Application Program Manager for Windows NT
NTP Network Time Protocol
O10gAS Oracle 10g Application Server
OA Onboard Administrator
OBSCR Traffic Observer Statistical Counter Record (File format)
O&M Operation and Maintenance
OMA Open Mobile Alliance
OMC Operational Management Centre
OPC Originating Point Code
OSS Operation Support Systems
OTID Originating Transaction ID
P-CSCF Proxy-CSFC
PACCH Packet Associated Control Channel
PAGCH Packet Access Grant Channel
PBCCH Packet Broadcast Control Channel
PC Personal Computer or Server
PCAP Packet Capture
PCCCH Packet Common Control Channel
PCH Paging Channel
Table 9.1 Acronyms (Sheet 6 of 10)
Acronym Explanation
QNCKPI MasterClaw Network Call KPI
QoS Quality of Service
QPA MasterClaw Protocol Analysis - old UNIX based
QPA2 MasterClaw Protocol Analysis - new Java GUI
QPAS2 MasterClaw Protocol Analysis Server
QPECC MasterClaw Protocol Event Collector Client
QPECS MasterClaw Protocol Event Collector Server
QPM MasterClaw Probe Manager
QPTL MasterClaw Portal
QRS MasterClaw Roaming Statistics
QRSDWH MasterClaw Roaming Statistics DWH
QST MasterClaw Statistics Application
QTCAPDWH MasterClaw TCAP KPI DWH application
QTOBS MasterClaw Traffic Observer
QTOBSCFG MasterClaw Traffic Observer Configuration Tool
QTRG MasterClaw Trigger
QXDRS XDR Generator Server
RA Routing Area
RAC Routing Area Code
RACH Random Access Channel
RAI Routing Area Identity
RAN Radio Access Network
RANAP Radio Access Network Application Part
RAND Random number
RAU Routing Area Update
RDBMS Relational Database Management System
RF Radio Frequency
RFQ Request For Quotation
RLC Radio Link Control
RMAN Oracle Restore Manager
RNC Radio Network Controller
RR Radio Resource
RSC Regional Surveillance Centre
RSL Radio Signalling Link, protocol at A-bis interface
RTCP Real Time protocol Control Protocol
RTT Round-trip time.
RV Release Value
RVG Release Value Group
SAC Service Area Code
S-CSCF Serving-CSCF
SABM Set Asynchronous Balanced Mode
SACCH Slow Associated Control Channel
Table 9.1 Acronyms (Sheet 8 of 10)
Acronym Explanation
TCP/IP Transmission Control Protocol/Internet Protocol
TDM Time Domain Multiplexing
TDMA Time Division Multiple Access
Transaction Data Record
TDR
TCAP Data Record
TEI Terminal Endpoint Identifiers
TEID Tunnel End-point ID. A number unique defining a tunnel ID in one
direction.
TeMIP Telecommunications Management Information Platform
TI Transaction Identifier
TID Tunnel ID. A field in the Gb release ’98 header, comprising of IMSI
and NSAPI.
TLLI Temporary Logical Link Identifier
TMSI Temporary Mobile Subscriber Identity
TOBS Traffic Observer
TOM Tunnelling of Messages
TRAU Transcoding and Rate Adaption Unit
TRX Transceiver
TT Transfer Time
UA Unnumbered Acknowledge
UDP User Datagram Protocol
UDT / UDTS The TCAP layers use exclusively the connectionless service of
SCCP (protocol class 0 and 1). The consequence is that SCCP-
UDT messages are the only candidates for transport of TCAP
messages.
UE User Equipment
UL Uplink
UMTS Universal Mobile Telecommunications System
URD User Requirement Document
USF Uplink Status Flag
UTC Coordinated Universal Time
UTRAN UMTS Terrestrial Radio Access Network
VAS Value Added Service (Location based service, SMS welcome etc.)
VDR Voice Over IP Data Record
VLDB Very Large Data Base
VLR Visitor Location Register
VoIP Voice over IP
WAN Wide Area Network
WAP Wireless Application Protocol
xDR A generic term for Data Record (may be ADR, TDR, etc.)
AAMM Anonymous Access Mobility Management
AAPDP Anonymous Access Packet Data Protocol
Table 9.1 Acronyms (Sheet 10 of 10)