Professional Documents
Culture Documents
Security Management
DN09231593
Issue: 1-3
Security Management DN09231593 1-3 Disclaimer
The information in this document applies solely to the hardware/software product (“Product”) specified herein, and only as specified herein.
This document is intended for use by Nokia' customers (“You”) only, and it may not be used except for the purposes defined in the agreement
between You and Nokia (“Agreement”) under which this document is distributed. No part of this document may be used, copied, reproduced,
modified or transmitted in any form or means without the prior written permission of Nokia. If you have not entered into an Agreement
applicable to the Product, or if that Agreement has expired or has been terminated, You may not use this document in any manner and You
are obliged to return it to Nokia and destroy or delete any copies thereof.
The document has been prepared to be used by professional and properly trained personnel, and You assume full responsibility when using
it. Nokia welcome Your comments as part of the process of continuous development and improvement of the documentation.
This document and its contents are provided as a convenience to You. Any information or statements concerning the suitability, capacity,
fitness for purpose or performance of the Product are given solely on an “as is” and “as available” basis in this document, and Nokia reserves
the right to change any such information and statements without notice. Nokia has made all reasonable efforts to ensure that the content of
this document is adequate and free of material errors and omissions, and Nokia will correct errors that You identify in this document. But,
Nokia' total liability for any errors in the document is strictly limited to the correction of such error(s). Nokia does not warrant that the use of
the software in the Product will be uninterrupted or error-free.
This document is Nokia’ proprietary and confidential information, which may not be distributed or disclosed to any third parties without the
prior written consent of Nokia.
Nokia is a registered trademark of Nokia Corporation. Other product names mentioned in this document may be trademarks of their
respective owners, and they are mentioned for identification purposes only.
Nokia is continually striving to reduce the adverse environmental effects of its products and services. We would like to encourage you
as our customers and users to join us in working towards a cleaner, safer environment. Please recycle product packaging and follow the
recommendations for power use and proper disposal of our products and their components.
If you should have questions regarding our Environmental Policy or any of the environmental services we offer, please contact us at Nokia for
any additional information.
Security Management DN09231593 1-3 Table of Contents
Contents
1 Summary of changes...................................................................................................................................... 6
3 EdenNet passwords...................................................................................................................................... 15
4 Security updates............................................................................................................................................16
6 Security supervision..................................................................................................................................... 18
6.1 Enable IPv6 External communication..................................................................................................... 19
6.2 Force Regenerating Certificates and API Secret....................................................................................19
6.3 Security supervision on the Linux OS level............................................................................................20
6.4 Log files................................................................................................................................................... 22
6.5 Security supervision on EdenNet application level.................................................................................22
6.6 EdenNet audit logs..................................................................................................................................23
6.6.1 Syslog forwarding........................................................................................................................... 23
6.6.1.1 Enabling RHEL OS audit log forwarding............................................................................... 25
6.6.1.2 Disabling RHEL OS audit log forwarding...............................................................................27
6.6.1.3 Enabling EdenNet application audit log forwarding............................................................... 27
6.6.1.4 Disabling EdenNet application audit log forwarding...............................................................28
6.6.1.5 Reconfiguring RHEL OS audit logs forwarding......................................................................29
6.6.1.6 Reconfiguring EdenNet application audit logs forwarding......................................................30
6.6.2 Transport layer security (TLS)........................................................................................................ 30
6.6.2.1 Transport layer security certificates....................................................................................... 30
6.6.2.1.1 Signing of certificates by external CA........................................................................... 31
6.6.2.1.2 Signing of certificates by internal CA............................................................................ 32
6.6.3 Audit configuration.......................................................................................................................... 34
12 System hardening........................................................................................................................................57
12.1 Operating system hardening.................................................................................................................57
12.1.1 Executing security hardening script..............................................................................................57
12.1.2 Enabling or disabling root login.................................................................................................... 58
12.1.3 Hardening assets included in EdenNet........................................................................................ 58
12.1.4 Changing <installation_user> password.......................................................................................65
12.1.5 Changing password of enet user................................................................................................. 66
12.1.6 Configuring removal of unused packages.................................................................................... 66
12.1.7 Setting warning banner for standard log in services.................................................................... 66
12.2 Database hardening.............................................................................................................................. 67
12.2.1 Database logs............................................................................................................................... 68
12.2.2 Log rotation policy........................................................................................................................ 68
12.2.3 Management of secure database server communications...........................................................68
12.3 Web services hardening....................................................................................................................... 69
14 Security Events............................................................................................................................................82
14.1 Configuring retention period for security events................................................................................... 83
16 Appendix.....................................................................................................................................................119
1 Summary of changes
Updated section:
Updated section:
• Custom certificate
Updated sections:
• Certificate generation
• Custom certificate
• Using a custom certificate
• Firewall rules
• Virtualization security
Updated sections:
Deleted sections:
Updated sections:
• Virtualization security
• Password policy for Linux OS users
• Hardening assets included in EdenNet
• Database logs
• Spark Primary nodes
• Spark Secondary nodes
• Cassandra DB Server nodes
Updated sections:
• Database hardening
• Database logs
• Log rotation policy
• Enable IPv6 External communication
Updated sections:
• Virtualization security
• Hardening assets included in EdenNet: The list of security hard-
ening functionalities provided by secpam is updated.
• Generating or renewing SSL certificates and keys
• Security supervision
• External directory server attributes
Updated sections:
• AC Application node
• FM Service nodes
• FM DB nodes
• Hardening assets included in EdenNet
• Appendix
Removed section:
Updated sections:
Added sections:
• Virtualization security
• Management of secure database server communications
• Generating sudoers file
• Hardening assets included in EdenNet
• Troubleshooting security management
EdenNet 19 FP 1905 The Disabling RHEL OS audit log forwarding section is updated.
EdenNet 19 FP 1904 All instances of Custom modules are changed to Adapted modules
in the following section:
• Task servers
Updated sections:
• Certificate generation
• Configuring retention period for security events
• Firewall rules
• LDAP users
• Configuring removal of unused packages
Added content:
EdenNet 17 SP1 The Using a custom certificate section has been updated.
LDAP users
Modified sections:
Linux OS users
EdenNet 16 SP3 Configuring syslog forwarding and Transport layer security sections
added.
EdenNet 16 This is a new document that provides information on the security as-
pects for EdenNet.
3 EdenNet passwords
There are certain users created automatically during EdenNet installation.
Note: Nokia recommends to change the default password of users immediately after Eden-
Net installation.
Table 2: Users that require password change lists the users whose default passwords must be
changed.
4 Security updates
When a security vulnerability is discovered in any Red Hat Enterprise Linux (RHEL) package, RHEL
errata containing the fix is released. The RHEL errata is delivered as an ISO image containing the yum
repository.
If you face any issues during installation, contact Nokia technical support.
4. Switch to root user and copy the security_hardening_sudoers file to the following directory
of each target server:
- /etc/sudoers.d
Expected outcome
6 Security supervision
Security supervision is performed by logging and tracing the user's activities (for example, log in or log
out attempts, password changes, and so on). Audit logging is a crucial security feature. It helps to de-
tect any potential security issues and to analyze the system after a security breach. An audit log is a
security relevant chronological record or a set of records, and/or destination and source of records that
provide documentary evidence of the sequence of activities that have affected a specific operation,
procedure, or event, at any time.
Note:
Users must take care of audit logging and security hardening and Nokia is not responsi-
ble for the same.
– hardening and audit logging will continue to be enabled if the previous state was en-
abled (when enable_audit_logging_and_hardening inventory parameter is
set to True).
– hardening and audit logging will be disabled if the previous state was disabled (when
enable_audit_logging_and_hardening inventory parameter is set to False).
– if the value of the enable_audit_logging_and_hardening inventory parame-
ter is set to True, hardening and audit logging functionality will be available (even for
scratch installation).
– if the value of the enable_audit_logging_and_hardening inventory parameter
is set to False, hardening and audit logging functionality will not be available (even
for scratch installation).
dit logging functionality will not be present, irrespective of the parameter value used dur-
ing the next upgrade.
• The target VMs must support IPv6 dualstack configuration and must be enabled in VM network.
• Security hardening must be enabled. The enable_audit_logging_and_hardening inventory
parameter value must be set to True.
During subsequent upgrades, the following table depicts the status of IPv6 external communication for
different inventory flag combinations:
Note:
• Regenerates the certificate, keys, and API secrets during upgrade to EdenNet 21 and
above releases.
• Must be set to True on the first upgrade to EdenNet 21 from previous releases.
When this inventory flag value is set to True, all the migration scenarios are:
Table 5: Events recorded in log files on Linux OS level describes the log files.
Events Description
Audit system events Triggered when the Audit system daemon is start-
ed/stopped/crashed or its configuration is modi-
fied.
Other, general SELinux audit events Triggered when the SELinux policy is changed
or reloaded, enforcement mode is changed, or
SELinux kernel error occurs.
Changes of important configuration parameters Triggered when the changed configuration para-
meters are:
• Audit configuration
• rsyslog configuration
• Logrotate configuration
• Cron configuration
• Login configuration
• Network configuration
• NTP configuration
• Library search path
• Local timezone
• Kernel parameters
• Modprobe configuration
• Pluggable Authentication Modules (PAM) con-
figuration
• Screen configuration
• SSH configuration
• Sudo configuration
• MySQL configuration
• EdenNet services' configuration
• Time changes
Events Description
• Domain/hostname changes
System logs modifications Triggered when the system logs are modified.
Startup scripts modifications Triggered when the startup scripts are modified.
All actions performed by privileged users Triggered when the Linux OS commands are exe-
cuted by the following users:
• root
• vson
• enet
• <installation_user>
Unauthorized attempts to access resources Triggered when any unauthorized attempts are
made.
Changes to the user profiles Triggered when changes are made to the user
profiles.
The audit logs are stored in RAW format. These logs can be read using any text viewer or editor, but
there are special tools that help with this namely, aureport and ausearch.
Security related logs are also written to /var/log/secure file. This file contains information related
to authentication and authorization. For example, sshd and sudo log messages are written in /var/
log/secure, including unsuccessful login attempts.
Table 6: Events recorded in log files on application level describes the events logged as part of securi-
ty audit logging.
Events Description
For example:
Accessing security events All attempts to access security events are logged.
This section explains how to administer the settings related to EdenNet audit logging.
Note: Audit log forwarding cannot be performed with a non-root user and requires root ac-
cess to execute the following operation:
–Enet_audit_forwarding.sh script
Security events, both OS and application level, can be forwarded to the remote server using syslog
protocol for further processing and/or storage. Syslog forwarding via User Datagram Protocol (UDP)
and Transmission Control Protocol (TCP) is supported. Transport layer security (TLS) encryption can
be enabled if needed.
Note:
• On external servers, users must take care of log management activities such as log re-
tention and rotation policy. Nokia is not responsible for the same.
Syslog forwarding can be configured through the command line interface using the
enet_audit_forwarding.sh script. This script is deployed in /opt/nokia/audit/bin directory.
enet_audit_forwarding.sh <os|application|both>
<enable|disable|modify> [-s|--server <remote_server_address>] [--tcp|--
udp]
[-p|--priority <priority>] [-f|--facility <facility>]
[--tls|--notls]
The first command line argument is always mandatory and specifies which audit logs are considered,
RHEL OS audit logs (os), EdenNet application audit logs (application) or both (both).
The second command line argument is always mandatory as well and specifies whether forwarding
should be enabled (enable), disabled (disable) or re-configured (modify).
Optional com-
mand line argu- Description Possible values Default value Mandatory for
ments
Optional com-
mand line argu- Description Possible values Default value Mandatory for
ments
INFO,LOG_DE-
BUG
RHEL OS audit logs forwarding is managed on each EdenNet node independently. For example,
running the enet_audit_forwarding.sh script with enable flag on one node enables the
forwarding on that particular node only.
EdenNet application audit logs forwarding is managed centrally on Central App VM. The
enet_audit_forwarding.sh script with application flag can be invoked on Central App VM only.
root@EdenNet~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh os
enable --server syslog.example.com
OS audit log forwarding is re-configured OS audit log
forwarding is enabled
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Note: If EdenNet is installed in dual or standalone mode, the IPv6 server should be
enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT.
Expected outcome
Note:
• To forward RHEL OS audit logs from all the EdenNet nodes, the script must be invoked
on each EdenNet node.
• In EdenNet 16 SP3 it is not possible to specify the port number for the remote syslog
server. 514 is the default port of the remote syslog server. If the remote syslog server
is listening on a different port, the rsyslog configuration on each affected EdenNet node
must be changed manually. The affected nodes are all EdenNet virtual machines for OS
audit logs forwarding and Central App VM for application audit logs forwarding.
To change the port number, edit the
/etc/rsyslog.d/50_enet_audit_rsyslog_forwarding.conf file.
The port number is appended to the server address, after the colon:
For example,
Note: If remote server is IPv6 based, then the IP should be enclosed by square brack-
ets in the above lines. For example, :programname, isequal, "audispd"
@@[2a00:8a00:a000:4000::1234:abcd]:514
Note: If EdenNet is installed in dual or standalone mode, the IPV6 server should be
enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT.
Note:
To disable RHEL OS audit logs forwarding on all EdenNet nodes, the script must be in-
voked on each EdenNet node.
Expected outcome
Note:
If EdenNet is installed in dual or standalone mode, the IPV6 server should be enclosed in
square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT.
Note: In EdenNet 16 SP3 it is not possible to specify the port number for the remote
syslog server. 514 is the default port of the remote syslog server. If the remote syslog
server is listening on a different port, the rsyslog configuration on each affected EdenNet
node must be changed manually. The affected nodes are all EdenNet virtual machines
for OS audit logs forwarding and Central App VM for application audit logs forwarding.
/etc/rsyslog.d/50_enet_audit_rsyslog_forwarding.conf file.
The port number is appended to the server address, after the colon:
For example,
Note:
If remote server is IPv6 based, then the IP should be enclosed by square brackets
in the above lines. For example, :programname, isequal, "audispd"
@@[2a00:8a00:a000:4000::1234:abcd]:514
Expected outcome
Expected outcome
To re-configure (for example, change the server and transport protocol) RHEL OS audit logs forward-
ing, do the following:
Note:
• To re-configure RHEL OS audit logs forwarding on all EdenNet nodes, the script must
be invoked on each EdenNet node.
• If EdenNet is installed in dual or standalone mode, the IPV6 server should be
enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT.
Expected outcome
To re-configure (for example, change the server and transport protocol) EdenNet application audit logs
forwarding, do the following:
Note: If EdenNet is installed in dual or standalone mode, the IPV6 server should be
enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT.
Expected outcome
Note: In order to configure rsyslog with TLS, the rsyslog-gnutls RPM package must be
installed on all the EdenNet nodes.
Note: The client and server certificates must be signed by the same Certification Authority
(CA); at least if rsyslog is used at the server side. For other syslog servers, check Certificate
management overview.
The keys and certificates used for syslog forwarding with TLS are stored in /etc/rsyslog.d/enet/
rsyslog/certs/ directory on the respective EdenNet nodes.
Note:
• A separate private key and certificate must be generated for each EdenNet node where
syslog forwarding with Transport Layer Security (TLS) must be enabled.
• Signing of certificates by an external CA cannot be performed with a non-root user and
requires root access to execute the following operation:
–Deploying_certificates_to_rsyslog.sh script
1. Copy the private keys, certificates, and CA certificate to EdenNet GUI node and log in as root to
the same.
2. Deploy the private key, certificate, and CA certificate to one EdenNet node by entering:
where:
Note: If EdenNet is installed in dual or standalone mode, use IPv6 address else, use
IPv4 address.
[root@EdenNet ~]$/opt/nokia/certificate_mgmt/bin/deploy_certificate_
to_rsyslog.sh -ca_crt/tmp/ca_cert.crt -key /tmp/key.pem -crt /tmp/
cert.crt
Deploying certificates to local host.
Certificate and key files successfully deployed into rsyslog.
3. Repeat the above steps to deploy the keys and certificates to all EdenNet nodes where syslog
forwarding with TLS is enabled.
Expected outcome
where:
Note: If EdenNet is deployed in dual mode, both IPv4 and IPv6 addresses should be
given as IP1 and IP2.
3. Switch to root user and deploy the generated key, certificate, and CA certificate (/opt/nokia/
certificate_mgmt/ca_cert.crt) in the respective node:
where <EdenNet node> is the IPv4 or IPv6 address or name of the respective EdenNet node.
Note:
To deploy certificates locally, do not use -host parameter. For example, deploy certificates locally
by entering:
[...]
Certificate and key files successfully deployed into rsyslog.
4. Repeat the above steps for all the EdenNet nodes where syslog forwarding with Transport Layer
Security (TLS) must be enabled.
You can also use the certificate_management.sh script to generate a server certificate.
However, the deployment is out of scope. For more information, see Certificate generation.
Expected outcome
In an immutable mode, unauthorized users cannot execute changes to the audit system to hide
malicious activity and then revert the audit rules. Users may notice a system reboot and that could
alert administrators of an attempt to make unauthorized audit changes. After making the configuration
immutable, the audit rules cannot be modified with auditctl.
For example, if any user is trying to remove the immutable state of audit configuration by using
• EdenNet application user: User accounts with which users of the EdenNet GUI work.
• Linux OS user: The internal EdenNet accounts used to run EdenNet services and to perform
tasks in the Linux OS.
• Database user: User accounts that are used internally by MySQL, PostgreSQL, and Cassandra.
• Other user accounts, for example JBoss (used either internally by JBoss for management purpos-
es or by applications deployed on the server), Keycloak (used for Keycloak administration).
Table 9: Permissions of EdenNet application users describes the user types in EdenNet.
SON Module Executor SON Module Executors are granted all the privi-
leges of SON Monitor user. Additional privileges
granted to SON Module Executors are related to
script execution, such as:
SON Module Manager SON Module Managers are granted all the privi-
leges of SON Module Executors and SON Mon-
Table 10: Application user describes the users created during EdenNet installation.
To change the EdenNet application user password or to generate and re-generate secret keys, see the
About the EdenNet User and Administration Guide section in EdenNet User and Administration Guide.
Table 11: MySQL users describes the users created during EdenNet installation.
custom Randomly generated (20 charac- MySQL user for custom task ap-
ters) plication
enetbackup Randomly generated (20 charac- MySQL user for taking database
ters) backups
audit Randomly generated (20 charac- MySQL user for audit log ac-
ters) cess
zabbix Randomly generated (20 charac- MySQL user for Zabbix Monitor-
ters) ing System
Table 12: PostgreSQL users describes the PostgreSQL users created during EdenNet installation.
Table 13: Cassandra users describes the list of Cassandra users created during EdenNet installation.
Note: Changing the password of database users is currently not supported, because
passwords are stored in multiple places throughout EdenNet.
It is mandatory to provide a password while creating a new MySQL database user. The passwords of
the EdenNet database users must:
– For root user installation, the recommended special characters are: ! @ $ & * _ + = ?
– For non-root user installation, the sudoers file only supports @ and !
Note: Passwords for root, vson, and enetdbsecadmin users are set during installation. From
EdenNet 19A 2003 onwards, these passwords must adhere to the password policy men-
tioned above. The default passwords are already set according to this policy.
where:
Note: Ensure that the password entered complies to the password policy. For more infor-
mation, see Password policy for JBoss user.
Expected outcome
Virtual Ma- 1 2
User Group Login shell Has password Description
chine (VM)
Virtual Ma- 1 2
User Group Login shell Has password Description
chine (VM)
Virtual Ma- 1 2
User Group Login shell Has password Description
chine (VM)
Virtual Ma- 1 2
User Group Login shell Has password Description
chine (VM)
Virtual Ma- 1 2
User Group Login shell Has password Description
chine (VM)
Note:
1
If an account does not have login shell or has login shell set to /sbin/nologin, it is not
possible to log in to that account.
2
If an account does not have the password set, it is not possible to log in to that account us-
ing password. However, logging in to the system by other means is possible.
EdenNet Linux OS users' password must comply with the following requirements:
In EdenNet Linux OS, non-root users are temporarily locked out of the system after five incorrect pass-
word attempts and are denied access to log in.
Note: The root user account is permanently exempt from login failure checks.
For example, testuser is an EdenNet Linux OS user. After five unsuccessful login attempts
(because of wrong password), testuser will be locked out for five minutes. During this time period, if
another login attempt is made by testuser using the wrong password, then the lockout timer will be
reset to five minutes again.
Table 17: Permissions for EdenNet LDAP users describes the permissions provided for LDAP users.
Nokia recommends to set complex, long, and hard to guess passwords. Short and easy to guess
passwords or passwords based on dictionary words can be easily broken and are not recommended.
Note:
The autofill function in your browser must be disabled for passwords/credentials to prevent
the credentials from being cached by the browser and re-used.
Table 18: Passwords in inventoryfile describes the list of passwords that must be provided in the
inventoryfile.
Name Description
For more information on EdenNet default users and their passwords, see User and permission
management.
All SON modules are run as unprivileged Linux users (vson for Nokia SON modules and custom
for Adapted SON modules). This provides enough separation in most cases. If more separation is
needed, it is possible to set up separate task servers for running Nokia SON modules and Adapted
SON modules. This provides even more separation between EdenNet services, the execution
environment for Nokia SON modules, and the execution environment for Adapted SON modules.
For example:
firewalld_enabled = True
Note:
The inventoryfile variables where the public IP addresses and FQDNs can be provided are
defined in Table 19: inventoryfile variables.
Name Description
If the VMs support IPv6 and EdenNet is deployed in dual or standalone mode, then IPv6 address can
be used. If the VMs support IPv4 and EdenNet is deployed in standalone, IPv4 address can be used.
For more information about EdenNet certificates, see Certificate management overview section.
https://www.dell.com/support/security/en-in/?lwp=rt
Note: Users need to login using their Dell account and search with Avamar as the keyword
in the search bar to obtain the list of all the Dell Avamar related security vulnerabilities.
The EdenNet API is accessed by the Software Development Kit (SDK) during SON module develop-
ment.
Note: The goal is to expose port 9500 externally, for example, all external calls are authenti-
cated and encrypted (HTTPS). Port 9600, which allows unauthenticated calls, is closed and
is accessible only from within EdenNet.
Kong is used as an API Gateway. It is based on NGINX and offers many useful features like authenti-
cation, caching, logging, rate limiting, and so on. It is configured to listen on port 9500 and forward re-
quests to the 9600 internal port. It is also configured to authenticate requests using the JWT authenti-
cation plug in. The JWT signing algorithm is set to RS256 and the Keycloak public key is provided. It
uses Cassandra as back end storage. From EdenNet 1904 onwards, port 9600 is not exposed exter-
nally.
Authentication is implemented using OpenID connect and JSON web tokens. In order to use SDK to
develop and test SON modules, the user must generate the secret key. The secret key along with the
username must be configured in SDK. For more information, see the Overview of EdenNet SON Mod-
ule Development and Maintenance Guide. The SDK uses these credentials to acquire the access to-
ken, which is sent to the EdenNet API along with the requests. Although authentication is enabled by
default for all requests over the 9500 port, it can be disabled using a dedicated script.
To enable authentication for the EdenNet API over port 9500, do the following:
enet_security_toggle enabled
Expected outcome
To disable authentication for the EdenNet API over port 9500, do the following:
enet_security_toggle disabled
Expected outcome
An internal LDAP server is set up during EdenNet installation. It is also possible to integrate EdenNet
with an external LDAP server.
Note:
• External LDAP servers are not managed by EdenNet. Therefore, the customer must
maintain these servers.
• The user accounts of external LDAP servers are listed in the EdenNet UI, but the only
possible action for these accounts is to assign the EdenNet role to them.
• For more information on configuration of external LDAP servers, see Administration of
LDAP servers section in the EdenNet User and Administration Guide.
• The user accounts which belong to external LDAP servers can generate API secret for
SON module development using SDK. For more information on generating API secret,
see Generating and viewing API secret section in the EdenNet User and Administration
Guide.
A secure TLS connection can also be configured for external LDAP servers. Table 20: Configuration
attributes used for secure TLS connection for LDAP servers describes the additional configuration at-
tributes that are added to configure a secure TLS connection.
external LDAP
servers.
Table 20: Configuration attributes used for secure TLS connection for LDAP servers
For internal LDAP servers, the security attributes cannot be modified using the GUI. However,
customers can change the certificates using the certificate_management.sh. script.
For external LDAP servers, all the attributes described in Table 20: Configuration attributes used for
secure TLS connection for LDAP servers can be configured.
Customers can decide whether to use TLS or not. If Use TLS is set to Yes, the customer can use the
TLS connection as follows:
• If Validate Server Certificate is set to No, the customer can use the TLS connection
without validating the server certificate (while configuring the external LDAP server). In this case,
LDAP communication will be encrypted and secure but the server authentication will not be done.
• If Validate Server Certificate is set to Yes, the customer must upload the CA certificate
to use the TLS connection. For more information, see Naming conventions for CA certificates.
The certificate name must be less than 20 characters and it must contain only alphanumeric charac-
ters.
Underscore is the only special character that is allowed in the CA certificate file name.
The offline map server supports both http and https connectivity.
For https connectivity, the offline map server requires the SSL certificates and keys to communicate.
See the following sections if the connectivity between EdenNet and the offline map is via https:
/opt/nokia/certificate_mgmt
For example:
For example:
...............................+++
................................+++
-----
Signature ok
subject=/CN=offlinemap/C=FI/L=Espoo/ST=Finland/O=Nokia
Expected outcome
Offline map server SSL certificates and key files (offlinemap.crt, offlinemap.key) are
generated at the following directory path in the EdenNet GUI node:
/opt/nokia/certificate_mgmt
2. Copy the newly generated offlinemap.key and offlinemap.crt to the /tmp directory
location.
cd /tmp/offline_map_installer/file_bundle
4. Verify the offline_map_install.log file for the import SSL command results by entering:
tail -f /var/offline/logs/offline_map_install.log
Expected outcome
SSL certificates and keys are deployed in the offline map server.
For example:
12 System hardening
System hardening is done to prevent unauthorized access to the system which may lead to unavail-
ability of the system or leakage of confidential information. The following are examples of hardening
measures:
• User security
– Password change
– Removal of unneeded accounts
– Locking accounts
• Software security
From EdenNet 18 SP1 onwards, Operating System hardening settings are automated as part of post-
install and post-upgrade procedures.
Manual security hardening measures are required to modify/update the root and other user pass-
words, as explained in Changing <installation_user> password and Changing password of enet user.
2. Enter:
#/opt/nokia/hardening/bin/enet_enable_os_hardening.sh
Note: After enabling security hardening, you cannot log in to the system as root user
using ssh. You must log in as enet user and then enable root user.
/var/tmp/security_hardening_on.log
Expected outcome
Note: Nokia recommends that you limit the usage of root login.
root login must be disabled at all times except during system upgrade or system
maintenance (when it is used with the proper authorization).
2. Enable root for any troubleshooting or system administration purposes by entering the following
command from the /opt/nokia/hardening/bin/ directory (for root user):
sudo ./enet_upgrade_mode_on.sh
Note:
./enet_upgrade_mode_on.sh
3. Disable root after the troubleshooting or system administration tasks are completed by entering
the following command from the /opt/nokia/hardening/bin/ directory (for root user):
sudo ./enet_upgrade_mode_off.sh
Note:
./enet_upgrade_mode_off.sh
• Ensure that the security hardening script in the Executing security hardening script
section is executed before disabling root login.
Note: An inventory flag that allows IPv6 communication has been introduced. For more
information, see Enable IPv6 External communication.
Note:
Secpam has a set of utilities that can be used to further configure the security hardening parameters.
Table 21: secpam utilities describes the details of these utilities.
acctStat (Account State) This utility reports the state of all known man acctStat
accounts or list of accounts (separated by
a white-space) if arguments are not pro-
vided. Possible account states are:
• aged
• blocked
• OK
• locked
• simulate (too many simultaneous lo-
gins)
Audit Mgr (Audit Manager) Audit Mgr is used to control the settings of man AuditMgr
the Linux audit functionality. There is a de-
fault set of audits that are always enabled
along with additional sets of configurable
audits that Audit Mgr controls. To obtain
AuditSp (Audit Event The AuditSp plugin process is an audit man AuditSp
Spooler) event spooler. Audit events are generated
by the audit daemon and are forwarded to
the auditsp daemon. This audit daemon
plugin generates audit alarms as directed
by the /etc/security/alarm_thresh
configuration file.
CheckPass (Check Basic This utility uses the cracklib c library func- man CheckPass
Password Integrity) tion FascistCheck() to check the pass-
word candidates. It is used by the SEC-
pamLogModule.so PAM library as part
of the password verification function.
Comply (Verify File permis- The Comply utility is used to inspect file man Comply
sions) attributes (mode, owner, group) from pre-
defined reference sets. Any differences
from the references are reported and cor-
rected.
encpasswd (Automated en- This utility takes a password from stdin man encpasswd
crypted password genera- and returns an associated shadow hash.
tion) It can be used to assign a password to
a specific account by taking a password
from a pipe and generating the shadow
hash that is appropriate for the /etc/
shadow file. This value can be used as
the parameter to the usermod tool to up-
date the password field.
gen-audit (Generate Audit This utility is used to generate a set of au- man gen-audit
Rule Sets) dit filters that might vary based on the sys-
tem. It may be re-executed as needed (for
cases where the audit filter rules may be
changed over time, such as with package
updates that reorganize their file or direc-
tory structures).
/usr/sbin/scan-groups
if_list (Display Network In- This utility reports all the network inter- man if_list
terfaces) faces found on the host along with their
IP address and CIDR netmask. It is used
to generate the /etc/security/from_
same_subnet file during a secpam in-
stallation if the file does not already exist.
KillIdleSessions (Terminate This utility monitors the keyboard input for man KillIdleSessions
Idle Sessions) all active sessions. It is configured as a
KillIdleSessions (KIS) cron job for secpam
to run every five minutes.
last_login_day (Number of This utility is used to calculate and provide man last_login_day
days since last login) the number of days since a selected user
account was last accessed.
LockIdleAccounts (Lock This utility monitors the user account dor- man LockIdleAccounts
Idle Accounts) mancy (using the last_login_day utili-
ty). It is configured as a LockIdleAccounts
(LIA) cron job for secpam to run once a
day. The default monitoring settings (in
days) are defined in the /etc/securi-
ty/SECprofile file and are tunable us-
ing the /etc/default/passwd file.
rtmon_monitor (Monitor This utility is used to manage the actions man rtmon_monitor
routing table changes) for the rtmon systemd service to monitor
routing table changes. If the argument is
not present or is invalid, a usage or help
message will be generated, as follows:
scan-tools (Scanning utili- Scanning utilities that are available with man scan-tools
ties) secpam are:
• scan-groups
• scan-privileged
• scan-sticky
• scan-unowned
• scan-wwfiles
secpam.boot (Verify SSH This utility is used to verify that the ssh man secpam.boot
Daemon Security after first daemon has been secured (as defined by
boot) secpam-admin sshd) at the first boot af-
ter the installation of the secpam (/var/
log/secpam-boot.log file).
secpam.sh (secpam script This shell script is provided for the /etc/ man secpam.sh
for interactive system shell profile.d directory to be run by the /
startups) etc/profile for interactive shells (a
typical bash user shell). This script is pro-
vided during an interactive shell startup
and offers the following services:
sockprot (Socket protocol This utility provides the type of socket pro- man sockprot
used by a PID) tocol that is used by a Process ID (PID). It
determines if a specified PID is associat-
ed with a socket connection for secpam.
1. Log in as <installation_user>.
#passwd
Expected outcome
1. Log in as <installation_user>.
Expected outcome
For example:
For example:
“ rpm -e cas-0.15-1.el6.1.noarch”
“rpm -e python-paramiko-1.7.5-2.1.el6.noarch”
To set up the warning banner for standard log in services, do the following:
Banner /etc/issue.net
Expected outcome
The sshd service is restarted and the warning banner is set for the standard log in services.
• Audit logs:
The audit log is a document that records an event with all the database connection details when
both successful and unsuccessful logins are attempted. In addition to recording what was ac-
cessed in the database, audit log entries also include IP address details, timestamps, and user lo-
gin information. The objective of database audit logging is to ensure that database services and
instances are monitored continually for misused scenarios.
• MySQL slow logs:
The MySQL database server registers all queries that exceed a given threshold of execution time
in the MySQL slow query log. This log helps to identify which queries are the slowest and how of-
ten they are slow.
• General logs:
The general query log is a general record of what the MySQL Server is doing. The server writes
information to this log when clients connect or disconnect, and it logs each SQL statement re-
ceived from clients. The general query log can be useful when you suspect an error in a client and
need to know exactly what the client sent to the MySQL server.
Note: General logs are enabled in the Central DB in case of 5VM architecture and GUI
DB and Central DB in case of 8VM architecture.
/home/data/mysql/
• Audit and general logs are rotated every hour. By default, the first ten files are compressed, with
one log being active. When the 11th file is created, the oldest file is removed.
• MySQL slow query logs are rotated every day and the same rotation policy is applicable to these
logs.
From EdenNet 19A onwards, MySQL database server communications are over a secure Transport
Layer Security (TLS) connection, by default.
Communication between user browser and EdenNet is encrypted using Transport layer Security
(TLS).
EdenNet comes with its own Certification Authority (CA). The certificates used within EdenNet are by
default signed by this CA. It is also possible to upload and use custom certificates signed by an exter-
nal CA and is supported on external interfaces only. The CA certificate is available at https://<Eden-
Net-GUI>/ca_certificate.
The certificate is signed by EdenNet internal Certificate Authority (CA), which is created during instal-
lation. To establish a secure connection between the browser and EdenNet, the EdenNet CA certifi-
cate must be installed on the browser. This allows the browser to trust the certificate that EdenNet
shares while establishing a secure communication. The users can provide their own certificate as well.
The certificate_management.sh script is used to generate or renew the certificate for a service,
and to generate a Certificate Signing Request (CSR). This script for generating the CSR is available
only on GUI mode.
Usage of :
where:
• -app_name <service_name> parameter is mandatory and specifies the name of the service for
which the certificate will be generated.
• -ip <public IP address> is mandatory and specifies the IPv4 or IPv6 address.
• -fqdn <public FQDN> parameter is optional and specifies the Fully Qualified Domain name
(FQDN). IP address and FQDN are stored in the certificate as Subject Alternative Names (SAN).
Note:
• If -ip <public IP address> and -fqdn <public FQDN> parameters are not
specified, the values from the respective configuration file is used.
• If -ip2 and -fqdn2 are not specified, no default value is taken from configuration file.
• <public FQDN> is mandatory and must be provided either via command line or in a
configuration file.
• <public IP address> is optional and should be used only if the server has a public
(non-reserved) IP address.
• -days <validity_period> parameter is optional and specifies the certificate validity
period in days. If not specified, the default validity period of 10950 (30 years) is used.
• -ip2 <External IP Address> is optional and specifies the external IP when multi
IP scenario is present.
Nokia does not recommend the usage of reserved IP addresses in certificates. The list of reserved IP
addresses can be found at:
If a service is accessible via multiple names (FQDNs) and/or IP addresses, all of them should be
included in the certificate. To do this, all FQDNs and IP addresses must be added to the respective
configuration file (openssl_<service_name>.cnf) as DNS.<n> and IP.<n> attributes in
[alt_names] section.
For example:
[ alt_names ]
# DNS.1 is to be given as the server's FQDN
# IP.1 is to be given as the server's IP
# multiple servers can be given by adding
After the certificate is generated, it is deployed to the respective service by using /opt/nokia/
certificate_mgmt/bin/deploy_certificate_to_<service_name>.sh script. For more
information on deploying and regenerating certificates, see EdenNet CA certificates.
Some of the certificate details can be provided as command line arguments. All the other parameters
can be set in the respective configuration file openssl_<service_name>.cnf.
where:
• -app_name <service_name> parameter is mandatory and specifies the name of the service for
which the CSR will be generated.
• -ip <public IP address> is mandatory and specifies the IP address
• -fqdn <public FQDN> parameter is optional and specifies the Fully Qualified Domain name
(FQDN). IP address and FQDN will be stored in the certificate as Subject Alternative Names
(SAN).
Note:
– If -ip <public IP address> and -fqdn <public FQDN> parameters are not
specified, the values from the respective configuration file will be used.
– <public FQDN> must be provided either via command line or in a configuration file.
– <public IP address> is optional and should be used only if the server has a
public (non-reserved) IP address.
– If -ip2 and -fqdn2 are not specified, no default value is taken from configuration
file.
Nokia does not recommend the usage of reserved IP addresses in certificates. The list of reserved IP
addresses can be found at:
Note:
For example:
[ alt_names ]
# DNS.1 is to be given as the server's FQDN
# IP.1 is to be given as the server's IP
# multiple servers can be given by adding
# DNS.2, IP.2, DNS.3, IP.3, ...
# DNS.1 = <1stFQDN>
# IP.1 = <1stIP>
IP.1 = 10.10.10.10
DNS.1 = server.com
IP.2 = fe80::b11e:3387:5b3f:95dc
DNS.2 = server_alias.com
The generated CSR can be used to acquire a signed certificate from CA. The certificate can
be deployed to the respective service by using /opt/nokia/certificate_mgmt/bin/
deploy_certificate_to_<service_name>.sh script.
The support for custom certificate is introduced only for external interfaces and services as listed be-
low:
• nginx
• kong
• ldap
To use the custom certificate in EdenNet for nginx service (for example, signed by an official Certifica-
tion Authority):
Note: IP2 and FQDN2 are optional. These should be filled if IPv6 or IPv4 IPs other than
IP1 is to be added to certificate.
This command generates the private key (nginx.key) and CSR (nginx.csr.pem).
4. Use the CSR to acquire the certificate from Certification Authority (CA).
5. Upload the certificate to GUI node where nginx service is installed. For example, to path /tmp.
6. Deploy nginx.crt:
a) Log in as <installation_user> to the EdenNet GUI node.
b) Navigate to /opt/nokia/certificate_mgmt directory.
c) Deploy the certificate or certificate chain to nginx server by entering:
Expected outcome
The certificate or certificate chain is deployed successfully and a successful secure connection can be
established using these custom certificates.
Sample output
Note: To verify if the custom certificate is applied successfully for nginx service, install
EdenNet CA certificate in browser. For more information, see EdenNet CA certificate
installation on browser.
To use the custom certificate in EdenNet for kong service (for example, signed by an official Certifica-
tion Authority):
Note: IP2 and FQDN2 are optional. These should be filled if IPv6 or IPv4 IPs other than
IP1 is to be added to certificate.
This command generates the private key kong.key and CSR kong.csr.pem.
4. Use the CSR to acquire the certificate from Certification Authority (CA).
5. Upload the certificate to Central App VM where kong service is installed. For example, to the path
/tmp.
6. Deploy kong.crt.
a) Log in as installation_user to the Central App node.
b) Navigate to /opt/nokia/certificate_mgmt directory.
c) Deploy the certificate or certificate chain to kong server by entering:
Expected outcome
The certificate or certificate chain is deployed successfully and a successful secure connection can be
established using these custom certificates.
Sample output
Note: To verify if the custom certificate is deployed successfully for kong service, execute the
following in Central App VM:
The certificate information in the output shows the kong certificate signed by the external CA
authority.
To use the custom certificate in EdenNet for LDAP service (for example, signed by an official
Certification Authority):
1. Create the Certificate Signing Request with IP field mandatory in Subject Alternative Names
(SAN). For more information, see Custom certificate.
2. Once the custom certificate is received, deploy the certificate to the central database server.
3. Store the server certificate and private key (generated during the CSR process) in the /etc/
dirsrv/slapd-edennet/ folder in the central database server.
4. Append intermediate and root certificates and store it as ca_cert.crt in the /etc/dirsrv/
slapd-edennet/ folder.
Note: The file name must not be changed and must be retained as ca_cert.crt.
Note:
It is not mandatory to provide the absolute path of certificate and key files.
Expected outcome
The certificate or certificate chain is deployed successfully and a successful secure connection can be
established using these custom certificates.
Deploying certificates.
Certificate and key files are deployed into LDAP successfully.
Changing permissions.
The most important aspect during the installation of EdenNet certificate in the browser is to get the
certificate that is not tampered, onto the machine where the browser is installed. There are mainly two
ways to do this:
• Use a secure communication channel, for example USB stick, e-mail with signature or provide the
certificate on a trusted server using HTTPS secured by an already known and a trusted certificate.
• Download the CA certificate from EdenNet and verify its fingerprint. The CA certificate can be
downloaded from https://<EdenNet-GUI>/ca_certificate. The certificate's fingerprint must be
compared with the one retrieved through the secure channel, or taken directly from the EdenNet
server.
Note:
• The fingerprint of the certificate is displayed by the browser before the import is complet-
ed. On the server side, the fingerprint can be calculated using the following command on
App node (the node where nginx is installed):
Prerequisites
• Ensure that you have the SHA1 fingerprint provided through the safe communication channel. For
more information, see EdenNet CA certificate installation on browser.
Note: The steps may change based on the Firefox version you have installed.
4. Click Import.
6. Click View.
7. Compare the SHA1 fingerprint on the EdenNet certificate with the one provided through the safe
communication channel.
Expected outcome
Note: There is no warning shown for EdenNet certificate whenever Firefox browser is used
to establish a secure connection with EdenNet after successful installation of EdenNet CA
certificate in Firefox.
Prerequisites
• Ensure that you have the SHA1 fingerprint provided through the safe communication channel. For
more information, see EdenNet CA certificate installation on browser.
Note: The steps may change based on the Chrome version you have installed.
4. Click Browse... to select the EdenNet Certification Authority (CA) certificate to be imported and
click Next.
5. Check that the selected certificate store is Trusted Root Certification Authorities and click Next.
6. Click Finish.
You get a security warning stating the name of the certificate - EdenNet CA - and the
Thumbprint (sha1)
7. Compare the SHA1 fingerprint (thumbprint) with the one provided through the safe communication
channel. Abort the import by clicking No, if they differ.
Expected outcome
Note: IP2 and FQDN2 are optional. These should be filled if IPv6 or IPv4 IPs other than
IP1 is added to certificate.
This command generates the private key (nginx.key) and certificate (nginx.crt) that is valid
for 1 year (365 days).
Expected outcome
14 Security Events
All the recorded security events are available in Administration → Security Events tab.
Note:
• Only users in Administrator group can access the Security Events tab.
• Security relevant events like create or delete user are logged with the user's host
IP address, except for events related to START_MODULE, STOP_MODULE, and
IDLE_MODULE (These internal events do not contain the HostIP of the user).
Table 22: Security events describes all events available under Security Events tab.
Event Property
Event Name The name of the event that identifies the opera-
tion.
Event Property
Note:
The events in the Security Events tab can be sorted and filtered based on time range as well as
based on any of the properties mentioned in Table 22: Security events.
cfg
13) scriptInterlock
14) scriptPlanMapperApp
15) security_event_logging_app
16) sonConfigApp
17) sonExclusionApp
18) sonKpi
19) son_api_app
20) son_app_manager_app
21) sonpm
22) tier
23) tmoCellPlanUpdate
24) tomcat
25) user_manager
cfg>
cfg> s
0) UIDGenerationService
1) antennaPlanService
2) auth_api_service
3) auth_service
4) cellPlanService
5) cellPlanUpdateService
6) cells_service
7) clusterService
8) cm_redis_service
9) cronApp
10) emailService
11) emsValidation
12) enb_autoplanning_manager_service
13) error_classifier_service
14) escriptService
15) evaluateService
16) eventLoggingService
17) ggc
18) kpi_redis_service
19) ldap
20) license_manager
21) module_commanding_service
22) nadcPushApp
23) ossPushService
24) oss_manager_service
25) pexrepo
26) plan_provisioning
27) polygonService
28) regionInterface
29) regionService
30) ret_mapping_service
31) scriptConfigService
32) scriptInterlockService
33) scriptPlanMapperService
34) scriptStorageService
35) security_event_logging_service
36) sonConfigService
37) sonExclusionService
38) sonKpi
39) son_app_manager_service
40) son_nbi_service
41) son_reporting_service
42) syslog_forwarding_service
43) task_manager
44) task_mon
45) tier_service
46) user_manager_service
4. Find the security_event_logging_service service on the list and note the index.
cfg> s <service_index>
For example:
cfg> s 35
This opens the service configuration file in the default editor (for example, vim).
6. Modify prune_day to the desired value and save the changes by typing wq in the vim editor.
[params]
max_log_age_on_disk_days = 3
api_path = " /security_event_ db log"
prune_day = 90
event_db_commit_rate_seconds = 5
max_event_log_size_mb = 10
security_event_log_dir = "~/log/logging"
cfg> q
Note:
Expected outcome
The security_event_logging_app is restarted and the retention period for security events is
configured successfully.
• Source: The machine that wants to begin communication and the port it wants to use.
• Destination: The machine with which the source wants to communicate and the port it wants to
use.
• Protocols: The protocols are:
Note: Firewall rules are applicable for both IPv4 and IPv6.
Table 23: Ports opened externally on application server VMs lists ports opened externally (access from
outside of EdenNet should be allowed) on Application Server VMs.
SON API
clients
SDK clients Ephemeral Central VM 9500 HTTPS TCP kong API Gate-
Server way for
SON Mod-
ule develop-
ment
GUI Server Ephemeral All NetAct 9999 HTTPS TCP IHS Used by
(SOAP) ASC for CM
WAS nodes
persistency
queries
GUI Server Ephemeral All NetAct 443 HTTPS TCP IHS Used by
(SOAP, ASC for CM
WAS nodes
REST) NMS API,
FM NMS
API and KPI
client ser-
vices
All NetAct Ephemeral GUI Server 8080 HTTP TCP tomcat CM Web
WAS nodes (SOAP) Service no-
tification
GUI server Ephemeral SMTP serv- 587 SMTP TCP mail server
er
GUI Server Ephemeral External 389 LDAP TCP LDAP Only if ex-
LDAP server ternal LDAP
server is in-
server
tegrated.
Port can be
different,
depend-
ing on the
LDAP inte-
gration con-
figuration.
GUI Server Ephemeral Offline Map 443 HTTPS TCP offlinemap Only if Of-
Server fline Map
Server is in-
tegrated.
Port can be
different,
depending
on the Of-
fline Map
integration
configura-
tion.
GUI Server Ephemeral Offline Map 80 HTTP TCP offlinemap Only if Of-
Server fline Map
Server is in-
tegrated.
Port can be
different,
depending
on the Of-
fline Map
integration
configura-
tion.
Table 24: Ports opened internally on application server VMs lists ports opened internally (access from
outside of EdenNet should not be allowed) on Application Server VMs.
Applica- Transport
Source Source Destination Destina- Destination Com-
tion layer layer pro-
system port system tion port service ments
protocol tocol
Applica- Transport
Source Source Destination Destina- Destination Com-
tion layer layer pro-
system port system tion port service ments
protocol tocol
GUI Server Ephemeral Central VM 9601 HTTP TCP SON NBI Cells
Server Service (Spring
boot app)
GUI Server Ephemeral GUI Server 9602 HTTP TCP SON NBI Mod-
ule Command-
ing (Spring
boot app)
Applica- Transport
Source Source Destination Destina- Destination Com-
tion layer layer pro-
system port system tion port service ments
protocol tocol
Task Ephemeral GUI Server 111 portmap TCP rpcbind For NFS
servers
Task Ephemeral GUI Server 111 portmap UDP rpcbind For NFS
servers
localhost Ephemeral Task Server 111 portmap TCP rpcbind For NFS
localhost Ephemeral Task Server 111 portmap UDP rpcbind For NFS
Task Ephemeral GUI Server 662 NSM TCP rpc.statd For NFS
servers
Task Ephemeral GUI Server 662 NSM UDP rpc.statd For NFS
servers
Applica- Transport
Source Source Destination Destina- Destination Com-
tion layer layer pro-
system port system tion port service ments
protocol tocol
Task Ephemeral GUI Server 875 rquota TCP rpc.rquotad For NFS
servers
Task Ephemeral GUI Server 875 rquota UDP rpc.rquotad For NFS
servers
Task Ephemeral GUI Server 892 NFS TCP rpc.mountd For NFS
servers MOUNT
Task Ephemeral GUI Server 892 NFS UDP rpc.mountd For NFS
servers MOUNT
Task Ephemeral GUI Server 2049 NFS TCP nfsd For NFS
servers
Task Ephemeral GUI Server 2049 NFS UDP nfsd For NFS
servers
Task Ephemeral GUI Server 32803 KLM TCP lockd For NFS
servers
Task Ephemeral GUI Server 32769 KLM UDP lockd For NFS
servers
Task Server Ephemeral Spark Pri- 8090 spark TCP spark_job_ For sub-
mary VM server mitting
spark
jobs
Applica- Transport
Source Source Destination Destina- Destination Com-
tion layer layer pro-
system port system tion port service ments
protocol tocol
GUI Server Ephemeral Central VM 8901 HTTPS TCP kong Kong ad-
Server min API
KPI Suppli- Ephemeral Central VM 8901 HTTPS TCP kong Kong ad-
er Server Server min API
All EdenNet Ephemeral Central Re- 8200 HTTPS TCP Vault Vault API
servers gion App
VM Server
All EdenNet Ephemeral Central Re- 8201 HTTPS TCP Vault Vault
servers gion App cluster
VM Server port
All EdenNet Ephemeral Central Re- 8888 Raw TCP CSKM CSKM
servers gion App Vault
VM Server Cluster
service
Table 25: Ports opened externally on database VMs lists the ports opened externally (access from out-
side of EdenNet should be allowed) on Database VMs.
All Data- Ephemeral External 514 syslog TCP syslog External syslog
base VMs syslog forwarding is dis-
abled by default.
server
The Transport
layer Security
(TLS) encryption
is configurable.
All Data- Ephemeral External 514 syslog UDP syslog External syslog
base VMs syslog forwarding is dis-
abled by default.
server
Table 26: Ports opened internally on database VMs lists the ports opened internally (access from out-
side of EdenNet should not be allowed) on Database VMs.
Central DB Ephemeral Central DB 7000 Cassandra TCP cassandra Not used, cannot
VM VM inter-node be disabled thus
communi- limited to local-
cation host
Central DB Ephemeral Central DB 7199 JMX TCP cassandra Not used, cannot
VM VM be disabled thus
limited to local-
host
Server
Table 28: Ports opened internally on FM Service node lists the ports opened internally (access from
outside of EdenNet should not be allowed) on FM Service nodes.
15.1.4 FM DB nodes
Table 29: Ports opened externally on FM DB nodes lists the ports opened externally (access from out-
side of EdenNet should be allowed) on FM DB nodes.
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
Table 30: Ports opened internally on FM DB nodes lists the ports opened internally (access from out-
side of EdenNet should not be allowed) on FM DB nodes.
Applica-
tion layer Transport Destina-
Source sys- Destination Destination
Source port protocol layer proto- tion service
tem system port
tion col na-
Table 32: Ports opened internally on Workflow engine nodes lists ports opened internally (access from
outside of EdenNet should not be allowed) on Workflow Engine nodes.
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
Table 34: Ports opened internally on Spark Primary node lists ports opened internally (access from
outside of EdenNet should not be allowed) on Spark Primary node.
Spark Se- Ephemeral Spark Pri- 8100 spark TCP spark_pri- For spark appli-
condary mary VM mary cation driver
VMs
Spark Se- Ephemeral Spark Pri- 8101 spark TCP spark_pri- For spark block
condary mary VM mary manager
VMs
Spark Se- Ephemeral Spark Pri- 8200 spark TCP spark_job_ For job server
condary mary VM server driver
VMs
Spark Se- Ephemeral Spark Pri- 8201 spark TCP spark_job_ For job server
condary mary VM server block manager
VMs
Task Ephemeral Spark Pri- 8090 spark TCP spark_job_ For submitting
servers mary VM server spark jobs
Spark Se- Ephemeral Spark Pri- 111 portmap TCP rpcbind For NFS
condary mary VM
VMs
Spark Se- Ephemeral Spark Pri- 111 portmap UDP rpcbind For NFS
condary mary VM
VMs
Spark Se- Ephemeral Spark Pri- 892 NFS TCP rpc.mountd For NFS
condary mary VM MOUNT
VMs
Spark Se- Ephemeral Spark Pri- 892 NFS UDP rpc.mountd For NFS
condary mary VM MOUNT
VMs
Spark Se- Ephemeral Spark Pri- 2049 NFS TCP nfsd For NFS
condary mary VM
VMs
Spark Se- Ephemeral Spark Pri- 2049 NFS UDP nfsd For NFS
condary mary VM
VMs
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
Table 36: Ports opened internally on Spark Secondary nodes lists the ports opened internally (access
from outside of EdenNet should not be allowed) on Spark Secondary nodes.
Spark Se- Ephemeral All Spark 8101-8126 spark TCP spark_sec- For Spark Se-
condary Secondary ondary condary block
VM VMs manager
Spark Se- Ephemeral All Spark 8201-8220 spark TCP spark_sec- For Spark Se-
condary Secondary ondary condary block
VM VMs manager
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
Table 38: Ports opened internally on Cassandra DB Server nodes lists the ports opened internally (ac-
cess from outside of EdenNet should not be allowed) on Cassandra DB Server nodes.
All Spark Ephemeral Cassandra 7000 Cassandra TCP Cassandra For Cassandra
Secondary DB Server Storage intra-cluster com-
VMs VM munication
All Spark Ephemeral Cassandra 9042 Cassandra TCP Cassandra For Cassandra
Seconary DB Server CQL native transport
VMs VM
Crowd Cell Ephemeral Crowd Cell 5683 CoAP UDP lwm2m_ Machine to Ma-
Controller device mediation chine communi-
VM cation with de-
vices
Table 40: Ports opened internally on CCC nodes lists ports opened internally (access from inside
EdenNet should be allowed) on CCC nodes.
Crowd Cell Ephemeral Crowd Cell 9160 Thrift TCP cassandra Cassandra client
Controller Controller port (Thrift)
VM VMs
Crowd Cell Ephemeral Crowd Cell 8000 HTTP TCP http Generic IoT serv-
Controller Controller er used by Eden-
VM Node- Net
LWM2M
Mediation
server
Application Ephemeral Crowd Cell 8084 HTTP TCP http CCC service
server VMs Controller used by EdenNet
Node- modules
lwm2m_
service
Crowd Cell Ephemeral Crowd Cell 9042 Cassandra TCP cassandra CQL native
Controller Controller CQL clients port
VM VMs
Configu-
ration files
containing
planned
changes
are down-
loaded
to U2000
whenever
changes
are activat-
ed. These
files range
from a few
kB to MB
depend-
ing on the
number of
changes.
Configu-
ration files
containing
planned
changes
are down-
loaded
to the Er-
icsson
OSS-RC
whenever
changes
are activat-
ed. These
files range
from a few
kB to MB
depend-
ing on the
number of
changes.
Configu-
ration files
containing
planned
changes
are down-
loaded to
the Erics-
son ENM
whenever
changes
are activat-
ed. These
files range
from a few
kB to MB
depend-
ing on the
number of
changes.
NetAct
sends CM
change
events to
AC every
30 seconds
(if any). The
event file
size ranges
from a few
kB to MB
depend-
ing on the
number of
changes.
might fetch
a few hun-
dred MB of
data from
the AC Ap-
plication
server VMs.
Table 42: AC Application node (ports opened internally) lists ports opened internally (access from out-
side of EdenNet should not be allowed) on AC Application node.
Table 44: AC Database Node (ports opened internally) lists the ports opened internally (access from
outside of EdenNet should be allowed) on AC Database node.
Table 46: Ports opened internally on Selfmon nodes lists the ports opened internally (access from out-
side of EdenNet should not be allowed) on Selfmon nodes.
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
vSphere Ephemeral AVE 7543 HTTPS TCP AVE server AVE appliance
Web Client management.
Tomcat serv-
er redirects the
packets to AVE
appliance on
7543 port
AVE Node 123 NTP Serv- 123 NTP UDP ntpd NTP
er
Table 48: Ports opened internally on AVE nodes lists the ports opened internally (access from outside
of EdenNet should not be allowed) on Avamar Enterprise Edition (AVE) nodes.
vSphere Ephemeral vCenter 443 HTTPS TCP vCenter The default port
Web Client Server that the vCen-
ter Server sys-
tem uses to lis-
ten for connec-
tions from the
vSphere Client.
AVE Node Ephemeral vCenter 902 Heartbeat TCP vCenter Managed hosts
Server send a regular
heartbeat over
UDP port 902
to the vCenter
Server system.
AVE Node Ephemeral vCenter 7444 HTTPS TCP vCenter vCenter Single
Server Sign On HTTPS
Note: For the additional data ports that are required, see the Avamar reference documents
section in the EdenNet Backup and Restore document.
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
Table 50: Ports opened internally on Control Server (Installation Server) lists the ports opened internal-
ly (access from outside of EdenNet should not be allowed) on Control Server.
Control Ephemeral All Eden- 22 SSH TCP sshd SSH is used for
server Net servers installation
Control Ephemeral All Data- 3306 mysql TCP mysqld To access the
server base VMs databases for
verifying the in-
stallation (not re-
quired during in-
stallation)
Note: The Fast Asynchronous MML Engine (FAME) Virtual Machine (VM) is deployed in
NetAct virtual infrastructure, so the configuration of the firewall protecting NetAct must be ad-
justed.
Table 51: Ports opened externally on FAME node lists the ports opened externally (access from out-
side of NetAct should be allowed) on FAME node.
Application Transport
Source sys- Destination Destination Destination
Source port layer proto- layer proto-
tem system port service
col col
Table 52: Ports opened internally on FAME node lists the ports opened internally (access from outside
of NetAct should not be allowed) on FAME node.
Application Transport
Source Source Destination Destination Destination
layer proto- layer proto- Comments
system port system port service
col col
Application Transport
Source Source Destination Destination Destination
layer proto- layer proto- Comments
system port system port service
col col
16 Appendix
This section details the known issues regarding EdenNet security, and explains the reasons for not fix-
ing these.
• In the MySQL configuration, the local_infile option is set to ON. The EdenNet security vulner-
ability scanners have reported this issue as a security vulnerability of MEDIUM severity.
However, setting local_infile to OFF results in functionality issues for EdenNet. Hence, this
security vulnerability will not be fixed.
• In the MySQL configuration, the STRICT_ALL_TABLES option is set to OFF. The EdenNet securi-
ty vulnerability scanners have reported this issue as a security vulnerability.
• It is found in some security audits that X11 related RPMs are installed in EdenNet. The security
audit recommendation is to remove these RPMs.
Note: The audit tools find X11 RPMs that are related to fonts, and these are dependen-
cies for OpenJDK 1.8. Hence, these RPMs cannot be removed, and relevant audit find-
ing is a false-positive as these RPMs do not have any security related impacts.