
EdenNet 21 FP 2106

Security Management
DN09231593
Issue: 1-3
Security Management DN09231593 1-3 Disclaimer

The information in this document applies solely to the hardware/software product (“Product”) specified herein, and only as specified herein.

This document is intended for use by Nokia's customers (“You”) only, and it may not be used except for the purposes defined in the agreement
between You and Nokia (“Agreement”) under which this document is distributed. No part of this document may be used, copied, reproduced,
modified or transmitted in any form or means without the prior written permission of Nokia. If you have not entered into an Agreement
applicable to the Product, or if that Agreement has expired or has been terminated, You may not use this document in any manner and You
are obliged to return it to Nokia and destroy or delete any copies thereof.

The document has been prepared to be used by professional and properly trained personnel, and You assume full responsibility when using
it. Nokia welcomes Your comments as part of the process of continuous development and improvement of the documentation.

This document and its contents are provided as a convenience to You. Any information or statements concerning the suitability, capacity,
fitness for purpose or performance of the Product are given solely on an “as is” and “as available” basis in this document, and Nokia reserves
the right to change any such information and statements without notice. Nokia has made all reasonable efforts to ensure that the content of
this document is adequate and free of material errors and omissions, and Nokia will correct errors that You identify in this document. But,
Nokia's total liability for any errors in the document is strictly limited to the correction of such error(s). Nokia does not warrant that the use of
the software in the Product will be uninterrupted or error-free.

NO WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF AVAILABILITY,
ACCURACY, RELIABILITY, TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, IS MADE IN
RELATION TO THE CONTENT OF THIS DOCUMENT. IN NO EVENT WILL NOKIA BE LIABLE FOR ANY DAMAGES, INCLUDING BUT NOT
LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS
OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA THAT MAY ARISE FROM THE USE OF THIS
DOCUMENT OR THE INFORMATION IN IT, EVEN IN THE CASE OF ERRORS IN OR OMISSIONS FROM THIS DOCUMENT OR ITS CONTENT.

This document is Nokia's proprietary and confidential information, which may not be distributed or disclosed to any third parties without the
prior written consent of Nokia.

Nokia is a registered trademark of Nokia Corporation. Other product names mentioned in this document may be trademarks of their
respective owners, and they are mentioned for identification purposes only.

Copyright © 2021 Nokia. All rights reserved.

Important Notice on Product Safety


This product may present safety risks due to laser, electricity, heat, and other sources of danger.
Only trained and qualified personnel may install, operate, maintain or otherwise handle this product and only after having carefully read the
safety information applicable to this product.
The safety information is provided in the Safety Information section in the “Legal, Safety and Environmental Information” part of this
document or documentation set.

Nokia is continually striving to reduce the adverse environmental effects of its products and services. We would like to encourage you
as our customers and users to join us in working towards a cleaner, safer environment. Please recycle product packaging and follow the
recommendations for power use and proper disposal of our products and their components.
If you should have questions regarding our Environmental Policy or any of the environmental services we offer, please contact us at Nokia for
any additional information.

Contents
1 Summary of changes...................................................................................................................................... 6

2 Introduction to security management......................................................................................................... 14

3 EdenNet passwords...................................................................................................................................... 15

4 Security updates............................................................................................................................................16

5 Generating sudoers file................................................................................................................................ 17

6 Security supervision..................................................................................................................................... 18
6.1 Enable IPv6 External communication..................................................................................................... 19
6.2 Force Regenerating Certificates and API Secret....................................................................................19
6.3 Security supervision on the Linux OS level............................................................................................20
6.4 Log files................................................................................................................................................... 22
6.5 Security supervision on EdenNet application level.................................................................................22
6.6 EdenNet audit logs..................................................................................................................................23
6.6.1 Syslog forwarding........................................................................................................................... 23
6.6.1.1 Enabling RHEL OS audit log forwarding............................................................................... 25
6.6.1.2 Disabling RHEL OS audit log forwarding...............................................................................27
6.6.1.3 Enabling EdenNet application audit log forwarding............................................................... 27
6.6.1.4 Disabling EdenNet application audit log forwarding...............................................................28
6.6.1.5 Reconfiguring RHEL OS audit logs forwarding......................................................................29
6.6.1.6 Reconfiguring EdenNet application audit logs forwarding......................................................30
6.6.2 Transport layer security (TLS)........................................................................................................ 30
6.6.2.1 Transport layer security certificates....................................................................................... 30
6.6.2.1.1 Signing of certificates by external CA........................................................................... 31
6.6.2.1.2 Signing of certificates by internal CA............................................................................ 32
6.6.3 Audit configuration.......................................................................................................................... 34

7 User and permission management............................................................................................................. 35


7.1 EdenNet application user........................................................................................................................35
7.1.1 Password policy for application user..............................................................................................37
7.2 Database users....................................................................................................................................... 37
7.2.1 Password policy for database users.............................................................................................. 38
7.3 JBoss user...............................................................................................................................................39
7.3.1 Password policy for JBoss user..................................................................................................... 39
7.3.2 Creating JBoss user....................................................................................................................... 39
7.4 Keycloak users........................................................................................................................................ 40
7.5 Linux OS users....................................................................................................................................... 40
7.5.1 Password policy for Linux OS users.............................................................................................. 44
7.5.2 Account lockout for incorrect password attempts...........................................................................44
7.5.3 Account lockout time for failed password attempts........................................................................44

EdenNet 21 FP 2106 © 2021 Nokia 3



7.6 LDAP users............................................................................................................................................. 45

8 Security considerations for EdenNet installation...................................................................................... 46


8.1 Password requirements for EdenNet......................................................................................................46
8.2 Task servers............................................................................................................................................ 47
8.3 firewalld_enabled parameter................................................................................................................... 47
8.4 EdenNet certificates................................................................................................................................ 47
8.5 Virtualization security.............................................................................................................................. 48
8.6 Backup and restore security................................................................................................................... 49

9 EdenNet API security.................................................................................................................................... 50


9.1 Enabling EdenNet API authentication.....................................................................................................50
9.2 Disabling EdenNet API authentication....................................................................................................51

10 Management of LDAP servers................................................................................................................... 52


10.1 Management of secure directory server communications.................................................................... 52
10.1.1 Naming conventions for CA certificates....................................................................................... 53

11 Administration of offline map server........................................................................................................ 54


11.1 Generating or renewing SSL certificates and keys...............................................................................54
11.2 Deploying certificates and keys in the offline map server.................................................................... 55
11.3 SSL certificate expiry verification.......................................................................................................... 56

12 System hardening........................................................................................................................................57
12.1 Operating system hardening.................................................................................................................57
12.1.1 Executing security hardening script..............................................................................................57
12.1.2 Enabling or disabling root login.................................................................................................... 58
12.1.3 Hardening assets included in EdenNet........................................................................................ 58
12.1.4 Changing <installation_user> password.......................................................................................65
12.1.5 Changing password of enet user................................................................................................. 66
12.1.6 Configuring removal of unused packages.................................................................................... 66
12.1.7 Setting warning banner for standard log in services.................................................................... 66
12.2 Database hardening.............................................................................................................................. 67
12.2.1 Database logs............................................................................................................................... 68
12.2.2 Log rotation policy........................................................................................................................ 68
12.2.3 Management of secure database server communications...........................................................68
12.3 Web services hardening....................................................................................................................... 69

13 Certificate management overview............................................................................................................. 70


13.1 Certificate management........................................................................................................................ 70
13.2 Certificate generation............................................................................................................................ 70
13.3 Custom certificate..................................................................................................................................72
13.3.1 Using a custom certificate............................................................................................................ 73
13.3.1.1 Configuring custom certificate for Nginx.............................................................................. 74
13.3.1.2 Configuring custom certificate for Kong............................................................................... 75
13.3.1.3 Configuring custom certificate for LDAP server................................................................... 76


13.4 EdenNet CA certificates........................................................................................................................77


13.4.1 EdenNet CA certificate installation on browser............................................................................ 78
13.4.1.1 Installing EdenNet CA certificate in Firefox......................................................................... 78
13.4.1.2 Installing EdenNet CA certificate in Chrome........................................................................79
13.4.2 Renewing EdenNet certificate...................................................................................................... 80

14 Security Events............................................................................................................................................82
14.1 Configuring retention period for security events................................................................................... 83

15 Security policy for firewalls....................................................................................................................... 87


15.1 Firewall rules......................................................................................................................................... 87
15.1.1 Application Server Virtual Machines (VMs).................................................................................. 87
15.1.2 Database VMs.............................................................................................................................. 95
15.1.3 FM Service nodes.........................................................................................................................97
15.1.4 FM DB nodes................................................................................................................................98
15.1.5 Workflow engine nodes................................................................................................................ 99
15.1.6 Spark Primary nodes.................................................................................................................. 101
15.1.7 Spark Secondary nodes............................................................................................................. 103
15.1.8 Cassandra DB Server nodes......................................................................................................104
15.1.9 Crowd Cell Controller nodes...................................................................................................... 104
15.1.10 AC Application node................................................................................................................. 105
15.1.11 AC Database node................................................................................................................... 112
15.1.12 Selfmon node............................................................................................................................113
15.1.13 Backup and Restore: Avamar Enterprise Edition (AVE)...........................................................114
15.1.14 Control Server (Installation Server).......................................................................................... 116
15.1.15 FAME node............................................................................................................................... 116

16 Appendix.....................................................................................................................................................119


1 Summary of changes

Release               Change description

EdenNet 21 FP 2106    Added sections:
                      • Configuring custom certificate for Nginx
                      • Configuring custom certificate for Kong
                      Updated sections:
                      • Management of LDAP servers: Note is updated.
                      • Certificate management
                      • Certificate generation
                      • Using a custom certificate

EdenNet 21 FP 2105    Added section:
                      • Configuring custom certificate for LDAP server
                      Updated section:
                      • Syslog forwarding: Note is updated.

EdenNet 21 FP 2104    No change.

EdenNet 21 FP 2103    Updated section:
                      • Custom certificate

EdenNet 21            Added sections:
                      • Enabling IPv6 External communication (IPv4 EdenNet)
                      • Enabling IPv6 Internal Communication (Dual Mode)
                      • Enabling IPv6 Internal Communication (Standalone)
                      Updated sections:
                      • Enable IPv6 External communication
                      • Syslog forwarding
                      • Enabling RHEL OS audit log forwarding
                      • Disabling RHEL OS audit log forwarding
                      • Enabling EdenNet application audit log forwarding
                      • Disabling EdenNet application audit log forwarding
                      • Reconfiguring RHEL OS audit logs forwarding
                      • Signing of certificates by external CA
                      • Signing of certificates by internal CA
                      • EdenNet certificates
                      • Certificate generation
                      • Custom certificate
                      • Using a custom certificate
                      • Firewall rules
                      • Virtualization security

EdenNet 20 FP 2011    No change.

EdenNet 20 FP 2010    Added section:
                      • Setting warning banner for standard log in services
                      Updated sections:
                      • Management of LDAP servers
                      • Appendix
                      • Database hardening
                      • firewalld_enabled parameter
                      Deleted sections:
                      • Management of external directory servers
                      • Disabling internal LDAP server configuration
                      • LDAP server access order for user authentication
                      The deleted sections are moved to EdenNet User and Administration Guide.

EdenNet 20 FP 2009    Added sections:
                      • Account lockout for incorrect password attempts
                      • Account lockout time for failed password attempts
                      • Audit configuration
                      Updated sections:
                      • Virtualization security
                      • Password policy for Linux OS users
                      • Hardening assets included in EdenNet

EdenNet 20 FP 2008    Updated sections:
                      • Database logs
                      • Spark Primary nodes
                      • Spark Secondary nodes
                      • Cassandra DB Server nodes

EdenNet 20 FP 2007    Added sections:
                      • Backup and restore security
                      • Web services hardening
                      Updated sections:
                      • Hardening assets included in EdenNet
                      • Configuring retention period for security events
                      • firewalld_enabled parameter

EdenNet 20            Added sections:
                      • Database hardening
                      • Database logs
                      • Log rotation policy
                      • Enable IPv6 External communication
                      Updated sections:
                      • Virtualization security
                      • Hardening assets included in EdenNet: The list of security hardening
                        functionalities provided by secpam is updated.
                      • Generating or renewing SSL certificates and keys
                      • Security supervision
                      • External directory server attributes

EdenNet 19A FP 2004   No change.

EdenNet 19A FP 2003   Added sections:
                      • Password policy for database users
                      • Modifying back-end external LDAP server configuration with group support
                      Updated sections:
                      • External directory server attributes: New attributes are added.
                      • Database users: A new user (enetdbsecadmin) is added.
                      • Adding external server: A note is added.

EdenNet 19A FP 2002   Updated sections:
                      • AC Application node
                      • FM Service nodes
                      • FM DB nodes
                      • Hardening assets included in EdenNet
                      • Appendix
                      • Application Server Virtual Machines (VMs): Vault service details are added
                        to Table 24: Ports opened internally on application server VMs.
                      • Backup and Restore: Avamar Enterprise Edition (AVE):
                        – Instances of VDP are changed to AVE.
                        – Port 8543 is replaced by port 7543.
                        – A note is added.
                      Removed section:
                      • Common JBoss nodes

EdenNet 19A FP 2001   No change.

EdenNet 19A FP 1912   Added sections:
                      • Enabling or disabling root login
                      • Administration of offline map server
                      Updated sections:
                      • Operating system hardening
                      • Executing security hardening script
                      • Appendix
                      • Security supervision
                      • Application Server Virtual Machines (VMs): The Ports opened externally on
                        application server VMs table is updated.

EdenNet 19A FP 1911   No change.

EdenNet 19A           Updated sections:
                      • The Signing of certificates by internal CA section is modified.
                      • The Security supervision section is modified.
                      • The Operating system hardening section is modified.
                      • <installation_user> is added to the tables in the following sections:
                        – Linux OS users: Linux users table
                        – EdenNet passwords: Users that require password change table
                      • Security supervision on the Linux OS level: The Events recorded in log
                        files on Linux OS level table is modified.
                      • Information about the actions to be executed by root users is added to
                        the following sections:
                        – EdenNet audit logs
                        – Signing of certificates by external CA
                      • root user is changed to <installation_user> in the following sections:
                        – Changing <installation_user> password
                        – Changing password of enet user
                        – Signing of certificates by internal CA
                        – Executing security hardening script
                        – Using a custom certificate
                        – Renewing EdenNet certificate
                        – Creating JBoss user
                        – Certificate generation
                      Added sections:
                      • Virtualization security
                      • Management of secure database server communications
                      • Generating sudoers file
                      • Hardening assets included in EdenNet
                      • Troubleshooting security management

EdenNet 19 FP 1907    Updated sections:
                      • AC Application node: The following tables are updated:
                        – AC Application node (ports opened externally)
                        – AC Application node (ports opened internally)
                      • EdenNet API security: Information about the Kong API gateway is added.
                      • Application Server Virtual Machines (VMs): Port 9600 is removed from the
                        Ports opened externally on application server VMs table.

EdenNet 19 FP 1906    Updated sections:
                      • credUser is added to the Passwords in inventoryfile table in the Password
                        requirements for EdenNet section.
                      • A new port (31600) is added to the AC Application node section in the AC
                        Application node (ports opened externally) table.

EdenNet 19 FP 1905    The Disabling RHEL OS audit log forwarding section is updated.

EdenNet 19 FP 1904    All instances of Custom modules are changed to Adapted modules in the
                      following section:
                      • Task servers

EdenNet 19            • The Management of LDAP servers section is updated.
                      • The Security Events section is updated.
                      • The Database VMs section is updated.
                      • The Appendix section is added.

EdenNet 18 SP1 1901   No updates.

EdenNet 18 SP1 1812   No updates.

EdenNet 18 SP1 1811   Added section:
                      • Configuring removal of unused packages

EdenNet 18 SP1        Added sections:
                      • Executing security hardening script
                      • EdenNet API security
                      • Keycloak users
                      • Security considerations for EdenNet installation
                      Updated sections:
                      • The following sections are removed:
                        – Executing security hardening script
                        – Enabling and disabling specific hardening features
                        – Disabling security hardening
                      • The following sections are modified:
                        – Operating system hardening
                        – Certificate generation
                        – Configuring retention period for security events
                        – Firewall rules
                        – Configuring removal of unused packages
                        – LDAP users
                      • Instances of NetAct lbwas in the Source System column are changed to
                        All NetAct WAS nodes in the Firewall rules section.

EdenNet 18            Updated content:
                      • Certificate generation
                      • Configuring retention period for security events
                      • Firewall rules
                      • LDAP users
                      • Configuring removal of unused packages
                      Added content:
                      • EdenNet API security
                      • Keycloak users
                      • Security considerations for EdenNet installation

EdenNet 17 SP1 FP1    Addition of hc user to section Linux OS users.
                      A new section is added: Configuring removal of unused packages

EdenNet 17 SP1        The Using a custom certificate section has been updated.
                      The Firewall rules section has been updated.

EdenNet 17 FP1        The Firewall rules section has been updated.

EdenNet 17            The updated sections are:
                      • Certificate management overview
                      • Security policy for firewalls

EdenNet 16 SP4        New sections added:
                      • LDAP users
                      • Management of LDAP servers
                      Modified sections:
                      • Linux OS users
                      • EdenNet application user
                      • Disabling a set of unnecessary services
                      • Enforcing SSH ciphers
                      • Binding of SSH to specific IP addresses
                      • Restricting the usage of SSH service to users or groups
                      • Setting of SSH log level

EdenNet 16 SP3        Configuring syslog forwarding and Transport layer security sections added.
                      Security policy for firewalls section updated.

EdenNet 16 SP2        System hardening, Certificate management, Security events, Security updates
                      sections were added. Security supervision, User and permission management
                      and Firewalls sections were updated.

EdenNet 16 SP1        No updates.

EdenNet 16            This is a new document that provides information on the security aspects
                      for EdenNet.

Table 1: Summary of changes


2 Introduction to security management


This document describes the security aspects for EdenNet. Security management covers user data,
software, network security, and security supervision.


3 EdenNet passwords
Certain users are created automatically during EdenNet installation.

Note: Nokia recommends changing the default passwords of these users immediately after EdenNet
installation.

Table 2: Users that require password change lists the users whose default passwords must be
changed.

User                  Node   User type
root                  All    Linux OS
enet                  All    Linux OS
admin                 N/A    EdenNet application user
<installation_user>   All    Linux OS

Table 2: Users that require password change


4 Security updates

When a security vulnerability is discovered in any Red Hat Enterprise Linux (RHEL) package, RHEL
errata containing the fix is released. The RHEL errata is delivered as an ISO image containing the yum
repository.

If you face any issues during installation, contact Nokia technical support.


5 Generating sudoers file


For non-root user installation, a sudoers file is required to run the scripts and commands that otherwise require root permission.
A sudoers file enables the <installation_user> to run these commands.

To generate a sudoers file, do the following:

1. Log in to the control server as an <installation_user>.

2. Navigate to the following directory:

<directory of the Control server>/installer/ansible_files

3. Execute the following command for the corresponding configuration:

   • For 2VM configuration:

     ansible-playbook -vvv -i ./inventoryfile.2VM prepare_sudoers.yml --tags "optional-security-hardening"

   • For 5VM configuration:

     ansible-playbook -vvv -i ./inventoryfile.5VM prepare_sudoers.yml --tags "optional-security-hardening"

   • For 8VM+ configuration:

     ansible-playbook -vvv -i ./inventoryfile.8VM prepare_sudoers.yml --tags "optional-security-hardening"

   A security_hardening_sudoers file is generated at the control server.

4. Switch to the root user and copy the security_hardening_sudoers file to the following directory
   of each target server:

   /etc/sudoers.d

Expected outcome

A security_hardening_sudoers file is available at every target server.
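Before the generated file is copied into /etc/sudoers.d in step 4, it is worth confirming that sudo will actually load it and that it grants no more than intended. The following POSIX shell check is an added example, not part of the EdenNet installer; it assumes only the file name and target directory named above, uses stat(1) and grep(1), and treats visudo as optional.

```shell
#!/bin/sh
# Added example (not Nokia's script): sanity-check a generated
# security_hardening_sudoers file before installing it under /etc/sudoers.d.
# Assumptions: POSIX sh; GNU stat with a BSD stat fallback; visudo is invoked
# only when present and the file is already root-owned, because "visudo -c"
# also enforces root ownership and 0440 mode and would otherwise fail.

# check_sudoers_file FILE [OWNER_UID]
# Prints one line per finding and returns 0 if the file is safe to install,
# 1 otherwise. OWNER_UID defaults to 0 (root), the owner sudo requires.
check_sudoers_file() {
    f="$1"
    want_uid="${2:-0}"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing file: $f"
        return 1
    fi
    # sudo silently ignores drop-ins whose name contains '.' or ends in '~',
    # so a misnamed copy would leave the target server without the rules
    case "$(basename "$f")" in
        *.*|*~) echo "name ignored by sudo (contains '.' or ends in '~'): $f"; rc=1 ;;
    esac
    # owner and permission bits: GNU stat first, BSD/macOS stat as fallback
    uid=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid $uid, expected $want_uid: $f"; rc=1
    fi
    case "$mode" in
        440|400) ;;
        *) echo "mode $mode, expected 0440: $f"; rc=1 ;;
    esac
    # a blanket "NOPASSWD: ALL" rule would hand <installation_user> unrestricted
    # root instead of the specific scripts and commands the installer needs
    if grep -Eq 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$f"; then
        echo "unrestricted 'NOPASSWD: ALL' rule: $f"; rc=1
    fi
    # full syntax check with visudo, meaningful only on a root-owned file
    if [ "$uid" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$f" || { echo "visudo rejected the file: $f"; rc=1; }
    fi
    return $rc
}
```

Run it as root on each target server against the copied file, e.g. check_sudoers_file /etc/sudoers.d/security_hardening_sudoers, and only proceed when it prints nothing and exits 0.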


6 Security supervision
Security supervision is performed by logging and tracing the user's activities (for example, log in or log out attempts, password changes, and so on). Audit logging is a crucial security feature. It helps to detect any potential security issues and to analyze the system after a security breach. An audit log is a security-relevant chronological record, or a set of records, and/or destination and source of records, that provides documentary evidence of the sequence of activities that have affected a specific operation, procedure, or event, at any time.

Logging and tracing functionality is provided by the:

• Linux Audit system (for the Linux OS)
• Security Events subsystem (for the logging and tracing functionality)

Note:

• During installation, if the enable_audit_logging_and_hardening inventory parameter is set to False, audit scripts and security hardening functionality will not be available.

Users must take care of audit logging and security hardening and Nokia is not responsible for the same.

The default value of enable_audit_logging_and_hardening is set to True.

• During any subsequent upgrades:

– hardening and audit logging will continue to be enabled if the previous state was enabled (when the enable_audit_logging_and_hardening inventory parameter is set to True).
– hardening and audit logging will be disabled if the previous state was disabled (when the enable_audit_logging_and_hardening inventory parameter is set to False).
– if the value of the enable_audit_logging_and_hardening inventory parameter is set to True, hardening and audit logging functionality will be available (even for scratch installation).
– if the value of the enable_audit_logging_and_hardening inventory parameter is set to False, hardening and audit logging functionality will not be available (even for scratch installation).

• If the installation or upgrade is completed with the value of the enable_audit_logging_and_hardening inventory parameter set to True, the audit logging functionality will be present irrespective of the parameter value used during the next upgrade.

• If the installation or upgrade is completed with the value of the enable_audit_logging_and_hardening inventory parameter set to False, the audit logging functionality will not be present, irrespective of the parameter value used during the next upgrade.

6.1 Enable IPv6 External communication


A new ipv6_deploy_mode inventory parameter is introduced and it is used to enable
IPv6 communication (internal and/or external) in EdenNet 21. During installation, if the
ipv6_deploy_mode parameter is set to off, the internal or external IPv6 communication is disabled.
The default value of this parameter is off, enabling only IPv4 communication.

The prerequisites to enable IPv6 external communication are:

• The target VMs must support IPv6 dualstack configuration and IPv6 must be enabled in the VM network.
• Security hardening must be enabled. The enable_audit_logging_and_hardening inventory parameter value must be set to True.

If the target VMs do not support IPv6 dualstack or the enable_audit_logging_and_hardening inventory parameter is False, then ipv6_deploy_mode should be set to off.

During subsequent upgrades, the following table depicts the status of IPv6 external communication for different inventory flag combinations:

ipv6_deploy_mode | enable_audit_logging_and_hardening | IPv6 External Communication
Off | True | Disabled
External | True | Enabled
Off | False | IPv6 External Communication to be handled by Customer
External | False | IPv6 External Communication to be handled by Customer

Table 3: IPv6 external communications status

Note:

During installation, if the enable_audit_logging_and_hardening inventory parameter is set to False, audit scripts, security hardening functionality, the IPv6 loopback address, and other IPv6 configurations are not available. Users must take care of audit logging, security hardening, and IPv6 configurations. Nokia is not responsible for the same.

6.2 Force Regenerating Certificates and API Secret


As part of the EdenNet upgrade to Release 21, the certificates and API secrets must be regenerated. This is controlled using an inventory flag called force_regenerate_certs.

force_regenerate_certs = True
Description: All certificates and keys, along with the API secret, will be generated. New certificates, keys and API secrets must be used for EdenNet 21 and above releases.
Applicable for:
• Upgrade to EdenNet 21 or later from any previous release
• Upgrade to EdenNet 21 or later with migration from IPv4 to IPv6 (dual or standalone)
• Upgrade to EdenNet 21 or later with migration to Multi IP (IPv4 or IPv6)

force_regenerate_certs = False
Description: No certificate, keys, or API secret will be regenerated.
Applicable for:
• Scratch installation to EdenNet 21 or later
• Monthly Software Update

Table 4: force_regenerate_certs Inventory Flag

Note: This inventory flag:

• Regenerates the certificate, keys, and API secrets during upgrade to EdenNet 21 and above releases.
• Must be set to True on the first upgrade to EdenNet 21 from previous releases.

When this inventory flag is set to True, the migration scenarios covered are:

• IPv4 to IPv6 (Single IP)
• IPv6 to Multi IPv6
• Multi IPv4 to Multi IPv6

6.3 Security supervision on the Linux OS level


EdenNet supports security supervision on the Linux OS level using the Linux Audit system. The Linux Audit system generates log entries to record information about the security related events in the system.

Table 5: Events recorded in log files on Linux OS level describes the log files.

Events / Description

SELinux AVC denials
Triggered when access to a resource is denied by SELinux.

Logins
Triggered when a user logs in or logs out of the system.

Account modifications
Triggered when a user or group is added or when the user account information is modified.

Authentication events
Triggered when the user authentication fails.

Audit system events
Triggered when the Audit system daemon is started/stopped/crashed or its configuration is modified.

Firewall related events
Triggered when Netfilter chain modifications are detected.

Other, general SELinux audit events
Triggered when the SELinux policy is changed or reloaded, the enforcement mode is changed, or a SELinux kernel error occurs.

Changes of important configuration parameters
Triggered when the changed configuration parameters are:
• Audit configuration
• rsyslog configuration
• Logrotate configuration
• Cron configuration
• Login configuration
• Network configuration
• NTP configuration
• Library search path
• Local timezone
• Kernel parameters
• Modprobe configuration
• Pluggable Authentication Modules (PAM) configuration
• Screen configuration
• SSH configuration
• Sudo configuration
• MySQL configuration
• EdenNet services' configuration
• Time changes
• Domain/hostname changes

System logs modifications
Triggered when the system logs are modified.

Startup scripts modifications
Triggered when the startup scripts are modified.

All actions performed by privileged users
Triggered when the Linux OS commands are executed by the following users:
• root
• vson
• enet
• <installation_user>

Unauthorized attempts to access resources
Triggered when any unauthorized attempts are made.

Changes to the user profiles
Triggered when changes are made to the user profiles.

Access to audit logs
Triggered when a request to access audit logs is raised.

Table 5: Events recorded in log files on Linux OS level

6.4 Log files


The audit logs are stored in the /var/log/audit/audit.log file. The auditd daemon rotates the logs by size, at 10 MB, with a retention of 10 files. Auditd fails to write entries when there is less than 50 MB of space left on the file system.

The audit logs are stored in RAW format. These logs can be read using any text viewer or editor, but there are special tools, namely aureport and ausearch, that help with this.

Security related logs are also written to the /var/log/secure file. This file contains information related to authentication and authorization. For example, sshd and sudo log messages are written to /var/log/secure, including unsuccessful login attempts.
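As an added illustration of sections 6.3 and 6.4 (example code written for this edition, not part of EdenNet or its audit tooling), the following Python parser reads records in the raw audit.log format, sorts them into the Table 5 categories and counts failed logins per source address. The sample records are constructed, and the mapping from audit record types to Table 5 categories is this example's own assumption.

```python
import re
from collections import Counter

# Constructed sample records in the raw audit.log format described in 6.4
# (written for this example, not captured from an EdenNet node).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1623000000.123:501): pid=1234 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.10.10.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1623000001.456:502): pid=1234 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="enet" exe="/usr/sbin/sshd" hostname=? addr=10.10.10.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1623000002.000:503): pid=1236 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.10.10.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1623000003.000:504): pid=1240 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.10.10.7 terminal=/dev/pts/0 res=success'
type=ADD_USER msg=audit(1623000004.000:505): pid=2000 uid=0 auid=1000 ses=3 msg='op=adding user id=1005 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1623000005.000:506): avc:  denied  { read } for  pid=3000 comm="httpd" name="shadow" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=CONFIG_CHANGE msg=audit(1623000006.000:507): auid=1000 ses=3 op=remove_rule key="sshd_config" list=4 res=1
type=SYSCALL msg=audit(1623000007.000:508): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0 a2=241 a3=1b6 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="sshd_config"
type=DAEMON_END msg=audit(1623000008.000:509): op=terminate auid=4294967295 pid=999 res=success
type=NETFILTER_CFG msg=audit(1623000009.000:510): table=filter family=2 entries=12
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <body>
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; a value may be 'single-quoted' (the nested msg block), "double-quoted" or bare
FIELD_RE = re.compile(r'(\w+)=(\'(?:[^\'\\]|\\.)*\'|"[^"]*"|\S*)')

# Assumed mapping from audit record types to the Table 5 categories (this example's own choice).
LOGIN_TYPES = {"USER_LOGIN", "USER_LOGOUT", "LOGIN", "USER_START", "USER_END"}
ACCOUNT_TYPES = {"ADD_USER", "DEL_USER", "ADD_GROUP", "DEL_GROUP", "USER_CHAUTHTOK", "USER_MGMT", "GRP_MGMT"}
AUDIT_SYSTEM_TYPES = {"DAEMON_START", "DAEMON_END", "DAEMON_ABORT", "DAEMON_CONFIG", "CONFIG_CHANGE"}
SELINUX_TYPES = {"MAC_POLICY_LOAD", "MAC_STATUS", "SELINUX_ERR"}


def _fields(text):
    """Flatten key=value pairs, merging the nested msg='...' block into the same dict."""
    out = {}
    for key, raw in FIELD_RE.findall(text):
        if key == "msg" and raw.startswith("'") and raw.endswith("'"):
            out.update(_fields(raw[1:-1]))
        else:
            out[key] = raw.strip('"')
    return out


def parse_record(line):
    """Parse one raw audit.log line; returns None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": _fields(body),
        "denied": m.group("type") == "AVC" and "denied" in body,
    }


def classify(rec):
    """Map a parsed record to a Table 5 event category, or None if it is outside the table."""
    t, f = rec["type"], rec["fields"]
    if t == "AVC":
        return "SELinux AVC denials" if rec["denied"] else None
    if t in LOGIN_TYPES:
        return "Logins"
    if t in ACCOUNT_TYPES:
        return "Account modifications"
    if t == "USER_AUTH" and f.get("res") == "failed":
        return "Authentication events"
    if t in AUDIT_SYSTEM_TYPES:
        return "Audit system events"
    if t == "NETFILTER_CFG":
        return "Firewall related events"
    if t in SELINUX_TYPES:
        return "Other, general SELinux audit events"
    if t == "SYSCALL" and f.get("key") not in (None, "(null)"):
        # keyed syscall records come from file watches on configuration files such as those in Table 5
        return "Changes of important configuration parameters"
    return None


def summarize(log_text):
    """Count records per Table 5 category."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        cat = classify(rec) if rec else None
        if cat:
            counts[cat] += 1
    return counts


def failed_logins_by_source(log_text):
    """Count failed login and authentication records per source address (a quick brute-force check)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] in ("USER_LOGIN", "USER_AUTH") and rec["fields"].get("res") == "failed":
            counts[rec["fields"].get("addr", "?")] += 1
    return counts


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print("%-50s %d" % (category, n))
    print("failed logins by source:", dict(failed_logins_by_source(SAMPLE_AUDIT_LOG)))
```

On a real node, feed the function the contents of /var/log/audit/audit.log (or the rotated files) instead of the constructed sample.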

6.5 Security supervision on EdenNet application level


All the security events triggered by EdenNet users as well as autonomously by EdenNet applications
or services are recorded.

Table 6: Events recorded in log files on application level describes the events logged as part of security audit logging.

Events / Description

Session management
Login and logout attempts, both successful and unsuccessful, are logged.

User management
All user profile changes are logged. For example:
• creating a new user
• modifying the account properties of an existing user (for example, name, e-mail address and user group)
• deleting a user

SON modules runs
All attempts to start, stop, schedule, or remove the scheduled SON modules are logged.

Configuration changes
All attempts to import or delete modules are logged.

Accessing security events
All attempts to access security events are logged.

Table 6: Events recorded in log files on application level

6.6 EdenNet audit logs


Audit logging is a crucial security feature. Although it does not directly increase the security of an application or a system, it helps to detect any potential security issues and also to post-analyze the system after a security breach.

This section explains how to administer the settings related to EdenNet audit logging.

Note: Audit log forwarding cannot be performed with a non-root user and requires root access to execute the following operation:

– enet_audit_forwarding.sh script

6.6.1 Syslog forwarding

Security events, both OS and application level, can be forwarded to the remote server using syslog
protocol for further processing and/or storage. Syslog forwarding via User Datagram Protocol (UDP)
and Transmission Control Protocol (TCP) is supported. Transport layer security (TLS) encryption can
be enabled if needed.

Note:

• This functionality can be used only by the root user.
• On external servers, users must take care of log management activities such as log retention and rotation policy. Nokia is not responsible for the same.

Syslog forwarding can be configured through the command line interface using the
enet_audit_forwarding.sh script. This script is deployed in /opt/nokia/audit/bin directory.

Script usage syntax:

enet_audit_forwarding.sh <os|application|both> <enable|disable|modify>
    [-s|--server <remote_server_address>] [--tcp|--udp]
    [-p|--priority <priority>] [-f|--facility <facility>]
    [--tls|--notls]

The first command line argument is always mandatory and specifies which audit logs are considered,
RHEL OS audit logs (os), EdenNet application audit logs (application) or both (both).

The second command line argument is always mandatory as well and specifies whether forwarding
should be enabled (enable), disabled (disable) or re-configured (modify).

Table 7: enet_audit_forwarding.sh parameters describes the parameters in the enet_audit_forwarding.sh script.

Optional command line arguments (Description / Possible values / Default value / Mandatory for)

-s, --server
Description: Specifies the remote syslog server where the logs should be forwarded
Possible values: IPv4 or IPv6 address or name
Default value: N/A
Mandatory for: Enable - Yes; Disable - No; Modify - No

--tcp, --udp
Description: Specifies whether TCP or UDP will be used for forwarding
Possible values: N/A
Default value: TCP
Mandatory for: Enable - No; Disable - No; Modify - No

-p, --priority
Description: Specifies the priority set for the forwarded events
Possible values: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG
Default value: LOG_INFO
Mandatory for: Enable - No; Disable - No; Modify - No

-f, --facility
Description: Specifies the facility set for the forwarded events
Possible values: LOG_USER, LOG_LOCAL0 to LOG_LOCAL7
Default value: LOG_USER
Mandatory for: Enable - No; Disable - No; Modify - No

--tls, --notls
Description: Specifies whether communication between EdenNet and the remote syslog server is encrypted or not. Encryption can only be used with TCP.
Possible values: N/A
Default value: no TLS
Mandatory for: Enable - No; Disable - No; Modify - No

Table 7: enet_audit_forwarding.sh parameters

The enet_audit_forwarding.sh script is available on each EdenNet node.

RHEL OS audit logs forwarding is managed on each EdenNet node independently. For example,
running the enet_audit_forwarding.sh script with enable flag on one node enables the
forwarding on that particular node only.

EdenNet application audit logs forwarding is managed centrally on Central App VM. The
enet_audit_forwarding.sh script with application flag can be invoked on Central App VM only.

Flag | Allowed nodes
os | All EdenNet nodes
application | Central App VM
both | Central App VM

Table 8: enet_audit_forwarding.sh allowed nodes

6.6.1.1 Enabling RHEL OS audit log forwarding


Security events, both OS and application level, can be forwarded to the remote server using syslog protocol for further
processing and/or storage.


To enable RHEL OS audit logs forwarding, do the following:

1. Log in to the virtual machine (VM) as root user.

2. Forward RHEL OS audit logs by entering:

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh os enable --server <remote_server>

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh os enable --server syslog.example.com
OS audit log forwarding is re-configured
OS audit log forwarding is enabled
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

Note: If EdenNet is installed in dual or standalone mode, the IPv6 server should be enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT>.

Expected outcome

RHEL OS audit log forwarding is enabled.

Note:

• To forward RHEL OS audit logs from all the EdenNet nodes, the script must be invoked on each EdenNet node.
• In EdenNet 16 SP3 it is not possible to specify the port number for the remote syslog server. 514 is the default port of the remote syslog server. If the remote syslog server is listening on a different port, the rsyslog configuration on each affected EdenNet node must be changed manually. The affected nodes are all EdenNet virtual machines for OS audit logs forwarding and Central App VM for application audit logs forwarding.

To change the port number, edit the /etc/rsyslog.d/50_enet_audit_rsyslog_forwarding.conf file.

The port number is appended to the server address, after the colon. For example:

:programname, isequal, "audispd" @@localhost:514 # <-- this one is for OS audit logs forwarding
:programname, isequal, "edennet" @@localhost:514 # <-- this one is for application logs forwarding

Note: If the remote server is IPv6 based, then the IP should be enclosed in square brackets in the above lines. For example:

:programname, isequal, "audispd" @@[2a00:8a00:a000:4000::1234:abcd]:514

6.6.1.2 Disabling RHEL OS audit log forwarding


Security events, both OS and application level, can be forwarded to the remote server using syslog protocol for further
processing and/or storage.

To disable RHEL OS audit logs forwarding, do the following:

1. Log in to the virtual machine (VM) as root user.

2. Disable RHEL OS audit logs forwarding by entering:

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh os disable --server <remote_server>

Note: If EdenNet is installed in dual or standalone mode, the IPv6 server should be enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT>.

The following output is displayed:

[root@sprintlab613vm4 bin]# ./enet_audit_forwarding.sh os disable --server syslog.example.com
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
OS audit log forwarding is disabled
Redirecting to /bin/systemctl restart rsyslog.service

Note:

To disable RHEL OS audit logs forwarding on all EdenNet nodes, the script must be invoked on each EdenNet node.

Expected outcome

RHEL OS audit log forwarding is disabled.

6.6.1.3 Enabling EdenNet application audit log forwarding


Security events, both OS and application level, can be forwarded to the remote server using syslog protocol for further
processing and/or storage.

To enable EdenNet application audit logs forwarding, do the following:

1. Log in to the Central App VM as root user.

2. Enable EdenNet application audit logs forwarding by entering:


[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh application enable --server <remote_server>

Note: If EdenNet is installed in dual or standalone mode, the IPv6 server should be enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT>.

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh application enable --server syslog.example.com
Application audit log is enabled
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

Note: In EdenNet 16 SP3 it is not possible to specify the port number for the remote syslog server. 514 is the default port of the remote syslog server. If the remote syslog server is listening on a different port, the rsyslog configuration on each affected EdenNet node must be changed manually. The affected nodes are all EdenNet virtual machines for OS audit logs forwarding and Central App VM for application audit logs forwarding.

To change the port number, edit the /etc/rsyslog.d/50_enet_audit_rsyslog_forwarding.conf file.

The port number is appended to the server address, after the colon. For example:

:programname, isequal, "audispd" @@localhost:514 # <-- this one is for OS audit logs forwarding
:programname, isequal, "edennet" @@localhost:514 # <-- this one is for application logs forwarding

Note: If the remote server is IPv6 based, then the IP should be enclosed in square brackets in the above lines. For example:

:programname, isequal, "audispd" @@[2a00:8a00:a000:4000::1234:abcd]:514
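As an added example for the port-change notes in 6.6.1.1 and 6.6.1.3 (written for this edition, not an EdenNet script), the following Python helpers parse the forwarding lines of 50_enet_audit_rsyslog_forwarding.conf, rewrite the port after the colon and bracket IPv6 literals as the notes require; a small lint reports lines rsyslog would misread. The sample configuration content is constructed from the two lines quoted above.

```python
import ipaddress
import re

# Constructed sample of /etc/rsyslog.d/50_enet_audit_rsyslog_forwarding.conf, shaped like the
# two lines quoted in the note above (not copied from a real node).
SAMPLE_CONF = """\
:programname, isequal, "audispd" @@localhost:514 # <-- this one is for OS audit logs forwarding
:programname, isequal, "edennet" @@localhost:514 # <-- this one is for application logs forwarding
"""

# selector, transport marker (@@ = TCP, @ = UDP), host (bracketed IPv6 or plain), optional port, comment
FORWARD_RE = re.compile(
    r'^(?P<selector>:programname,\s*isequal,\s*"(?P<program>[^"]+)")\s+'
    r'(?P<marker>@@?)(?P<host>\[[^\]]+\]|[^\s:]+)(?::(?P<port>\d+))?'
    r'(?P<rest>\s*(?:#.*)?)$'
)


def format_target(host, port):
    """Build host:port for an rsyslog action, bracketing IPv6 literals as the note above requires."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    bare = host.strip("[]")
    try:
        is_v6 = ipaddress.ip_address(bare).version == 6
    except ValueError:  # hostname: no brackets
        is_v6 = False
    return "[%s]:%d" % (bare, port) if is_v6 else "%s:%d" % (bare, port)


def parse_forwarding_line(line):
    """Return the parts of one forwarding rule, or None for lines that are not (valid) forwarding rules."""
    m = FORWARD_RE.match(line.rstrip())
    if not m:
        return None
    return {
        "program": m.group("program"),
        "transport": "tcp" if m.group("marker") == "@@" else "udp",
        "host": m.group("host").strip("[]"),
        "port": int(m.group("port")) if m.group("port") else 514,  # rsyslog default when omitted
    }


def rewrite_port(conf_text, new_port):
    """Return conf_text with every forwarding rule pointed at new_port; other lines are untouched."""
    out = []
    for line in conf_text.splitlines():
        m = FORWARD_RE.match(line.rstrip())
        if m:
            line = "%s %s%s%s" % (m.group("selector"), m.group("marker"),
                                  format_target(m.group("host"), new_port), m.group("rest"))
        out.append(line)
    return "\n".join(out) + "\n"


def lint_conf(conf_text):
    """List (line number, text) of :programname rules that do not parse, e.g. an unbracketed IPv6 literal."""
    problems = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith(":programname") and parse_forwarding_line(line) is None:
            problems.append((n, line.strip()))
    return problems


if __name__ == "__main__":
    print(rewrite_port(SAMPLE_CONF, 6514))
    print(format_target("2a00:8a00:a000:4000::1234:abcd", 514))
    print(lint_conf(':programname, isequal, "audispd" @@2a00:8a00:a000:4000::1234:abcd:514\n'))
```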

Expected outcome

EdenNet application audit log forwarding is enabled.

6.6.1.4 Disabling EdenNet application audit log forwarding


Security events, both OS and application level, can be forwarded to the remote server using syslog protocol for further
processing and/or storage.


To disable EdenNet application audit log forwarding, do the following:

1. Log in to the Central App VM as root user.

2. Disable EdenNet application audit log forwarding by entering:

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh application disable

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh application disable
Application audit log is disabled
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

Expected outcome

EdenNet application audit log forwarding is disabled.

6.6.1.5 Reconfiguring RHEL OS audit logs forwarding


Security events, both OS and application level, can be forwarded to the remote server using syslog protocol for further
processing and/or storage.

To re-configure (for example, change the server and transport protocol) RHEL OS audit logs forward-
ing, do the following:

1. Log in to the virtual machine (VM) as root user.

2. Re-configure RHEL OS audit logs forwarding by entering:

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh os modify --server <remote_server> --udp

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh os modify --server newsyslog.example.com --udp
OS audit log forwarding is re-configured
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

Note:

• To re-configure RHEL OS audit logs forwarding on all EdenNet nodes, the script must be invoked on each EdenNet node.
• If EdenNet is installed in dual or standalone mode, the IPv6 server should be enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT>.


Expected outcome

RHEL OS audit logs forwarding is re-configured.

6.6.1.6 Reconfiguring EdenNet application audit logs forwarding


Security events, both OS and application level, can be forwarded to the remote server using syslog protocol for further
processing and/or storage.

To re-configure (for example, change the server and transport protocol) EdenNet application audit logs
forwarding, do the following:

1. Log in to the Central App VM as root user.

2. Re-configure EdenNet application audit logs forwarding by entering:

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh application modify --server <remote_server> --udp

[root@EdenNet ~]$ /opt/nokia/audit/bin/enet_audit_forwarding.sh application modify --server newsyslog.example.com --udp
Application audit log forwarding is re-configured
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

Note: If EdenNet is installed in dual or standalone mode, the IPv6 server should be enclosed in square brackets. For example, [<IPv6>] or [<IPv6>]:<PORT>.

Expected outcome

EdenNet application audit logs forwarding is re-configured.

6.6.2 Transport layer security (TLS)


Transport Layer Security (TLS) can be enabled for audit logs forwarding to encrypt the communication
between EdenNet and the remote server. TLS is enabled by passing --tls parameter to the
enet_audit_forwarding.sh script.

Note: In order to configure rsyslog with TLS, the rsyslog-gnutls RPM package must be
installed on all the EdenNet nodes.

6.6.2.1 Transport layer security certificates


Both the client and the server must use valid certificates. All clients (in EdenNet, all the nodes where syslog forwarding with TLS is enabled) must use their own, unique certificate.

Note: The client and server certificates must be signed by the same Certification Authority
(CA); at least if rsyslog is used at the server side. For other syslog servers, check Certificate
management overview.

The certificates can be signed either by EdenNet internal CA or by an external CA.

The keys and certificates used for syslog forwarding with TLS are stored in the /etc/rsyslog.d/enet/rsyslog/certs/ directory on the respective EdenNet nodes.

6.6.2.1.1 Signing of certificates by external CA


Having EdenNet certificates signed by an external, trusted CA is the best possible solution from a security and usability perspective. EdenNet certificates are signed by an external, trusted Certification Authority (for example, VeriSign), and are therefore automatically trusted by web browsers and other systems/services.

Note:

• A separate private key and certificate must be generated for each EdenNet node where syslog forwarding with Transport Layer Security (TLS) must be enabled.
• Signing of certificates by an external CA cannot be performed with a non-root user and requires root access to execute the following operation:

– deploy_certificate_to_rsyslog.sh script

To sign certificates by external Certificate Authority (CA):

1. Copy the private keys, certificates, and CA certificate to EdenNet GUI node and log in as root to
the same.

2. Deploy the private key, certificate, and CA certificate to one EdenNet node by entering:

[root@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/deploy_certificate_to_rsyslog.sh -ca_crt <path to CA certificate> -key <path to private key> -crt <path to certificate> -host <EdenNet node>

where:

• <path to ...> are paths to the respective files.
• <EdenNet node> is the IPv4 or IPv6 address or name of the respective EdenNet node.
• -host <EdenNet node> is optional and must be used to deploy the certificates to a remote node.

Note: If EdenNet is installed in dual or standalone mode, use the IPv6 address; otherwise, use the IPv4 address.

To deploy certificates locally, do not use the -host parameter.

For example, to deploy custom certificates locally, enter:

[root@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/deploy_certificate_to_rsyslog.sh -ca_crt /tmp/ca_cert.crt -key /tmp/key.pem -crt /tmp/cert.crt
Deploying certificates to local host.
Certificate and key files successfully deployed into rsyslog.

To deploy custom certificates to another EdenNet node, enter:

[root@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/deploy_certificate_to_rsyslog.sh -ca_crt /tmp/ca_cert.crt -key /tmp/key.pem -crt /tmp/cert.crt -host 10.10.10.11
Deploying certificates to host:10.10.10.11.
[...]
Certificate and key files successfully deployed into rsyslog.

3. Repeat the above steps to deploy the keys and certificates to all EdenNet nodes where syslog
forwarding with TLS is enabled.

Expected outcome

Certificate and key files are successfully deployed into rsyslog.

6.6.2.1.2 Signing of certificates by internal CA


EdenNet comes with its own, internal Certification Authority (CA) which is used to sign certificates. The certificate of this
CA must be imported to any browser that is used to work with EdenNet. This internal CA can also be used to sign internal
certificates required for HTTPS communication between EdenNet services.

1. Log in as <installation_user> to the EdenNet GUI node.

2. Generate the certificate for an EdenNet node by entering:

[user@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/certificate_management.sh -generate crt -app_name rsyslog -ip2 <IPv4/IPv6 address> -fqdn2 <FQDN>

where:

• <IPv4/IPv6 address> is the IPv4 or IPv6 address of the node.
• <FQDN> is the fully qualified name of the node.

Note: If EdenNet is deployed in dual mode, both IPv4 and IPv6 addresses should be
given as IP1 and IP2.

[user@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/certificate_management.sh -generate crt -app_name rsyslog -ip 10.10.10.10 -fqdn client.example.com
Setting -ip2 2a00:2345:0425:2CA1:0000:0000:0567:5673 -fqdn client.example.com
generating and Signing cert
Generating a 2048 bit RSA private key
...+++
............................+++
writing new private key to 'rsyslog.key'
-----
Signature ok
subject=/CN=client.example.com/C=FI/L=Finland/O=Nokia
Getting CA Private Key

A private key (rsyslog.key) and certificate (rsyslog.crt) are generated.

3. Switch to root user and deploy the generated key, certificate, and CA certificate (/opt/nokia/
certificate_mgmt/ca_cert.crt) in the respective node:

[root@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/deploy_certificate_to_rsyslog.sh [-host <EdenNet node>]

where <EdenNet node> is the IPv4 or IPv6 address or name of the respective EdenNet node.

Note:

• -host <EdenNet node> is optional and must be used to deploy certificates in a remote node.
• If EdenNet is installed in dual or standalone mode, use the IPv6 address, else use the IPv4 address.

To deploy certificates locally, do not use -host parameter. For example, deploy certificates locally
by entering:

[root@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/deploy_certificate_to_rsyslog.sh
Deploying certificates to local host.
Certificate and key files successfully deployed into rsyslog.

Deploy certificates to other EdenNet nodes by entering:

[root@EdenNet ~]$ /opt/nokia/certificate_mgmt/bin/deploy_certificate_to_rsyslog.sh -host 10.10.10.11
Deploying certificates to host:10.10.10.11.
[...]
Certificate and key files successfully deployed into rsyslog.

4. Repeat the above steps for all the EdenNet nodes where syslog forwarding with Transport Layer
Security (TLS) must be enabled.

You can also use the certificate_management.sh script to generate a server certificate.
However, the deployment is out of scope. For more information, see Certificate generation.

Expected outcome

Certificates and key files are successfully deployed into rsyslog.

6.6.3 Audit configuration

In an immutable mode, unauthorized users cannot execute changes to the audit system to hide
malicious activity and then revert the audit rules. Users may notice a system reboot and that could
alert administrators of an attempt to make unauthorized audit changes. After making the configuration
immutable, the audit rules cannot be modified with auditctl.

For example, if any user tries to remove the immutable state of the audit configuration by running:

# auditctl -e 1

then the following error appears:

Error sending enable request (Operation not permitted).

7 User and permission management


EdenNet user security is about the mechanisms for controlling user access to the system. The identity
of users is verified through user authentication at login, and user authorization ensures that users can
only perform tasks that they are authorized to perform.

The user types in EdenNet are:

• EdenNet application user: User accounts with which users of the EdenNet GUI work.
• Linux OS user: The internal EdenNet accounts used to run EdenNet services and to perform
tasks in the Linux OS.
• Database user: User accounts that are used internally by MySQL, PostgreSQL, and Cassandra.
• Other user accounts, for example JBoss (used either internally by JBoss for management purposes or by applications deployed on the server), Keycloak (used for Keycloak administration).

7.1 EdenNet application user


EdenNet user types utilize multiple privilege levels and access permissions to prevent unauthorized
access and unwanted changes from being applied to the network.

Table 9: Permissions of EdenNet application users describes the user types in EdenNet.

EdenNet application user / Permissions

SON Monitor
As a read-only user, SON Monitors have the most limited set of user permissions:
• retrieving and analyzing SON Module output performance reports
• viewing and analyzing network performance metrics

SON Module Executor
SON Module Executors are granted all the privileges of the SON Monitor user. Additional privileges granted to SON Module Executors are related to script execution, such as:
• stopping SON Modules
• configuring, running, and scheduling future SON Module executions
• viewing the content of SON Modules (when available)

SON Module Manager
SON Module Managers are granted all the privileges of SON Module Executors and SON Monitor users. Additional privileges granted to SON Module Managers are related to the management of available SON Modules and SON priorities, such as:
• setting both user and module priorities
• managing advanced SON Module configuration
• configuring SON Module default parameter values
• configuring SON Exclusion List
• configuring Black and White Lists
• executing Network Rollback

Administrator
EdenNet Administrators are granted all the privileges available to other user types. Additional privileges granted to them are related to user account management, network connectivity, and SON Exclusion, such as:
• creating, adding, editing, and deleting EdenNet user accounts
• managing SON module permissions and geofence list on a per-user basis
• scheduling, enabling, and disabling the connection between EdenNet and Operations Support System (OSS)

Site Creation User
The privileges of the Site Creation User are:
• retrieving and analyzing SON Module output performance reports
• viewing and analyzing network performance metrics
• modifying site creation settings
• triggering site creation operation
• viewing and interrupting ongoing site creation operation

Table 9: Permissions of EdenNet application users

Table 10: Application user describes the users created during EdenNet installation.

User | Role | Description
admin | Super Root | Used by EdenNet administrator
ascuser | Site creation user | Used by Automated Site Creation module

Table 10: Application user

7.1.1 Password policy for application user


EdenNet application users' passwords must comply with the following requirements:

• at least eight characters long
• at least one uppercase letter
• at least one lowercase letter
• at least one number
• at least one special character: ~`!@#$%^&*()-_=+[{]}\|;:'",<.>?

To change the EdenNet application user password or to generate and re-generate secret keys, see the
About the EdenNet User and Administration Guide section in EdenNet User and Administration Guide.

7.2 Database users


This section explains the database users created during EdenNet installation.

MySQL database users

Table 11: MySQL users describes the users created during EdenNet installation.

User | Password | Description
root | Set during installation | MySQL database administrator
vson | Set during installation | MySQL vson database user. Note: The name of this user is not fixed and can be set during EdenNet installation.
custom | Randomly generated (20 characters) | MySQL user for custom task application
enetbackup | Randomly generated (20 characters) | MySQL user for taking database backups
audit | Randomly generated (20 characters) | MySQL user for audit log access
zabbix | Randomly generated (20 characters) | MySQL user for Zabbix Monitoring System
keycloak | Randomly generated (20 characters) | MySQL user for Keycloak
enetdbsecadmin | Set during installation | MySQL database administrator

Table 11: MySQL users

PostgreSQL database users

Table 12: PostgreSQL users describes the PostgreSQL users created during EdenNet installation.

User | Access to DB | Access from | Description
fmcache | fmcache | FM service node | User for FM cache DB access
postgres | all | localhost as postgres Linux OS user | PostgreSQL administrator user
noa | selfhealingdb | Workflow engine nodes | Workflow engine internal user

Table 12: PostgreSQL users

Cassandra database users

Table 13: Cassandra users describes the list of Cassandra users created during EdenNet installation.

User | Password | Description
cassandra | Randomly generated (20 characters) | Cassandra superuser
kong | Randomly generated (20 characters) | Cassandra user for Kong

Table 13: Cassandra users

Note: Changing the password of database users is currently not supported, because
passwords are stored in multiple places throughout EdenNet.

7.2.1 Password policy for database users


As part of database hardening, a strict password policy is introduced for database users.


It is mandatory to provide a password while creating a new MySQL database user. The passwords of
the EdenNet database users must:

• be at least fourteen characters long


• contain at least one letter
• contain at least one number
• contain at least one special character:

– For root user installation, the recommended special characters are: ! @ $ & * _ + = ?
– For non-root user installation, the sudoers file only supports @ and !

Note: Passwords for root, vson, and enetdbsecadmin users are set during installation. From
EdenNet 19A 2003 onwards, these passwords must adhere to the password policy men-
tioned above. The default passwords are already set according to this policy.

7.3 JBoss user


Table 14: JBoss user describes the JBoss user created during EdenNet installation.

User | Type | Description
jboss | Management User | Used for JBoss management

Table 14: JBoss user

7.3.1 Password policy for JBoss user


It is mandatory to provide a password while creating a new JBoss user. EdenNet JBoss users' passwords must comply with the following requirements:

• at least eight characters long
• at least one letter
• at least one number
• at least one special character: ~`!@#$%^&*()-_=+[{]}\|;:'",<.>?
• be different from the username
• not be root, admin, or administrator

7.3.2 Creating JBoss user


It is mandatory to provide a password while creating a JBoss user. The password must comply with the password requirements and the username provided must be unique.

To create new JBoss user, do the following:

1. Log in to JBoss node via SSH as <installation_user>.

2. Create the JBoss user by entering:

sudo /opt/jboss-as/bin/add-user.sh <User name> <new_password>

where:

• <User name> is the JBoss username. It must be unique.
• <new_password> is the JBoss password.

Note: Ensure that the password entered complies with the password policy. For more information, see Password policy for JBoss user.

Expected outcome

JBoss user is created successfully.

7.4 Keycloak users


Table 15: Keycloak users describes the Keycloak users created during EdenNet installation.

User | Password | Description
vson | Set during installation | Keycloak administrator. Note: The name of this user is not fixed and can be set during EdenNet installation.

Table 15: Keycloak users

Note: Changing the Keycloak user's password is currently not supported.

7.5 Linux OS users


Table 16: Linux users lists the Linux OS users in EdenNet.

User | Group | Virtual Machine (VM) | Login shell (1) | Has password (2) | Description
abrt | abrt | all | No | No | Automatic bug reporting tool
adm | adm | all | No | No | Linux standard base required user
bin | bin | all | No | No | Linux standard base required user
cassandra_kong | cassandra_kong | Central Database VM | No | No | System user for kong cassandra
daemon | daemon | all | No | No | Linux standard base required user
dbus | dbus | all | No | No | System message bus
dirsrv | dirsrv | Central Database VM | No | No | Lightweight Directory Access Protocol (LDAP) server user
fmcache | fmcache | Database VM (PostgreSQL) | No | No | Used for executing cleanup actions on Fault Management (FM) cache database
fmuser | fmgrp | FM service | Yes | No | User for running FM services
ftp | ftp | all | No | No | FTP user
haldaemon | haldaemon | all | No | No | Hardware Abstraction Layer (HAL) daemon user
halt | root | all | No | No | Linux standard base required user
hc | hc | all | No | No | Used with the Healthcheck component
jboss | sysop | JBoss VM | No | No | JBoss user
keycloak | keycloak, wheel | Central VM | No | No | Keycloak system user
kong | kong | Central VM | No | No | Kong system user
lp | lp | all | No | No | Linux standard base required user
mail | mail | all | No | No | Linux standard base required user
noa | noa | DB VM (PostgreSQL) | No | No | System user for accessing selfhealingdb DB
nobody | nobody | all | No | No | Linux standard base required user
ntp | ntp | all | No | No | Time server user
operator | root | all | No | No | Linux standard base required user
postfix | postfix | all | No | No | Mail user
saslauth | saslauth | all | No | No | Saslauthd user
shutdown | root | all | No | No | Linux standard base required user
sshd | sshd | all | No | No | SSH daemon user
sync | root | all | No | No | Linux standard base required user
tomcat | sysop | Workflow engine VMs | No | No | Tomcat server user
uucp | uucp | all | No | No | Linux standard base required user
vcsa | vcsa | all | No | No | Virtual console memory
enet | sysop, wheel | App VM, DB VM | Yes | Yes | System user
mysql | mysql | DB VM (MySQL) | Yes | No | MySQL user
nfsnobody | nfsnobody | GUI Server, Task Server | No | No | Anonymous Network File System (NFS) user
postgres | postgres | DB VM (PostgreSQL) | Yes | No | PostgreSQL user
root | root | all | Yes | Yes | RHEL super user
rpc | rpc | GUI Server, Task Server | No | No | Rpcbind daemon user
rpcuser | rpcuser | GUI Server, Task Server | No | No | RPC service user
vson | vson, custom, modules, enetservices | App VM, DB VM | Yes | No | EdenNet virtualenv user
rabbitmq | rabbitmq | App VM | No | No | RabbitMQ user
zabbix | zabbix | all | No | No | Zabbix monitoring system user
<installation_user> | <installation_user> | all | Yes | Yes | For EdenNet installation

Table 16: Linux users

Note:
(1) If an account does not have a login shell or has the login shell set to /sbin/nologin, it is not possible to log in to that account.
(2) If an account does not have a password set, it is not possible to log in to that account using a password. However, logging in to the system by other means is possible.

7.5.1 Password policy for Linux OS users

EdenNet Linux OS users' passwords must comply with the following requirements:

• At least ten characters long
   – If the password length is ten characters, it is mandatory to have:
      • at least one upper case letter
      • at least one lower case letter
      • at least one digit
      • at least one special character: ~`!@#$%^&*()-_=+[{]}\|;:'",<.>?
• The password must not be the same as any of the previous 12 passwords used.
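The password policies of sections 7.1.1, 7.2.1, 7.3.1 and 7.5.1 expressed as checks, as an added example that is not EdenNet code. It follows the guide's wording, including the ten-character rule of this section and the root/non-root special-character sets of section 7.2.1; the password history is passed in as plain strings only for illustration.

```python
"""Validators for the EdenNet password policies stated in this guide
(sections 7.1.1, 7.2.1, 7.3.1 and 7.5.1). Added example, not EdenNet code."""
from typing import List

# Special characters listed for application, JBoss and Linux OS users:
# ~`!@#$%^&*()-_=+[{]}\|;:'",<.>?
SPECIALS = set("~`!@#$%^&*()-_=+[{]}\\|;:'\",<.>?")

# Database users (7.2.1): recommended set for root-user installations,
# and only "@" and "!" for non-root installations (sudoers file limitation).
DB_SPECIALS_ROOT = set("!@$&*_+=?")
DB_SPECIALS_NONROOT = set("@!")


def check_application_password(pw: str) -> List[str]:
    """Section 7.1.1: >= 8 chars, upper, lower, digit, special. Returns problems."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


def check_database_password(pw: str, root_install: bool = True) -> List[str]:
    """Section 7.2.1: >= 14 chars, a letter, a digit, a special character.

    Only the special characters the guide names for the installation type
    are accepted, so a password that passes here does not rely on a
    character the non-root (sudoers) installation cannot handle.
    """
    allowed = DB_SPECIALS_ROOT if root_install else DB_SPECIALS_NONROOT
    problems = []
    if len(pw) < 14:
        problems.append("shorter than 14 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in allowed for c in pw):
        problems.append("no special character from " + "".join(sorted(allowed)))
    other = {c for c in pw if not c.isalnum() and c not in allowed}
    if other:
        problems.append("unsupported special character(s): " + "".join(sorted(other)))
    return problems


def check_jboss_password(pw: str, username: str) -> List[str]:
    """Section 7.3.1: >= 8 chars, letter, digit, special; not the username;
    not root, admin or administrator."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if pw == username:
        problems.append("same as the username")
    if pw.lower() in {"root", "admin", "administrator"}:
        problems.append("forbidden value")
    return problems


def check_linux_password(pw: str, history: List[str]) -> List[str]:
    """Section 7.5.1: >= 10 chars; at ten characters all four character
    classes are mandatory (as the guide words it); not among the previous
    12 passwords. `history` is oldest-first; a real system compares hashes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    elif len(pw) == 10:
        classes = [
            (any(c.isupper() for c in pw), "no upper case letter"),
            (any(c.islower() for c in pw), "no lower case letter"),
            (any(c.isdigit() for c in pw), "no digit"),
            (any(c in SPECIALS for c in pw), "no special character"),
        ]
        problems.extend(msg for ok, msg in classes if not ok)
    if pw in history[-12:]:
        problems.append("reused one of the previous 12 passwords")
    return problems
```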

7.5.2 Account lockout for incorrect password attempts

In EdenNet Linux OS, non-root users are temporarily locked out of the system after five incorrect pass-
word attempts and are denied access to log in.

Note: The root user account is permanently exempt from login failure checks.

7.5.3 Account lockout time for failed password attempts


In case of failed password attempts, the user is locked out of the system for five minutes. Any additional login attempts during the lockout period extend the lockout time.

For example, testuser is an EdenNet Linux OS user. After five unsuccessful login attempts
(because of wrong password), testuser will be locked out for five minutes. During this time period, if
another login attempt is made by testuser using the wrong password, then the lockout timer will be
reset to five minutes again.
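A model of the lockout behaviour described in sections 7.5.2 and 7.5.3 (five wrong passwords lock a non-root account for five minutes, a further wrong password during the lockout restarts the timer, root is exempt). This is an added example with constructed timestamps, not EdenNet's PAM configuration; it exists to show the timer reset that the testuser example describes.

```python
"""Model of the EdenNet Linux OS account lockout rules (sections 7.5.2
and 7.5.3). Added example, not EdenNet's PAM configuration."""
from dataclasses import dataclass
from typing import Dict

MAX_FAILURES = 5            # section 7.5.2: five incorrect attempts
LOCKOUT_SECONDS = 5 * 60    # section 7.5.3: five-minute lockout


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # unix time; 0 means not locked


class LockoutPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now` (seconds).

        Returns "allowed", "denied" (wrong password, not yet locked) or
        "locked" (access refused because of the lockout)."""
        if user == "root":
            # Section 7.5.2: root is permanently exempt from login failure checks.
            return "allowed" if password_ok else "denied"
        st = self._state(user)
        if now < st.locked_until:
            if not password_ok:
                # Section 7.5.3: a wrong password during the lockout resets
                # the timer to a full five minutes again.
                st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        if password_ok:
            st.failures = 0
            return "allowed"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def replay_testuser_example() -> float:
    """The guide's testuser scenario with constructed times: five wrong
    passwords at t=0..4, another wrong password at t=200. Returns the
    time at which testuser may log in again (500.0, not 304.0)."""
    policy = LockoutPolicy()
    for t in range(5):
        policy.attempt("testuser", False, float(t))
    policy.attempt("testuser", False, 200.0)
    return policy.accounts["testuser"].locked_until
```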


Note: Account lockout time is applicable only to non-root users.

7.6 LDAP users


All EdenNet application users are stored in Lightweight Directory Access Protocol (LDAP). Hence,
they are LDAP users. For more information on LDAP users, see EdenNet application user.

Table 17: Permissions for EdenNet LDAP users describes the permissions provided for LDAP users.

LDAP user | Initial Password | Permissions
admin | Provided during installation | LDAP server instance administrator
cn=Directory Manager | Provided during installation | LDAP users and configuration administrator
cn=Account Manager,ou=Special,ou=Accounts,dc=eden,dc=net | Randomly generated (20 characters) | LDAP user accounts administrator with complete access to ou=Accounts,dc=eden,dc=net and ou=Groups,dc=eden,dc=net

Table 17: Permissions for EdenNet LDAP users

Note: Changing LDAP users' password is currently not supported.


8 Security considerations for EdenNet installation


This chapter describes the security considerations for EdenNet installation:

• Password requirements for EdenNet
• Task servers
• firewalld_enabled parameter
• EdenNet certificates

8.1 Password requirements for EdenNet


In most cases, if a service user needs to be created, the password is set to a randomly generated
string. However, in some cases, especially when the service user can be used by the operator to
access EdenNet services, the password can be set in the inventoryfile.

Nokia recommends setting complex, long, and hard-to-guess passwords. Short and easy-to-guess passwords, or passwords based on dictionary words, can be easily broken and are not recommended.

Note:

The autofill function in your browser must be disabled for passwords/credentials to prevent
the credentials from being cached by the browser and re-used.

Table 18: Passwords in inventoryfile describes the list of passwords that must be provided in the
inventoryfile.

Name | Description
mysql_root_password | Password for MySQL root user.
mysql_user_password | Password for MySQL service user (the username is provided in inventoryfile as mysql_user). EdenNet services connect to the database using this username and password.
dir_manager_password | Password for Directory Manager LDAP administrator.
messaging_broker_password | Password for messaging broker. EdenNet services use this password to connect to the broker.
authentication_server_admin_password | Keycloak administrator password. This password can be used along with the username (authentication_server_admin_name) to access the Keycloak admin console.
credUser | Password for accessing and modifying credentials stored in the vault. This password can be used for updating the passwords related to OSS integration and region creation.

Table 18: Passwords in inventoryfile

For more information on EdenNet default users and their passwords, see User and permission
management.

8.2 Task servers


Task servers are virtual machines where SON modules are executed. SON modules are Python pro-
grams that are executed inside EdenNet, and users must be careful if untrusted SON modules (for ex-
ample, modules from third party vendors) are about to be run.

All SON modules are run as unprivileged Linux users (vson for Nokia SON modules and custom
for Adapted SON modules). This provides enough separation in most cases. If more separation is
needed, it is possible to set up separate task servers for running Nokia SON modules and Adapted
SON modules. This provides even more separation between EdenNet services, the execution
environment for Nokia SON modules, and the execution environment for Adapted SON modules.

8.3 firewalld_enabled parameter


The firewall rules provided by Nokia allow you to access only the ports which are allowed in the
firewall rules. The firewall rules are controlled by the firewalld_enabled parameter in the inventory
file and must always be enabled.

For example:

firewalld_enabled = True

Note:

• During installation or upgrade, if the firewalld_enabled inventory parameter is set to False, the firewall rules functionality provided by Nokia will not be available. Users must take care of the firewall rules themselves and Nokia is not responsible for them.
• If firewalld_enabled is set to False during scratch installation and then is set to True during a major version upgrade, the firewall rules functionality provided by Nokia is enabled.
• If firewalld_enabled is set to True during scratch installation and then is set to False during a major version upgrade, the firewall rules functionality provided by Nokia is not disabled and the firewall rules on EdenNet nodes remain enabled.
• The value of this flag has no effect on monthly updates or MPs.


8.4 EdenNet certificates


All EdenNet certificates are signed by the EdenNet Certification Authority (CA) during installation.
Certificates for public services (EdenNet GUI and Self Monitoring GUI) must include the correct
identity information [IP address and Fully Qualified Domain Name (FQDN)] in order to be validated
by the clients (for example, web browsers). The IP address and/or FQDN included in the certificate
must be the same as that typed in the browser window. It is possible to provide the public IP address
and FQDN for both EdenNet GUI and Self Monitoring GUI in the inventoryfile. The provided
addresses will be included in the respective certificates.

The inventoryfile variables where the public IP addresses and FQDNs can be provided are
defined in Table 19: inventoryfile variables.

Name | Description
gui_public_ip | EdenNet GUI public IP address. It is included in the EdenNet GUI certificate (Subject Alternative Name).
gui_public_fqdn | EdenNet GUI public FQDN. It is included in the EdenNet GUI certificate (Subject Alternative Name).
selfmon_gui_ip | Self Monitoring (Zabbix) GUI public IP address. It is included in the Self Monitoring GUI certificate (Subject Alternative Name). It is needed only if the Self Monitoring functionality is enabled.
selfmon_gui_fqdn | Self Monitoring (Zabbix) GUI public FQDN. It is included in the Self Monitoring GUI certificate (Subject Alternative Name). It is needed only if the Self Monitoring functionality is enabled.

Table 19: inventoryfile variables

If the VMs support IPv6 and EdenNet is deployed in dual or standalone mode, then an IPv6 address can be used. If the VMs support IPv4 and EdenNet is deployed in standalone mode, an IPv4 address can be used.

For more information about EdenNet certificates, see Certificate management overview section.

8.5 Virtualization security


EdenNet manages security for the operating system and the application. For virtualization security,
Nokia recommends that you follow the VMware security best practices.

For vSphere 6.5, see: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-412EF981-D4F1-430B-9D09-A4679C2D04E7.html

For vSphere 7.0, see: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-412EF981-D4F1-430B-9D09-A4679C2D04E7.html


Note: For new orders or deployments, use VMWare 7.0.

8.6 Backup and restore security


For backup and restore Dell Avamar related security, Nokia recommends that you follow the Dell secu-
rity advisory best practices available at:

https://www.dell.com/support/security/en-in/?lwp=rt

Note: Users need to login using their Dell account and search with Avamar as the keyword
in the search bar to obtain the list of all the Dell Avamar related security vulnerabilities.


9 EdenNet API security


Each EdenNet application introduces multiple REST endpoints (WebServices) which provide large amounts of network data as well as the metadata that is required for the proper working of the system. The services are deployed and can be accessed at two HTTP ports, namely:

• 9600 for unsecured calls
• 9500, which requires authentication and enforces HTTPS

The EdenNet API is accessed by the Software Development Kit (SDK) during SON module develop-
ment.

Note: The goal is to expose only port 9500 externally, that is, all external calls are authenticated and encrypted (HTTPS). Port 9600, which allows unauthenticated calls, is closed to the outside and is accessible only from within EdenNet.

Kong is used as the API Gateway. It is based on NGINX and offers many useful features such as authentication, caching, logging, and rate limiting. It is configured to listen on port 9500 and forward requests to the internal port 9600. It is also configured to authenticate requests using the JWT authentication plug-in. The JWT signing algorithm is set to RS256 and the Keycloak public key is provided, so Kong verifies token signatures without holding the signing key. It uses Cassandra as back-end storage. From EdenNet 1904 onwards, port 9600 is not exposed externally.

Authentication is implemented using OpenID connect and JSON web tokens. In order to use SDK to
develop and test SON modules, the user must generate the secret key. The secret key along with the
username must be configured in SDK. For more information, see the Overview of EdenNet SON Mod-
ule Development and Maintenance Guide. The SDK uses these credentials to acquire the access to-
ken, which is sent to the EdenNet API along with the requests. Although authentication is enabled by
default for all requests over the 9500 port, it can be disabled using a dedicated script.

9.1 Enabling EdenNet API authentication


EdenNet API authentication must be enabled in order to ensure secure communication over port 9500.

To enable authentication for the EdenNet API over port 9500, do the following:

1. Log in to the Central VM node as a vson user.

2. Enable authentication for EdenNet API over port 9500 by entering:

enet_security_toggle enabled

Expected outcome

EdenNet API authentication is enabled.


9.2 Disabling EdenNet API authentication


For administration and troubleshooting purposes, it might be required to disable authentication for the EdenNet API over port
9500. Later, authentication can be enabled again.

To disable authentication for the EdenNet API over port 9500, do the following:

1. Log in to the Central VM node as a vson user.

2. Disable EdenNet API authentication by entering:

enet_security_toggle disabled

Expected outcome

EdenNet API authentication is disabled.


10 Management of LDAP servers


Lightweight Directory Access Protocol (LDAP) is an application protocol that is used to access and
maintain distributed directory information services over an IP network. Directory services allow the
sharing of information about users, systems, networks, services, and applications throughout the net-
work. LDAP provides a central place to store usernames and passwords thus allowing different appli-
cations and services to connect to the LDAP server to validate users.

An internal LDAP server is set up during EdenNet installation. It is also possible to integrate EdenNet
with an external LDAP server.

Note:

• External LDAP servers are not managed by EdenNet. Therefore, the customer must
maintain these servers.
• The user accounts of external LDAP servers are listed in the EdenNet UI, but the only
possible action for these accounts is to assign the EdenNet role to them.
• For more information on configuration of external LDAP servers, see Administration of
LDAP servers section in the EdenNet User and Administration Guide.
• The user accounts which belong to external LDAP servers can generate API secret for
SON module development using SDK. For more information on generating API secret,
see Generating and viewing API secret section in the EdenNet User and Administration
Guide.

10.1 Management of secure directory server communications


From EdenNet 19 onwards, internal LDAP server communications are over a secure Transport Layer
Security (TLS) connection, by default.

A secure TLS connection can also be configured for external LDAP servers. Table 20: Configuration
attributes used for secure TLS connection for LDAP servers describes the additional configuration at-
tributes that are added to configure a secure TLS connection.

Attribute | Mandatory/Optional | Default value (internal LDAP servers) | Default value (external LDAP servers) | Description | Additional information
Use TLS | Mandatory | Yes | No | Describes whether to use TLS or SSL. | Cannot be changed for internal LDAP servers. Can be changed for external LDAP servers.
Validate Server Certificate | Mandatory | Yes | No | Describes whether the LDAP server certificate will be validated. | This attribute is enabled only if Use TLS is set to Yes.
CA Certificate | Optional | EdenNet internal CA certificate | N/A | Describes the LDAP server Certificate Authority (CA) certificate. | This attribute is enabled only if Validate Server Certificate is set to Yes.

Table 20: Configuration attributes used for secure TLS connection for LDAP servers

For internal LDAP servers, the security attributes cannot be modified using the GUI. However, customers can change the certificates using the certificate_management.sh script.

For external LDAP servers, all the attributes described in Table 20: Configuration attributes used for
secure TLS connection for LDAP servers can be configured.

Customers can decide whether to use TLS or not. If Use TLS is set to Yes, the customer can use the
TLS connection as follows:

• If Validate Server Certificate is set to No, the customer can use the TLS connection
without validating the server certificate (while configuring the external LDAP server). In this case,
LDAP communication will be encrypted and secure but the server authentication will not be done.
• If Validate Server Certificate is set to Yes, the customer must upload the CA certificate
to use the TLS connection. For more information, see Naming conventions for CA certificates.

10.1.1 Naming conventions for CA certificates


Only CRT and PEM extensions are supported for CA certificates.

The certificate name must be less than 20 characters and it must contain only alphanumeric charac-
ters.

Underscore is the only special character that is allowed in the CA certificate file name.


11 Administration of offline map server


Offline map server integration to EdenNet enables the map view in the GUI to display the map of the
country region from the local tiles server (offline map server) instead of the Internet.

The offline map server supports both http and https connectivity.

For https connectivity, the offline map server requires the SSL certificates and keys to communicate.

See the following sections if the connectivity between EdenNet and the offline map is via https:

• Generating or renewing SSL certificates and keys
• Deploying certificates and keys in the offline map server
• SSL certificate expiry verification

11.1 Generating or renewing SSL certificates and keys


Generate or renew SSL certificates and keys for the offline map server. Renewal is required if the SSL certificate expires.

1. Log in to the EdenNet GUI node as an <installation_user>.

2. Navigate to the following directory:

/opt/nokia/certificate_mgmt

3. For IPv4, generate a new certificate by entering:

./bin/certificate_management.sh -generate crt -app_name offlinemap -ip <offlinemap_server_ip> -fqdn <offlinemap_server_FQDN> -days <validity_period>

The <validity_period> can be 365 days.

For example:

[user1@lm--other-lab--central certificate_mgmt]# ./bin/certificate_management.sh -generate crt -app_name offlinemap -ip 10.20.30.40 -fqdn offlinemap.nokia.com -days 365

The output is:

Setting IP 10.20.30.40 in configuration file.
Setting FQDN offlinemap.nokia.com in a configuration file.
generating and Signing cert
Generating a 2048 bit RSA private key
...................................+++
...................................+++
writing the new private key to 'offlinemap.key'
-----
Signature ok
subject=/CN=offlinemap/C=FI/L=Espoo/ST=Finland/O=Nokia
Getting CA Private Key

4. For IPv6, generate a new certificate by entering:

./bin/certificate_management.sh -generate crt -app_name offlinemap -ip 2a00:8a00:4000:20c::18:e5c -fqdn sprintlab591vm23.netact.nsn-rdnet.net -days 360

For example:

# ./bin/certificate_management.sh -generate crt -app_name offlinemap -ip 2a00:8a00:4000:20c::18:e5c -fqdn sprintlab591vm23.netact.nsn-rdnet.net -days 100

The output is:

Setting IP 2a00:8a00:4000:20c::18:e5c in configuration file.
Setting FQDN sprintlab591vm23.netact.nsn-rdnet.net in configuration file.
generating and Signing cert
Generating a 2048 bit RSA private key
...............................+++
................................+++
writing new private key to 'offlinemap.key'
-----
Signature ok
subject=/CN=offlinemap/C=FI/L=Espoo/ST=Finland/O=Nokia
Getting CA Private Key

Expected outcome

Offline map server SSL certificates and key files (offlinemap.crt, offlinemap.key) are
generated at the following directory path in the EdenNet GUI node:

/opt/nokia/certificate_mgmt


11.2 Deploying certificates and keys in the offline map server


Configure the SSL certificates and keys to enable https connectivity in the offline map server.

1. Log in to the offline map server as an installation_user (non-root or root).

2. Copy the newly generated offlinemap.key and offlinemap.crt to the /tmp directory
location.

3. Run import_ssl_certificates.sh to import certificates and keys.

cd /tmp/offline_map_installer/file_bundle

[offlinemap]$ sh import_ssl_certificates.sh /tmp/offlinemap.crt /tmp/offlinemap.key

4. Verify the offline_map_install.log file for the import SSL command results by entering:

tail -f /var/offline/logs/offline_map_install.log

The output is:

Processing the ssl crt /tmp/offlinemap.crt file

Processing the ssl key /tmp/offlinemap.key file

Processing the ssl.conf file from file_bundle/conf/ location

Restarted httpd service

Expected outcome

SSL certificates and keys are deployed in the offline map server.

11.3 SSL certificate expiry verification


Run the following command on the offline map server node as the root user to verify the certificate expiry date. The date in the notAfter line is the moment after which clients will reject the certificate, so renew it (see Generating or renewing SSL certificates and keys) before that date.

For example:

[root@localhost ~]# openssl x509 -enddate -noout -in /etc/pki/tls/certs/offlinemap.crt

notAfter=Nov 29 03:26:22 2020 GMT
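The expiry check above turned into an automated warning, as an added example that is not part of EdenNet: it parses the notAfter line that openssl prints (the sample line is constructed from the output in this section), computes the days left, and reports when renewal is due. The 30-day warning window and the helper that runs openssl are assumptions, not EdenNet settings.

```python
"""Parse 'openssl x509 -enddate -noout' output and report certificate
expiry for the offline map server certificate (section 11.3).
Added example, not EdenNet code."""
from datetime import datetime, timezone
import subprocess

# Constructed from the sample output shown in this section.
SAMPLE_OUTPUT = "notAfter=Nov 29 03:26:22 2020 GMT\n"


def parse_not_after(openssl_output: str) -> datetime:
    """Return the notAfter timestamp as a timezone-aware UTC datetime.

    openssl prints the date as e.g. 'Nov 29 03:26:22 2020 GMT'; a single-digit
    day is space-padded ('Nov  9 ...'), which strptime's whitespace handling
    accepts."""
    for line in openssl_output.splitlines():
        if line.startswith("notAfter="):
            value = line[len("notAfter="):].strip()
            naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
            return naive.replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter line in openssl output")


def days_remaining(openssl_output: str, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(openssl_output) - now).days


def expiry_status(openssl_output: str, now: datetime, warn_days: int = 30) -> str:
    """'ok', 'renew' (inside the warning window) or 'expired'.

    'renew' means run certificate_management.sh -generate ... (section 11.1)
    and redeploy the files (section 11.2) before the notAfter date."""
    remaining = days_remaining(openssl_output, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "renew"
    return "ok"


def read_cert_enddate(cert_path: str) -> str:
    """Run the same openssl command the guide uses and return its output
    (assumed helper; requires openssl on the node)."""
    result = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout
```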


12 System hardening
System hardening is done to prevent unauthorized access to the system which may lead to unavail-
ability of the system or leakage of confidential information. The following are examples of hardening
measures:

• User security
   – Password change
   – Removal of unneeded accounts
   – Locking accounts
• Software security
   – Disabling of unnecessary services
   – Applying security patches
• Network security
   – Closing all ports that are not needed
   – Use of firewalls
   – Encrypting traffic using TLS

From EdenNet 18 SP1 onwards, Operating System hardening settings are automated as part of post-
install and post-upgrade procedures.

Manual security hardening measures are required to modify/update the root and other user pass-
words, as explained in Changing <installation_user> password and Changing password of enet user.

12.1 Operating system hardening


From EdenNet 18 SP1 onwards, RHEL 7 is used for system hardening. The user need not disable
system hardening at any point.

12.1.1 Executing security hardening script


You can harden the system features on the target nodes by executing the security hardening script.

1. Log in to the target nodes as <installation_user>.

2. Enter:

#/opt/nokia/hardening/bin/enet_enable_os_hardening.sh

Note: After enabling security hardening, you cannot log in to the system as root user
using ssh. You must log in as enet user and then enable root user.

The security hardening enabling log is stored at:

/var/tmp/security_hardening_on.log

Expected outcome

The system features are hardened.

12.1.2 Enabling or disabling root login

Note: Nokia recommends that you limit the usage of root login.

root login must be disabled at all times except during system upgrade or system
maintenance (when it is used with the proper authorization).

1. Log in as enet user.

2. Enable root for any troubleshooting or system administration purposes by entering the following
command from the /opt/nokia/hardening/bin/ directory (for root user):

sudo ./enet_upgrade_mode_on.sh

Note:

For a non-root <installation_user>, enter:

./enet_upgrade_mode_on.sh

3. Disable root after the troubleshooting or system administration tasks are completed by entering
the following command from the /opt/nokia/hardening/bin/ directory (for root user):

sudo ./enet_upgrade_mode_off.sh

Note:

• For a non-root <installation_user>, enter:

./enet_upgrade_mode_off.sh
• Ensure that the security hardening script in the Executing security hardening script
section is executed before disabling root login.

12.1.3 Hardening assets included in EdenNet


The OS security hardening asset provides the secpam (security Pluggable Authentication Module)
software component that applies security hardening and defines audit logging rules for the OS
component. secpam has been developed based on corporate and industry driven best practices. The main
security hardening functionalities provided by secpam include:

• Blocking of user login after a configurable number of wrong login attempts
• Password history checks
• Password complexity checks
• Disabling empty passwords
• Inactivity timer checks
• Production of security alarms
• Logging of user actions
• Setting of TCP parameters according to CIS Red Hat recommendations
• Disabling interactive boot
• Configurable login banner for terminal and SSH access
• Disabling core dumps
• Disabling host based authentication and ignoring .rhosts
• Disabling IPv6

Note: An inventory flag that allows IPv6 communication has been introduced. For more
information, see Enable IPv6 External communication.

• Password change for Operating System accounts including root user

Note: Administrators must ensure that the root user password is changed.

• Audit configuration immutable

Secpam has a set of utilities that can be used to further configure the security hardening parameters.
Table 21: secpam utilities describes the details of these utilities.

Each entry below gives the utility included in secpam, its description, and the manual page for
details and examples.

acctStat (Account State)
Description: This utility reports the state of all known accounts (if no arguments are provided) or
of the accounts given as white-space-separated arguments. Possible account states are:
• aged
• blocked
• OK
• locked
• simulate (too many simultaneous logins)
Manual page: man acctStat

Audit Mgr (Audit Manager)
Description: Audit Mgr is used to control the settings of the Linux audit functionality. There is a
default set of audits that are always enabled, along with additional sets of configurable audits that
Audit Mgr controls. To obtain the list of all the configurable audit filter names, invoke Audit-Mgr
without any arguments.
Manual page: man AuditMgr

AuditSp (Audit Event Spooler)
Description: The AuditSp plugin process is an audit event spooler. Audit events are generated by the
audit daemon and are forwarded to the auditsp daemon. This audit daemon plugin generates audit alarms
as directed by the /etc/security/alarm_thresh configuration file.
Manual page: man AuditSp

CheckPass (Check Basic Password Integrity)
Description: This utility uses the cracklib C library function FascistCheck() to check password
candidates. It is used by the SECpamLogModule.so PAM library as part of the password verification
function.
Manual page: man CheckPass

Comply (Verify File permissions)
Description: The Comply utility is used to inspect file attributes (mode, owner, group) against
predefined reference sets. Any differences from the references are reported and corrected.
Manual page: man Comply

csf-pam-setup (Perform secpam tasks as part of RPM operations)
Description: This utility is used to configure or unconfigure the secpam package for RPM-based
operations. Generally, it is only used by the secpam RPM scriptlets, but the comply operation can be
run by the administrator at any time. The utility executes any third party scripts located in the
/etc/security/scripts.d directory for the specified operation.
Manual page: man csf-pam-setup

encpasswd (Automated encrypted password generation)
Description: This utility takes a password from stdin and returns the associated shadow hash. It can
be used to assign a password to a specific account by taking a password from a pipe and generating
the shadow hash that is appropriate for the /etc/shadow file. This value can be used as the parameter
to the usermod tool to update the password field.
Manual page: man encpasswd

gen-audit (Generate Audit Rule Sets)
Description: This utility is used to generate a set of audit filters that might vary based on the
system. It may be re-executed as needed (for cases where the audit filter rules change over time, such
as with package updates that reorganize their file or directory structures).
Manual page: man gen-audit

secpam-groups (Secpam configuration file)
Description: /etc/security/groups - configuration file for the scan-groups audit exemptions with
secpam. The gen-audit script includes /usr/sbin/scan-groups, a sub-script that audits and reports any
group that is not being used by the system. Exceptions to the group audit are listed (one per line)
in the /etc/security/groups configuration file.
Manual page: man secpam-groups

if_list (Display Network Interfaces)
Description: This utility reports all the network interfaces found on the host along with their IP
address and CIDR netmask. It is used to generate the /etc/security/from_same_subnet file during a
secpam installation if the file does not already exist.
Manual page: man if_list

KillIdleSessions (Terminate Idle Sessions)
Description: This utility monitors the keyboard input for all active sessions. It is configured as a
KillIdleSessions (KIS) cron job for secpam to run every five minutes.
Monitoring uses two inactivity timer intervals: a warning interval and a termination (kill) interval
(configuration granularity can be defined at the system and user account levels).
If the keyboard is inactive for the defined warning interval, a message warning that the session has
been idle is displayed each time the threshold is met. If the keyboard continues to be inactive until
the defined kill threshold is met, the session is terminated.
This utility can be enabled or disabled using the -enable or -disable options.
Manual page: man KillIdleSessions

last_login_day (Number of days since last login)
Description: This utility is used to calculate and provide the number of days since a selected user
account was last accessed.
Manual page: man last_login_day

LockIdleAccounts (Lock Idle Accounts)
Description: This utility monitors user account dormancy (using the last_login_day utility). It is
configured as a LockIdleAccounts (LIA) cron job for secpam to run once a day. The default monitoring
settings (in days) are defined in the /etc/security/SECprofile file and are tunable using the
/etc/default/passwd file.
Manual page: man LockIdleAccounts

rtmon_monitor (Monitor routing table changes)
Description: This utility is used to manage the actions for the rtmon systemd service to monitor
routing table changes. If the argument is not present or is invalid, a usage or help message is
generated. The actions are as follows:
• (start) the rtmon systemd service
• (stop) the rtmon systemd service
• (check) the rtmon systemd service for sanity
• (abort) the rtmon systemd service
Manual page: man rtmon_monitor

scan-tools (Scanning utilities)
Description: Scanning utilities that are available with secpam are:
• scan-groups
• scan-privileged
• scan-sticky
• scan-unowned
• scan-wwfiles
Manual page: man scan-tools

secpam-admin (Selected Security Functions)
Description: The secpam-admin utility is used to perform a select set of security tasks, which are
contained in the /etc/security/secpam-admin directory. These tasks are outside the scope of the
secpam RPM specification file.
Manual page: man secpam-admin

secpam-alarm_thresh (configuration file for Audit Spooler)
Description: The AuditSp plugin process is an audit event spooler. Audit events are generated by the
audit daemon and are forwarded to the auditsp daemon. This audit daemon plugin generates audit alarms
as directed by the /etc/security/alarm_thresh configuration file.
Manual page: man secpam-alarm_thresh

secpam.boot (Verify SSH Daemon Security after first boot)
Description: This utility is used to verify that the ssh daemon has been secured (as defined by
secpam-admin sshd) at the first boot after the installation of secpam (/var/log/secpam-boot.log
file). Verification is only done for the first boot after installing secpam, in case the user has
customized the /etc/ssh/sshd_config.d/ListenAddress file, to prevent overwriting any changes.
Manual page: man secpam.boot

secpam-idle_exempt (Configuration file to override session timeout / termination from
KillIdleSessions)
Description: /etc/default/idle_exempt - configuration file to override session timeout or
termination from the KillIdleSessions cron job with secpam.
Manual page: man secpam-idle_exempt

secpam-kis.conf (configuration file for KillIdleSessions)
Description: /etc/security/kis.conf - configuration file for KillIdleSessions with secpam.
Manual page: man secpam-kis.conf

secpam-SECprofile (Global configuration file for KillIdleSessions)
Description: /etc/security/SECprofile - global configuration file for KillIdleSessions and
LockIdleAccounts with secpam.
Manual page: man secpam-SECprofile

SECpamLogModule.so (PAM that replaces default pam_unix)
Description: A Pluggable Authentication Module (PAM) that provides dynamic authentication support
for applications and services in a Linux system. SECpamLogModule.so is a PAM from secpam that
replaces the default pam_unix module.
Manual page: man SECpamLogModule.so

secpam-passwd (configuration file for password complexity rules)
Description: /etc/default/passwd - configuration file for password complexity rules with secpam.
SECpamLogModule.so is a password authentication module provided by the security hardening secpam
package, which replaces the standard PAM (pam_unix) module. The password complexity rules for this
module are dynamically tunable with the /etc/default/passwd configuration file.
Manual page: man secpam-passwd

secpam.sh (secpam script for interactive system shell startups)
Description: This shell script is provided for the /etc/profile.d directory to be run by
/etc/profile for interactive shells (a typical bash user shell). This script runs during an
interactive shell startup and offers the following services:
• Set the default file mask for only user level permissions.
• Disallow write access to the user's terminal device.
• Send a warning message to users that are missing a home directory.
Manual page: man secpam.sh

sockprot (Socket protocol used by a PID)
Description: This utility provides the type of socket protocol that is used by a Process ID (PID). It
determines if a specified PID is associated with a socket connection for secpam.
Manual page: man sockprot

DOSMOND (monitors packets dropped by iptables)
Description: DOSMOND is a daemon associated with the dosmon systemd service. It provides the
following services:
• monitors packets handled (dropped) by iptables.
• reports a minor alarm based on packet counts over an interval that cross the configurable
thresholds (high-water/low-water).
DOSMOND and iptables Denial-of-Service (DoS) monitoring is performed based on a pre-defined,
configurable interval, which defaults to 60 seconds.
Manual page: man dosmon.conf

FSMOND (monitors file system usage)
Description: FSMOND is a daemon associated with the fsmon systemd service. It provides the following
services:
• monitors the mounted file system usage (percentage full).
• reports minor, major and/or critical alarms based on pre-defined configurable thresholds.
File system usage monitoring is performed based on a pre-defined configurable interval which defaults
to 5 seconds. Generally, FSMOND is started via the fsmon.service systemd service file. FSMOND is used
to validate the syntax and parsing of the fsmon configuration file (default location is
/etc/fsmon.conf) prior to activating the new configuration.
Manual page: man fsmon.conf

Table 21: secpam utilities
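The Comply utility described above compares file mode, owner and group against a reference set and
corrects differences. The following Python script is an added example of that check, not the Comply
code itself and not part of EdenNet: the reference-set format (path to mode/owner/group) and the
sample entries are assumptions, and a root prefix lets the check run against a scratch directory. Mode
differences are corrected with chmod; ownership is only corrected when the script runs as root.

```python
"""Inspect files against a reference set of (mode, owner, group) and optionally
correct them, in the manner the document attributes to secpam's Comply utility.
Added example; not secpam code."""
import grp
import os
import pwd
import stat

# Constructed reference set: path -> (octal mode, owner, group). The entries
# mirror files handled elsewhere in this document; they are assumptions.
REFERENCE = {
    "/etc/issue.net": ("644", "root", "root"),
    "/etc/ssh/sshd_config": ("600", "root", "root"),
}


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def inspect_file(path, expected, root="/"):
    """Return a list of (attribute, actual, expected) differences for one file.
    A missing file is reported as ("missing", None, path)."""
    full = os.path.join(root, path.lstrip("/"))
    exp_mode, exp_owner, exp_group = expected
    try:
        st = os.lstat(full)
    except FileNotFoundError:
        return [("missing", None, path)]
    diffs = []
    mode = "%o" % stat.S_IMODE(st.st_mode)
    if int(mode, 8) != int(exp_mode, 8):
        diffs.append(("mode", mode, exp_mode))
    owner = _owner_name(st.st_uid)
    if owner != exp_owner:
        diffs.append(("owner", owner, exp_owner))
    group = _group_name(st.st_gid)
    if group != exp_group:
        diffs.append(("group", group, exp_group))
    return diffs


def comply(reference, root="/", fix=False):
    """Check every file in the reference set and return {path: diffs} for the
    files that are still non-compliant. With fix=True, mode differences are
    corrected with chmod and, when running as root, ownership with chown."""
    report = {}
    for path, expected in reference.items():
        diffs = inspect_file(path, expected, root)
        if diffs and fix:
            full = os.path.join(root, path.lstrip("/"))
            for attr, _actual, exp in diffs:
                if attr == "mode":
                    os.chmod(full, int(exp, 8))
                elif attr in ("owner", "group") and os.geteuid() == 0:
                    st = os.lstat(full)
                    uid = pwd.getpwnam(expected[1]).pw_uid if attr == "owner" else st.st_uid
                    gid = grp.getgrnam(expected[2]).gr_gid if attr == "group" else st.st_gid
                    os.chown(full, uid, gid)
            diffs = inspect_file(path, expected, root)  # re-check after correction
        if diffs:
            report[path] = diffs
    return report


if __name__ == "__main__":
    for p, d in comply(REFERENCE).items():
        print(p, d)
```

Run without fix first to see what would change; a missing file is reported rather than created, since
the reference set only describes attributes, not content.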

12.1.4 Changing <installation_user> password


After the installation is complete, the root password needs to be changed. Nokia recommends that the
root password be at least 12 characters long and include capital and lowercase letters, special
characters, and numbers.

Do the following steps on all nodes:

1. Log in as <installation_user>.

2. To change the password, enter:

#passwd

The system prompts you for the new password.

3. Enter the new password.


Expected outcome

passwd: all authentication tokens updated successfully.

12.1.5 Changing password of enet user


Perform the following steps on all nodes:

1. Log in as <installation_user>.

2. Change the enet user password by entering:

#sudo passwd enet

The system prompts for the new password.

3. Enter the new password:

The system prompts to enter the password again.

4. Enter the new password again.

Expected outcome

passwd: all authentication tokens updated successfully.

12.1.6 Configuring removal of unused packages

To remove unused java, execute:

yum remove package_name

For example:

yum remove java-1.6.0-openjdk

yum remove java-1.7.0-openjdk

To remove unused python-paramiko, execute, for example:

rpm -e cas-0.15-1.el6.1.noarch

rpm -e python-paramiko-1.7.5-2.1.el6.noarch

Note: cas-0.15-1.el6.1.noarch is dependent on the python-paramiko package.


12.1.7 Setting warning banner for standard login services

To set up the warning banner for standard login services, do the following:

1. Log in to each VM as root user.

2. To set up the warning banner, do the following:


a) touch /etc/motd
b) echo "Custom Message" > /etc/issue
c) echo "Custom Message" > /etc/issue.net
d) chown root:root /etc/motd
e) chmod 644 /etc/motd
f) chown root:root /etc/issue
g) chmod 644 /etc/issue
h) chown root:root /etc/issue.net
i) chmod 644 /etc/issue.net

3. Open /etc/ssh/sshd_config file and edit the following parameter:

# no default banner path

Banner /etc/issue.net

4. Restart the sshd service by entering:

systemctl restart sshd

Expected outcome

The sshd service is restarted and the warning banner is set for the standard login services.
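The following Python script is an added example, not part of EdenNet, that applies the banner
procedure above in one idempotent step and verifies the result: it touches /etc/motd, writes the
message to /etc/issue and /etc/issue.net, sets mode 644 (and root:root ownership when run as root),
sets a single active Banner /etc/issue.net line in sshd_config, and restarts sshd only when asked. The
root prefix parameter is an assumption added so the script can be exercised against a scratch
directory before it is run against the real system, which requires root.

```python
"""Set and verify the SSH/terminal warning banner. Added example; not
EdenNet's own tooling."""
import os
import re
import stat
import subprocess

BANNER_FILES = ("motd", "issue", "issue.net")
# An existing Banner line, commented out or not (sshd keywords are case-insensitive).
BANNER_LINE_RE = re.compile(r"^[ \t]*#?[ \t]*Banner[ \t]+.*$", re.IGNORECASE | re.MULTILINE)
BANNER_SETTING = "Banner /etc/issue.net"


def set_login_banner(message, root="/", restart_sshd=False):
    """Apply steps 2 and 3 of the procedure under the given root prefix.
    Returns the path of the sshd_config that was updated."""
    etc = os.path.join(root, "etc")
    ssh_dir = os.path.join(etc, "ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    for name in BANNER_FILES:
        path = os.path.join(etc, name)
        if name == "motd":
            open(path, "a").close()            # step a: touch, existing content kept
        else:
            with open(path, "w") as fh:        # steps b and c
                fh.write(message + "\n")
        os.chmod(path, 0o644)                  # steps e, g, i
        if os.geteuid() == 0:
            os.chown(path, 0, 0)               # steps d, f, h (needs root)
    cfg = os.path.join(ssh_dir, "sshd_config")
    text = open(cfg).read() if os.path.exists(cfg) else ""
    if BANNER_LINE_RE.search(text):
        # Replace the first Banner line in place (e.g. the shipped "#Banner none").
        text = BANNER_LINE_RE.sub(BANNER_SETTING, text, count=1)
    else:
        text = text + ("" if text.endswith("\n") or not text else "\n") + BANNER_SETTING + "\n"
    with open(cfg, "w") as fh:
        fh.write(text)
    if restart_sshd:
        subprocess.run(["systemctl", "restart", "sshd"], check=True)   # step 4
    return cfg


def verify_login_banner(root="/"):
    """True when the three banner files exist with mode 644 and the first
    active Banner keyword in sshd_config points at /etc/issue.net."""
    etc = os.path.join(root, "etc")
    for name in BANNER_FILES:
        path = os.path.join(etc, name)
        if not os.path.isfile(path) or stat.S_IMODE(os.stat(path).st_mode) != 0o644:
            return False
    cfg = os.path.join(etc, "ssh", "sshd_config")
    if not os.path.isfile(cfg):
        return False
    active = re.findall(r"^[ \t]*Banner[ \t]+(\S+)", open(cfg).read(),
                        re.IGNORECASE | re.MULTILINE)
    # sshd honours the first occurrence of a keyword, so that one must be correct.
    return bool(active) and active[0] == "/etc/issue.net"


if __name__ == "__main__":
    set_login_banner("Custom Message", restart_sshd=True)
    print("banner configured:", verify_login_banner())
```

Because sshd takes the first occurrence of a keyword, the verification deliberately checks the first
active Banner line rather than merely that the string appears somewhere in the file.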

12.2 Database hardening


Database hardening prevents unauthorized access to the database. The various security hardening
measures required for EdenNet DB are supported as part of database hardening. MySQL DB configurations
are updated in order to achieve compliance with DB security hardening requirements.

Database hardening features involve:

• Upgrade of MySQL to latest MySQL 8.x version
• Changes in my.cnf
• Removal of anonymous accounts
• SSL related DB configurations
• Startup or install or upgrade related changes
• Permission related changes
• Backing up MySQL database
• DB configuration related changes
• IP tables or firewall or port configuration related changes

12.2.1 Database logs


As part of the database hardening feature and the Center for Internet Security (CIS) benchmark
recommendations, the following database related logs are enabled:

• Audit logs:

The audit log records an event with all the database connection details for both successful and
unsuccessful login attempts. In addition to recording what was accessed in the database, audit log
entries also include IP address details, timestamps, and user login information. The objective of
database audit logging is to ensure that database services and instances are monitored continually
for misuse.
• MySQL slow logs:

The MySQL database server registers all queries that exceed a given threshold of execution time in
the MySQL slow query log. This log helps to identify which queries are the slowest and how often
they are slow.
• General logs:

The general query log is a general record of what the MySQL Server is doing. The server writes
information to this log when clients connect or disconnect, and it logs each SQL statement received
from clients. The general query log can be useful when you suspect an error in a client and need to
know exactly what the client sent to the MySQL server.

Note: General logs are enabled in the Central DB in case of 5VM architecture, and in the GUI
DB and Central DB in case of 8VM architecture.

12.2.2 Log rotation policy


• Automatic rotation of audit logs is supported in the MySQL server 5.7.28-1.1.
MySQL log files are stored at the following location:

/home/data/mysql/

• Audit and general logs are rotated every hour. By default, the first ten files are compressed, with
one log being active. When the 11th file is created, the oldest file is removed.

• MySQL slow query logs are rotated every day and the same rotation policy is applicable to these
logs.


12.2.3 Management of secure database server communications

From EdenNet 19A onwards, MySQL database server communications are over a secure Transport
Layer Security (TLS) connection, by default.
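The following Python check is an added example, not EdenNet tooling, that reads the [mysqld] section
of a my.cnf file and reports whether the logging and TLS settings described in sections 12.2.1 to
12.2.3 are in place: general and slow query logs enabled with a slow-query threshold set, TLS material
configured, and client connections forced over TLS. The two configuration texts are constructed; the
option names are standard MySQL server options. Audit log options depend on the audit plugin in use
and are not checked here.

```python
"""Audit a my.cnf [mysqld] section for the logging and TLS settings this
section describes. Added example; not EdenNet code."""
import configparser

# Constructed weak configuration: general log explicitly off, TLS disabled.
WEAK_MY_CNF = """[mysqld]
datadir=/home/data/mysql
general_log=0
skip-ssl
"""

# Constructed hardened configuration (certificate paths are placeholders).
HARDENED_MY_CNF = """[mysqld]
datadir=/home/data/mysql
general_log=1
general_log_file=/home/data/mysql/general.log
slow_query_log=1
slow_query_log_file=/home/data/mysql/slow.log
long_query_time=2
require_secure_transport=ON
ssl-ca=/etc/pki/tls/certs/ca.crt
ssl-cert=/etc/pki/tls/certs/mysql.crt
ssl-key=/etc/pki/tls/private/mysql.key
"""

TRUE_VALUES = {"1", "on", "true", "yes"}


def parse_mysqld_options(text):
    """Return the [mysqld] options as a dict. MySQL treats '-' and '_' in option
    names as equivalent, so names are normalised to underscores; a bare option
    such as skip-ssl maps to None."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = lambda name: name.strip().lower().replace("-", "_")
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {k: (v.strip() if v is not None else None) for k, v in cp.items("mysqld")}


def option_on(opts, name):
    """A boolean option is on when present with no value or with a true value."""
    if name not in opts:
        return False
    value = opts[name]
    return value is None or value.lower() in TRUE_VALUES


def audit_mysqld(opts):
    """Return a list of (option, problem) findings; an empty list means compliant."""
    findings = []
    if not option_on(opts, "general_log"):
        findings.append(("general_log", "general query log is disabled"))
    if not option_on(opts, "slow_query_log"):
        findings.append(("slow_query_log", "slow query log is disabled"))
    if "long_query_time" not in opts:
        findings.append(("long_query_time", "not set; the server default of 10 s records few queries"))
    if "skip_ssl" in opts:
        findings.append(("skip_ssl", "TLS is disabled on the server"))
    if not option_on(opts, "require_secure_transport"):
        findings.append(("require_secure_transport", "plaintext client connections are still accepted"))
    for name in ("ssl_ca", "ssl_cert", "ssl_key"):
        if name not in opts:
            findings.append((name, "not configured"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print(label, audit_mysqld(parse_mysqld_options(text)))
```

To check a live server rather than a file, the same option names can be read from the running
instance with SHOW VARIABLES; the file check is useful because a setting present only in memory does
not survive a restart.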

12.3 Web services hardening


Hardening web services ensures server security, thus preventing attacks that could exploit flaws in
web servers and allow unauthorized parties to gain access to the systems hosting the web servers.

Web service hardening features involve:

• Modifying the configuration file to eliminate server misconfigurations.
• Managing SSL or TLS certificates and their settings to ensure secure communication between the
client and the server.
• Input data validation for all inputs received from the EdenNet GUI.
• Protection against click-jacking attacks.
• Setting secure attributes for cookies during SSL communications.
• Setting the httpOnly attribute for session cookies.
• Preventing confidential data from being cached at the client side.
• Protection against Cross-Site Request Forgery (CSRF).
• Turning off auto-complete for confidential data.
• Using the POST method for confidential data transmission.
• Using strong password encryption.
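The following Python script is an added example, not EdenNet code, that checks a captured HTTP
response against the header-level controls in the list above: clickjacking protection (X-Frame-Options
or a CSP frame-ancestors directive), the Secure attribute on cookies and HttpOnly on session cookies,
and Cache-Control: no-store so confidential data is not cached at the client. Both responses below are
constructed, and the set of session cookie names is an assumption. Controls that live in the HTML
(input validation, auto-complete off, POST for confidential data) cannot be judged from headers and
are out of scope here.

```python
"""Check response headers for the web-hardening controls listed above.
Added example; not EdenNet code."""

# Constructed response as an unhardened GUI page might send it.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/
Cache-Control: private
"""

# Constructed response with the controls in place.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
"""

# Assumed names of session cookies; extend for the application in use.
SESSION_COOKIES = ("jsessionid", "sessionid", "session")


def parse_raw_headers(raw):
    """Split a raw response (status line plus header lines) into (name, value)
    pairs, keeping repeated headers such as Set-Cookie as separate entries."""
    pairs = []
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_response_headers(pairs, session_cookies=SESSION_COOKIES):
    """Return a list of (control, problem) findings; empty means all checks passed."""
    by_name = {}
    for name, value in pairs:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = [v.strip().upper() for v in by_name.get("x-frame-options", [])]
    csp = " ".join(by_name.get("content-security-policy", [])).lower()
    if not (xfo and xfo[0] in ("DENY", "SAMEORIGIN")) and "frame-ancestors" not in csp:
        findings.append(("clickjacking", "no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors"))

    # Cookies: Secure on every cookie sent over TLS, HttpOnly on session cookies.
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(("cookie-secure", "%s is set without the Secure attribute" % name))
        if name.lower() in session_cookies and "httponly" not in attrs:
            findings.append(("cookie-httponly", "%s is set without the HttpOnly attribute" % name))

    # Caching: confidential responses must carry Cache-Control: no-store.
    directives = {d.strip().lower()
                  for v in by_name.get("cache-control", []) for d in v.split(",")}
    if "no-store" not in directives:
        findings.append(("caching", "Cache-Control lacks no-store; response may be cached client-side"))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response_headers(parse_raw_headers(raw)))
```

Feed it the header block captured from the GUI (for example, the output of a client's verbose mode
against the login page); a cookie that carries HttpOnly but not Secure still produces a finding,
because each attribute is checked independently.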


13 Certificate management overview


This section describes the management of the EdenNet GUI certificate.

Communication between the user browser and EdenNet is encrypted using Transport Layer Security
(TLS).

EdenNet comes with its own Certification Authority (CA). The certificates used within EdenNet are by
default signed by this CA. It is also possible to upload and use custom certificates signed by an
external CA; this is supported on external interfaces only. The CA certificate is available at
https://<EdenNet-GUI>/ca_certificate.

The certificate is signed by the EdenNet internal Certificate Authority (CA), which is created during
installation. To establish a secure connection between the browser and EdenNet, the EdenNet CA
certificate must be installed in the browser. This allows the browser to trust the certificate that
EdenNet presents while establishing secure communication. The users can provide their own certificate
as well.

13.1 Certificate management


EdenNet provides command line utilities to manage certificates. The certificate management service
is installed on the EdenNet GUI node in the /opt/nokia/certificate_mgmt directory.

There is a configuration file called openssl_<service_name>.cnf for each EdenNet service
(application) that can use a certificate. The openssl_<service_name>.cnf configuration file
can be modified to customize the certificate. For more information on configuration properties, see
the OpenSSL documentation.

The certificate_management.sh script is used to generate or renew the certificate for a service,
and to generate a Certificate Signing Request (CSR). The CSR generation function of this script is
available only on the GUI node.

The deploy_certificate_to_<service_name>.sh script is used to deploy a certificate to a
service.

13.2 Certificate generation


The /opt/nokia/certificate_mgmt/bin/certificate_management.sh script is used to
generate a certificate for a service. The script is run as <installation_user>. Some of the
certificate details are passed as command line arguments. All other parameters are set in the
respective configuration file openssl_<service_name>.cnf.


Usage:

certificate_management.sh -generate crt -app_name <service_name> -ip <public IPv4 or IPv6 address/External IP if Multi IP scenario present> -fqdn <public FQDN>

where:

• -app_name <service_name> parameter is mandatory and specifies the name of the service for
which the certificate will be generated.
• -ip <public IP address> is mandatory and specifies the IPv4 or IPv6 address.
• -fqdn <public FQDN> parameter is optional and specifies the Fully Qualified Domain name
(FQDN). IP address and FQDN are stored in the certificate as Subject Alternative Names (SAN).

Note:

• If -ip <public IP address> and -fqdn <public FQDN> parameters are not
specified, the values from the respective configuration file is used.
• If -ip2 and -fqdn2 are not specified, no default value is taken from configuration file.
• <public FQDN> is mandatory and must be provided either via command line or in a
configuration file.
• <public IP address> is optional and should be used only if the server has a public
(non-reserved) IP address.
• -days <validity_period> parameter is optional and specifies the certificate validity
period in days. If not specified, the default validity period of 10950 (30 years) is used.
• -ip2 <External IP Address> is optional and specifies the external IP when multi
IP scenario is present.

Nokia does not recommend the usage of reserved IP addresses in certificates. The list of reserved IP
addresses can be found at:

• For IPv4: https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
• For IPv6: https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

If a service is accessible via multiple names (FQDNs) and/or IP addresses, all of them should be
included in the certificate. To do this, all FQDNs and IP addresses must be added to the respective
configuration file (openssl_<service_name>.cnf) as DNS.<n> and IP.<n> attributes in
[alt_names] section.

For example:

[ alt_names ]
# DNS.1 is to be given as the server's FQDN
# IP.1 is to be given as the server's IP
# multiple servers can be given by adding
# DNS.2, IP.2, DNS.3, IP.3, ...
# DNS.1 = <1stFQDN>
# IP.1 = <1stIP>
IP.1 = 10.10.10.10
DNS.1 = server.com
IP.2 = fe80::b11e:3387:5b3f:95dc
DNS.2 = server_alias.com

After the certificate is generated, it is deployed to the respective service by using the
/opt/nokia/certificate_mgmt/bin/deploy_certificate_to_<service_name>.sh script. For more
information on deploying and regenerating certificates, see EdenNet CA certificates.

13.3 Custom certificate


To use the custom certificates in EdenNet, for example, signed by the official Certification Authority
(CA), the certificate must be uploaded and deployed to the respective service.

The /opt/nokia/certificate_mgmt/bin/certificate_management.sh script can be used to
generate a Certificate Signing Request (CSR).

Note: /opt/nokia/certificate_mgmt/bin/certificate_management.sh is only
available on the EdenNet GUI node.

Some of the certificate details can be provided as command line arguments. All the other parameters
can be set in the respective configuration file openssl_<service_name>.cnf.

certificate_management.sh -generate csr -app_name <service_name> -ip <public IPv4 or IPv6 address/External IP address if Multi IP scenario is present> -fqdn <public FQDN>

where:

• -app_name <service_name> parameter is mandatory and specifies the name of the service for
which the CSR will be generated.
• -ip <public IP address> is mandatory and specifies the IP address
• -fqdn <public FQDN> parameter is optional and specifies the Fully Qualified Domain name
(FQDN). IP address and FQDN will be stored in the certificate as Subject Alternative Names
(SAN).

Note:

– If -ip <public IP address> and -fqdn <public FQDN> parameters are not
specified, the values from the respective configuration file will be used.
– <public FQDN> must be provided either via command line or in a configuration file.
– <public IP address> is optional and should be used only if the server has a
public (non-reserved) IP address.
– If -ip2 and -fqdn2 are not specified, no default value is taken from configuration
file.

Nokia does not recommend the usage of reserved IP addresses in certificates. The list of reserved IP
addresses can be found at:

• For IPv4: https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
• For IPv6: https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

Note:

• Custom certificates must be re-imported after EdenNet major version upgrade.


• If a service is accessible via multiple names (FQDNs) and/or IP addresses, all of them
should be included in the certificate. To do this, all FQDNs and IP addresses must
be added to the respective configuration file (openssl_<service_name>.cnf) as
DNS.<n> and IP.<n> attributes in [alt_names] section.
• If EdenNet is deployed in dual/standalone mode, then both IPv4 and IPv6 public IPs can
be used, if available.

For example:

[ alt_names ]
# DNS.1 is to be given as the server's FQDN
# IP.1 is to be given as the server's IP
# multiple servers can be given by adding
# DNS.2, IP.2, DNS.3, IP.3, ...
# DNS.1 = <1stFQDN>
# IP.1 = <1stIP>
IP.1 = 10.10.10.10
DNS.1 = server.com
IP.2 = fe80::b11e:3387:5b3f:95dc
DNS.2 = server_alias.com
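The following Python script is an added example, not EdenNet's own code, serving both the certificate
generation procedure (section 13.2) and the CSR procedure above: it parses the [alt_names] section of
an openssl_<service_name>.cnf file, builds the subjectAltName value that OpenSSL derives from it, and
flags any IP.<n> entry that is not a public (globally reachable) address, which both sections advise
against. Python's ipaddress module classifies addresses by the same IANA special-purpose ranges the
sections link to. The sample section reuses the placeholder values from the example above; note that
10.10.10.10 is a private address and fe80::b11e:3387:5b3f:95dc a link-local one, so a real
deployment must replace them with the service's public address.

```python
"""Parse an openssl.cnf [alt_names] section and flag non-public IP entries.
Added example; not EdenNet code."""
import ipaddress
import re

# Constructed sample built from the placeholder values shown in this section.
SAMPLE_ALT_NAMES = """[ alt_names ]
# DNS.1 = <1stFQDN>
# IP.1 = <1stIP>
IP.1 = 10.10.10.10
DNS.1 = server.com
IP.2 = fe80::b11e:3387:5b3f:95dc
DNS.2 = server_alias.com
"""

ENTRY_RE = re.compile(r"^(DNS|IP)\.(\d+)\s*=\s*(\S+)$", re.IGNORECASE)


def parse_alt_names(text):
    """Return (dns_entries, ip_entries), each a sorted list of (n, value), taken
    from the [alt_names] section only; '#' comments and other sections are skipped."""
    in_section = False
    dns, ips = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.strip("[] ").lower() == "alt_names"
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, n, value = m.group(1).upper(), int(m.group(2)), m.group(3)
            (dns if kind == "DNS" else ips).append((n, value))
    return sorted(dns), sorted(ips)


def classify_address(ip):
    """None for a globally reachable address; otherwise why it is not
    (loopback, link-local, multicast, unspecified, private, reserved, ...).
    Raises ValueError for text that is not an IP address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_global:
        return None
    for attr in ("is_loopback", "is_link_local", "is_multicast",
                 "is_unspecified", "is_private", "is_reserved"):
        if getattr(addr, attr):
            return attr[3:].replace("_", "-")
    return "special-purpose"


def check_alt_names(text):
    """Return a list of (kind, value, message) findings for the section."""
    dns, ips = parse_alt_names(text)
    findings = []
    if not dns:
        findings.append(("DNS", None, "no FQDN given; at least one DNS.<n> entry is required"))
    for _n, ip in ips:
        try:
            reason = classify_address(ip)
        except ValueError:
            findings.append(("IP", ip, "not a valid IPv4/IPv6 address"))
            continue
        if reason:
            findings.append(("IP", ip, "%s address; not recommended in a certificate" % reason))
    return findings


def subject_alt_name(text):
    """The SAN value OpenSSL builds from the section: DNS entries, then IP entries."""
    dns, ips = parse_alt_names(text)
    return ",".join(["DNS:%s" % v for _, v in dns] + ["IP:%s" % v for _, v in ips])


if __name__ == "__main__":
    print(subject_alt_name(SAMPLE_ALT_NAMES))
    for finding in check_alt_names(SAMPLE_ALT_NAMES):
        print(finding)
```

Run it against the service's openssl_<service_name>.cnf before generating the certificate or CSR; after
generation, the SAN string it prints can be compared with the subjectAltName extension shown by
openssl x509 -text or openssl req -text.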

The generated CSR can be used to acquire a signed certificate from CA. The certificate can
be deployed to the respective service by using /opt/nokia/certificate_mgmt/bin/
deploy_certificate_to_<service_name>.sh script.

For more information on deploying certificates, see EdenNet CA certificates.

13.3.1 Using a custom certificate


The customers can choose to install a custom certificate that is signed by their trusted CA, rather than using the EdenNet CA
certificates.


The support for custom certificate is introduced only for external interfaces and services as listed be-
low:

• nginx
• kong
• ldap

13.3.1.1 Configuring custom certificate for Nginx

To use the custom certificate in EdenNet for nginx service (for example, signed by an official
Certification Authority):

1. Log in as <installation_user> to the EdenNet GUI node.

2. Navigate to /opt/nokia/certificate_mgmt directory.

3. Generate a Certificate Signing Request (CSR) by entering:

./bin/certificate_management.sh -generate csr -app_name <service_name> -ip <public IPv4 or IPv6 address/External IP if Multi IP scenario present> -fqdn <public FQDN>

Note: IP2 and FQDN2 are optional. They should be filled in if IPv6 or IPv4 addresses other than
IP1 are to be added to the certificate.

This command generates the private key (nginx.key) and CSR (nginx.csr.pem).

[user@EdenNet certificate_mgmt]# ./bin/certificate_management.sh -generate csr -app_name nginx -ip 10.20.30.40 -fqdn edennet.nokia.com
Setting IP 10.20.30.40 and FQDN edennet.nokia.com in configuration file.
Generating csr
Generating a 2048 bit RSA private key
........................................................................
......+++
........................................................+++
writing new private key to 'nginx.key'
-----

4. Use the CSR to acquire the certificate from Certification Authority (CA).

5. Upload the certificate to GUI node where nginx service is installed. For example, to path /tmp.

6. Deploy nginx.crt:
a) Log in as <installation_user> to the EdenNet GUI node.
b) Navigate to /opt/nokia/certificate_mgmt directory.
c) Deploy the certificate or certificate chain to nginx server by entering:

./bin/deploy_certificate_to_nginx.sh -key_file nginx.key -crt_file <Path to certificate>

Expected outcome

The certificate or certificate chain is deployed successfully and a successful secure connection can be
established using these custom certificates.

Sample output

[user@EdenNet certificate_mgmt]# ./bin/deploy_certificate_to_nginx.sh -key_file nginx.key -crt_file /tmp/nginx.crt
Deploying certificates.
Certificate and key files are deployed into nginx successfully.
Changing permissions.
Reloading nginx configurations.

Note: To verify if the custom certificate is applied successfully for nginx service, install
EdenNet CA certificate in browser. For more information, see EdenNet CA certificate
installation on browser.

13.3.1.2 Configuring custom certificate for Kong

To use the custom certificate in EdenNet for kong service (for example, signed by an official
Certification Authority):

1. Log in as <installation_user> to the EdenNet GUI node.

2. Navigate to /opt/nokia/certificate_mgmt directory.

3. Generate a Certificate Signing Request (CSR) by executing:

./bin/certificate_management.sh -generate csr -app_name <service_name> -ip <public IPv4 or IPv6 address/External IP if Multi IP scenario present> -fqdn <public FQDN>

Note: IP2 and FQDN2 are optional. They should be filled in if IPv6 or IPv4 addresses other than
IP1 are to be added to the certificate.

This command generates the private key kong.key and CSR kong.csr.pem.

[user@EdenNet certificate_mgmt]# ./bin/certificate_management.sh -generate csr -app_name kong -ip 10.20.30.40 -fqdn edennet.nokia.com
Setting IP 10.20.30.40 and FQDN edennet.nokia.com in configuration file.
Setting FQDN sprintlab613vm6.netact.nsn-rdnet.net in configuration file.
Alternate IP not passed, Using existing configuration.
Alternate FQDN not passed, Using existing configuration.
Generating csr
Generating a 2048 bit RSA private key
........+++
....................+++
writing new private key to 'kong.key'

4. Use the CSR to acquire the certificate from Certification Authority (CA).

5. Upload the certificate to the Central App VM where the kong service is installed, for example, to the
path /tmp.

6. Deploy kong.crt.
a) Log in as installation_user to the Central App node.
b) Navigate to /opt/nokia/certificate_mgmt directory.
c) Deploy the certificate or certificate chain to kong server by entering:

./bin/deploy_certificate_to_kong.sh -key_file kong.key -crt_file <Path to certificate>

7. Restart kong service by executing:

systemctl restart ckng-kong*

Expected outcome

The certificate or certificate chain is deployed successfully and a successful secure connection can be
established using these custom certificates.

Sample output

[user@EdenNet certificate_mgmt]# ./bin/deploy_certificate_to_kong.sh -key_file kong.key -crt_file kong.crt
Deploying certificates.
Certificate and key files are deployed into kong successfully.
Changing permissions.

Note: To verify that the custom certificate is deployed successfully for the kong service, execute the
following in the Central App VM:

# openssl s_client -connect <Central App VM IP>:9500

The certificate information in the output shows the kong certificate signed by the external CA.


13.3.1.3 Configuring custom certificate for LDAP server

To use the custom certificate in EdenNet for LDAP service (for example, signed by an official
Certification Authority):

1. Create the Certificate Signing Request with the IP field, which is mandatory, in the Subject
Alternative Names (SAN). For more information, see Custom certificate.

2. Once the custom certificate is received, deploy the certificate to the central database server.

3. Store the server certificate and private key (generated during the CSR process) in the
/etc/dirsrv/slapd-edennet/ folder in the central database server.

4. Append the intermediate and root certificates and store the result as ca_cert.crt in the
/etc/dirsrv/slapd-edennet/ folder.

Note: The file name must not be changed and must be retained as ca_cert.crt.

5. Navigate to /opt/nokia/certificate_mgmt/bin in the central database server and enter the
deploy script:

# ./deploy_certificate_to_dirsrv.sh -key_file intldap.key -crt_file intldap.crt

Note: It is not mandatory to provide the absolute path of the certificate and key files.

6. Restart LDAP service by executing:

systemctl restart dirsrv.target*

Expected outcome

The certificate or certificate chain is deployed successfully and a successful secure connection can be
established using these custom certificates.

Following is the sample output:

Deploying certificates.
Certificate and key files are deployed into LDAP successfully.
Changing permissions.

13.4 EdenNet CA certificates


EdenNet CA certificates must be installed on all browsers in order to ensure secure connection.


13.4.1 EdenNet CA certificate installation on browser


Without securely installing the EdenNet Certification Authority (CA) certificate in the browser, the
connection between the browser and EdenNet is not private, even though it is encrypted. That is, if
the EdenNet CA certificate is not installed in the browser, the browser does not trust the EdenNet
certificate it receives during secure connection establishment. In such a scenario, the web browser
detects this issue and displays a warning page.

The most important aspect of installing the EdenNet certificate in the browser is to get an untampered
copy of the certificate onto the machine where the browser is installed. There are mainly two ways to
do this:

• Use a secure communication channel, for example a USB stick, a signed e-mail, or a trusted server
that provides the certificate over HTTPS secured by an already known and trusted certificate.
• Download the CA certificate from EdenNet and verify its fingerprint. The CA certificate can be
downloaded from https://<EdenNet-GUI>/ca_certificate. The certificate's fingerprint must be
compared with the one retrieved through the secure channel, or taken directly from the EdenNet
server.

Note:

• The fingerprint of the certificate is displayed by the browser before the import is completed.
On the server side, the fingerprint can be calculated using the following command on the
App node (the node where nginx is installed):

openssl x509 -in /opt/nokia/certificate_mgmt/ca_cert.crt -sha1 -fingerprint -noout

• If EdenNet is deployed in dual mode, the EdenNet-GUI IP can be the IPv4 or IPv6 address
of the GUI Node. If EdenNet is deployed in standalone mode, the EdenNet-GUI IP should be
the IPv6 address (the client browser and network must be capable of handling IPv6).
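The fingerprint comparison described above can also be scripted. The following is an added example, not part of this Nokia document or of EdenNet's certificate_mgmt tooling: it computes the SHA1 fingerprint of a PEM certificate in the same colon-separated form that openssl prints, and accepts the certificate only if it equals the fingerprint obtained through the secure channel. The certificate body and the expected fingerprint in it are constructed samples, not a real EdenNet CA certificate.

```python
"""Offline SHA1 fingerprint check of a CA certificate before a browser import.

Added example, not Nokia's code. The fingerprint is the SHA1 digest of the
certificate's DER encoding, which is what `openssl x509 -sha1 -fingerprint`
prints as AA:BB:...:ZZ. Only the Python standard library is used.
"""
import base64
import hashlib
import re

PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = PEM_BODY.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # The base64 body is wrapped over several lines; join them before decoding.
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem_text: str) -> str:
    """SHA1 over the DER encoding, formatted like openssl: AA:BB:...:ZZ."""
    digest = hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Canonical form of a fingerprint as pasted from a browser dialog, an
    e-mail or openssl output: drop any 'SHA1 Fingerprint=' prefix, all
    separators (colons, spaces) and letter case."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(observed: str, expected: str) -> bool:
    """True only when both values are the same complete 40-hex-digit SHA1;
    a truncated or partial fingerprint never matches."""
    a, b = normalize_fingerprint(observed), normalize_fingerprint(expected)
    return len(a) == 40 and a == b


def verify_ca_certificate(pem_text: str, expected_fingerprint: str) -> bool:
    """The manual decision from the procedure: compute the local fingerprint
    and accept the certificate only if it equals the out-of-band value."""
    return fingerprints_match(sha1_fingerprint(pem_text), expected_fingerprint)


# Constructed sample: the PEM body is base64("abc"), not a real certificate,
# chosen so that the expected fingerprint (SHA1 of "abc") is a known constant.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)
# Constructed value standing in for the fingerprint received out of band.
SAMPLE_FINGERPRINT_FROM_SECURE_CHANNEL = (
    "SHA1 Fingerprint=A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"
)

if __name__ == "__main__":
    ok = verify_ca_certificate(SAMPLE_PEM, SAMPLE_FINGERPRINT_FROM_SECURE_CHANNEL)
    print("fingerprint matches, the import may proceed" if ok
          else "fingerprint mismatch, abort the import")
```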

13.4.1.1 Installing EdenNet CA certificate in Firefox


EdenNet certificates have to be installed separately in each browser. They are installed mainly to establish a secure connection.

Prerequisites

• Ensure that you have the SHA1 fingerprint provided through the safe communication channel. For
more information, see EdenNet CA certificate installation on browser.

Note: The steps may change based on the Firefox version you have installed.


To install EdenNet certificate in Firefox version 52.9.0, do the following:

1. Open the Firefox browser.

2. Go to Options → Advanced → Certificates → View Certificates.

The Certificate Manager page appears.

3. Click Authorities tab.

A list of certificates appears.

4. Click Import.

5. Select the EdenNet certificate to be imported, and click Open.

6. Click View.

The EdenNet certificate opens.

7. Compare the SHA1 fingerprint on the EdenNet certificate with the one provided through the safe
communication channel.

This comparison is done mainly for security reasons.

Note: Abort the import if they differ and click Close.

8. Select only Trust this CA to identify websites and click OK.

Expected outcome

The EdenNet CA certificate is installed successfully in Firefox.

Note: There is no warning shown for EdenNet certificate whenever Firefox browser is used
to establish a secure connection with EdenNet after successful installation of EdenNet CA
certificate in Firefox.

13.4.1.2 Installing EdenNet CA certificate in Chrome


EdenNet certificates have to be installed separately in each browser. They are installed mainly to establish a secure
connection.

Prerequisites

• Ensure that you have the SHA1 fingerprint provided through the safe communication channel. For
more information, see EdenNet CA certificate installation on browser.


Note: The steps may change based on the Chrome version you have installed.

To install EdenNet certificate in Chrome version 68.0.3440.106, do the following:

1. Open the Chrome browser.

2. Go to Settings → Show advanced settings → HTTPS/SSL → Manage certificates... →
Trusted Root Certification Authorities.

3. Click Import and click Next.

4. Click Browse... to select the EdenNet Certification Authority (CA) certificate to be imported and
click Next.

5. Check that the selected certificate store is Trusted Root Certification Authorities and click Next.

6. Click Finish.

You get a security warning stating the name of the certificate (EdenNet CA) and the
Thumbprint (sha1).

7. Compare the SHA1 fingerprint (thumbprint) with the one provided through the safe communication
channel. Abort the import by clicking No, if they differ.

8. Click Yes if the fingerprints match.

Expected outcome

The EdenNet CA certificate is installed successfully in Chrome.

Note: After successful installation of the EdenNet CA certificate in Chrome, there is no warning
shown for the EdenNet certificate whenever the Chrome browser is used to establish a secure
connection with EdenNet.

13.4.2 Renewing EdenNet certificate


EdenNet certificates must be renewed in the event of EdenNet certificate expiry or revocation.

To renew the EdenNet certificate:

1. Log in as <installation_user> to the EdenNet GUI node.

2. Navigate to /opt/nokia/certificate_mgmt directory.

3. Generate a new certificate by entering:

./bin/certificate_management.sh -generate crt -app_name nginx [-ip2 <public IPv4 or IPv6 address/External IP if multi ip scenario is present>] [-fqdn <public FQDN>]


Note: IP2 and FQDN2 are optional. Fill them in if an IPv6 or IPv4 address other than IP1 is to be
added to the certificate.

This command generates the private key (nginx.key) and certificate (nginx.crt) that is valid
for 1 year (365 days).

[user@EdenNet certificate_mgmt]# ./bin/certificate_management.sh -generate crt -app_name nginx -ip 10.20.30.40 -fqdn edennet.nokia.com -days 365
Setting IP 10.20.30.40 and FQDN edennet.nokia.com in configuration
file.
generating and Signing cert
Generating a 2048 bit RSA private key
.............................................+++
................................................+++
writing new private key to 'nginx.key'
-----
Signature ok
subject=/CN=edennet.nokia.com/C=FI/L=Finland/O=Nokia
Getting CA Private Key

4. Deploy the certificate to nginx server by entering:

./bin/deploy_certificate_to_nginx.sh -key_file nginx.key -crt_file nginx.crt

Expected outcome

The EdenNet certificate is renewed successfully.

The sample output is:

[user@EdenNet certificate_mgmt]# ./bin/deploy_certificate_to_nginx.sh -key_file nginx.key -crt_file nginx.crt
Deploying certificates.
Certificate and key files are deployed into nginx successfully.
Changing permissions.
Reloading nginx configurations.


14 Security Events

All the recorded security events are available in Administration → Security Events tab.

Note:

• Only users in Administrator group can access the Security Events tab.
• Security-relevant events, such as creating or deleting a user, are logged with the user's host
IP address, except for events related to START_MODULE, STOP_MODULE, and
IDLE_MODULE (these internal events do not contain the HostIP of the user).

Table 22: Security events describes all events available under Security Events tab.

Event property | Description
-------------- | -----------
Date | The timestamp when the event has been triggered.
Event Name | The name of the event that identifies the operation.
Category | The event category, for example, session, user, execution, configuration, logging.
Event Source | The module/service that has triggered the event.
User ID | Identifies the account name of the user responsible for the operation. If the actual responsible user cannot be known reliably, this is the user account which has been used for logging into the system.
Source IP | The source IP address of the user who has triggered the event.
Resource | The resource on which the operation is performed.
Resource Type | The type of the resource on which the operation is performed. For example, user, module, log, parameter.
Result | The result of the operation (success, failure) or the failure cause (for example, no_privileges, wrong_credentials).
Effect | Identifies how the operation has affected or has attempted to affect target data. For example, create, delete, modify, read, and so on. Note: the Create effect is also used for start (SON module) and log in; the Delete effect is also used for stop (SON module) and log out.
Details | Event details that do not fit in any of the above properties. For example, additional information, logs, and so on.

Table 22: Security events

The events in the Security Events tab can be sorted and filtered based on time range as well as
based on any of the properties mentioned in Table 22: Security events.

14.1 Configuring retention period for security events


Security events are stored in EdenNet for a specified configurable period. It is 90 days by default.

To configure the retention time, do the following:

1. Log in (SSH) to the EdenNet App Server as vson user.

2. Open the configuration tool by entering:

cfg

The following output appears:

(enet) [vson@EdenNet ~]$ cfg
--------------------------------------------------
Enet config editor: Registered apps list
--------------------------------------------------
0) antenna_plan_app
1) appServersApp
2) cellPlanApp
3) clusterApp
4) cron
5) emailApp
6) enb_autoplanning_manager_app
7) escript
8) eventLoggingApp
9) license_manager
10) mainApp
11) ossPushApp
12) oss_access_app
13) scriptInterlock
14) scriptPlanMapperApp
15) security_event_logging_app
16) sonConfigApp
17) sonExclusionApp
18) sonKpi
19) son_api_app
20) son_app_manager_app
21) sonpm
22) tier
23) tmoCellPlanUpdate
24) tomcat
25) user_manager
cfg>

3. List all the services by entering:

cfg> s

The following output appears:

0) UIDGenerationService
1) antennaPlanService
2) auth_api_service
3) auth_service
4) cellPlanService
5) cellPlanUpdateService
6) cells_service
7) clusterService
8) cm_redis_service
9) cronApp
10) emailService
11) emsValidation
12) enb_autoplanning_manager_service
13) error_classifier_service
14) escriptService
15) evaluateService
16) eventLoggingService
17) ggc
18) kpi_redis_service
19) ldap
20) license_manager
21) module_commanding_service
22) nadcPushApp
23) ossPushService
24) oss_manager_service
25) pexrepo
26) plan_provisioning
27) polygonService
28) regionInterface
29) regionService
30) ret_mapping_service
31) scriptConfigService
32) scriptInterlockService
33) scriptPlanMapperService
34) scriptStorageService
35) security_event_logging_service
36) sonConfigService
37) sonExclusionService
38) sonKpi
39) son_app_manager_service
40) son_nbi_service
41) son_reporting_service
42) syslog_forwarding_service
43) task_manager
44) task_mon
45) tier_service
46) user_manager_service

4. Find the security_event_logging_service service on the list and note the index.

5. Open the security_event_logging_service configuration by entering:

cfg> s <service_index>

For example:

cfg> s 35

This opens the service configuration file in the default editor (for example, vim).

6. Modify prune_day to the desired value and save the changes by typing wq in the vim editor.

The following output appears:

[params]
max_log_age_on_disk_days = 3
api_path = " /security_event_ db log"
prune_day = 90
event_db_commit_rate_seconds = 5
max_event_log_size_mb = 10
security_event_log_dir = "~/log/logging"

7. Exit the configuration tool by entering:

cfg> q

(enet) [vson@EdenNet ~]$

8. Restart the security_event_logging_app application by entering:

(enet) [vson@EdenNet ~]$ enet restart security_event_logging_app


Note: The parameter values provided under security_event_logging_service are default values.
They can be modified according to the customer requirement.

Expected outcome

The security_event_logging_app is restarted and the retention period for security events is
configured successfully.
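As an added example (not part of this Nokia document or of EdenNet's own code), the following Python script shows what the retention and the filtering described above amount to: it reads prune_day from a [params] section shaped like the one above, drops events older than that period, filters the remaining events by time range and by Table 22 properties, and counts wrong_credentials logins per Source IP. The events, the configuration text and the threshold in it are constructed samples.

```python
"""Retention, filtering and a failed-login check over EdenNet-style security
events. Added example, not Nokia's code: the record follows Table 22 and the
retention period is read from a [params] section shaped like the
security_event_logging_service configuration; all data here is constructed."""
from __future__ import annotations

import configparser
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecurityEvent:
    date: datetime
    event_name: str
    category: str       # session, user, execution, configuration, logging
    event_source: str
    user_id: str
    source_ip: str      # empty for internal events such as START_MODULE
    resource: str
    resource_type: str
    result: str         # success, failure or a cause such as wrong_credentials
    effect: str         # create, delete, modify, read
    details: str = ""


def read_prune_day(config_text: str) -> int:
    """Parse prune_day (retention in days) from the [params] section."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    value = parser.getint("params", "prune_day")
    if value <= 0:
        raise ValueError("prune_day must be a positive number of days")
    return value


def prune(events: list[SecurityEvent], now: datetime, prune_day: int) -> list[SecurityEvent]:
    """Keep only events that are younger than the retention period."""
    cutoff = now - timedelta(days=prune_day)
    return [e for e in events if e.date >= cutoff]


def filter_events(events, start: datetime | None = None, end: datetime | None = None,
                  **properties) -> list[SecurityEvent]:
    """Select by optional time range and exact property values; sort by date."""
    selected = []
    for e in events:
        if start is not None and e.date < start:
            continue
        if end is not None and e.date > end:
            continue
        if all(getattr(e, name) == value for name, value in properties.items()):
            selected.append(e)
    return sorted(selected, key=lambda e: e.date)


def failed_logins_by_ip(events, threshold: int) -> dict[str, int]:
    """Source IPs with at least `threshold` failed logins (wrong_credentials);
    possible because Table 22 records the Source IP of session events."""
    counts = Counter(
        e.source_ip for e in events
        if e.category == "session" and e.effect == "create"
        and e.result == "wrong_credentials" and e.source_ip
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed configuration text, shaped like the file opened with `cfg> s`.
SAMPLE_CONFIG = """[params]
max_log_age_on_disk_days = 3
prune_day = 90
event_db_commit_rate_seconds = 5
"""

NOW = datetime(2021, 6, 30, 12, 0, 0)


def _ev(days_ago, name, category, user, ip, result, effect, rtype="user"):
    return SecurityEvent(NOW - timedelta(days=days_ago), name, category,
                         "user_manager", user, ip, user, rtype, result, effect)


# Constructed sample events, not real EdenNet output.
SAMPLE_EVENTS = [
    _ev(120, "LOGIN", "session", "admin", "10.20.30.5", "success", "create"),
    _ev(2, "LOGIN", "session", "admin", "10.20.30.99", "wrong_credentials", "create"),
    _ev(2, "LOGIN", "session", "admin", "10.20.30.99", "wrong_credentials", "create"),
    _ev(2, "LOGIN", "session", "operator", "10.20.30.99", "wrong_credentials", "create"),
    _ev(1, "CREATE_USER", "user", "admin", "10.20.30.5", "success", "create"),
    _ev(1, "START_MODULE", "execution", "admin", "", "success", "create", "module"),
    _ev(0, "DELETE_USER", "user", "operator", "10.20.30.7", "no_privileges", "delete"),
]


def demo() -> tuple[int, int, dict[str, int]]:
    """Return (events retained, failed logins in the last 3 days, suspicious IPs)."""
    retained = prune(SAMPLE_EVENTS, NOW, read_prune_day(SAMPLE_CONFIG))
    recent = filter_events(retained, start=NOW - timedelta(days=3), result="wrong_credentials")
    return len(retained), len(recent), failed_logins_by_ip(retained, 3)


if __name__ == "__main__":
    print(demo())
```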


15 Security policy for firewalls


Firewalls are required to protect the IT systems from unauthorized access. To implement firewalls, it is
necessary to know the allowed communications.

The communication information contains:

• Source: The machine that wants to begin communication and the port it wants to use.
• Destination: The machine with which the source wants to communicate and the port it wants to
use.
• Protocols: The protocols are:

– Application layer protocol
– Transport layer protocol

Note: Firewall rules are applicable for both IPv4 and IPv6.

15.1 Firewall rules


The firewall rules section contains the following information:

• Application Server Virtual Machines (VMs)
• Database VMs
• FM Service nodes
• FM DB nodes
• Workflow engine nodes
• Spark Primary nodes
• Spark Secondary nodes
• Cassandra DB Server nodes
• Crowd Cell Controller nodes
• AC Application node
• AC Database node
• Selfmon node
• Backup and Restore: Avamar Enterprise Edition (AVE)
• Control Server (Installation Server)
• FAME node


15.1.1 Application Server Virtual Machines (VMs)


This section applies to all Application Server VMs such as GUI Server, Central VM Server, and KPI
Supplier Server. Depending on the EdenNet deployment, these might be located on the same or
separate VMs.

Table 23: Ports opened externally on application server VMs lists ports opened externally (access from
outside of EdenNet should be allowed) on Application Server VMs.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | ------------------- | --------
PC used by EdenNet users, SON API clients | Ephemeral | GUI server | 80 | HTTP | TCP | nginx | This port doesn't have to be opened if SON API clients will use port 443 directly.
PC used by EdenNet users, SON API clients | Ephemeral | GUI server | 443 | HTTPS | TCP | nginx | N/A
SDK clients | Ephemeral | Central VM Server | 9500 | HTTPS | TCP | kong | API Gateway for SON Module development
SDK clients | Ephemeral | Central VM Server | 8666 | HTTPS | TCP | keycloak | Authentication server for SON Module development
PC used by support engineers | Ephemeral | All Application server VMs | 22 | SSH | TCP | sshd | N/A
Central VM server | Ephemeral | OSSes | 22 | SSH | TCP | sshd | SSH connections to OSSes.
KPI Supplier Server | Ephemeral | OSSes | 22 | SSH | TCP | sshd | SSH connections to OSSes
Central VM server | Ephemeral | RF Planning Tool, OSSes | 21 | FTP | TCP | ftp | FTP connections to Planning Tool, Huawei OSS
Central VM server | Ephemeral | RF Planning Tool, OSSes | 22 | SFTP | TCP | sshd | SFTP connections to Planning Tool, Huawei OSS
KPI Supplier Server | Ephemeral | OSSes | 22 | SFTP | TCP | sshd | SFTP connections to Huawei OSS
GUI Server | Ephemeral | All NetAct WAS nodes | 9999 | HTTPS (SOAP) | TCP | IHS | Used by ASC for CM persistency queries
GUI Server | Ephemeral | All NetAct WAS nodes | 443 | HTTPS (SOAP, REST) | TCP | IHS | Used by ASC for CM NMS API, FM NMS API and KPI client services
Central VM server | Ephemeral | All NetAct WAS nodes | 9999 | HTTPS (SOAP) | TCP | IHS | CM Open API
Central VM server | Ephemeral | All NetAct WAS nodes | 443 | HTTPS (SOAP, REST) | TCP | IHS |
All NetAct WAS nodes | Ephemeral | GUI Server | 8080 | HTTP (SOAP) | TCP | tomcat | CM Web Service notification
GUI server | Ephemeral | SMTP server | 25 | SMTP | TCP | mail server |
GUI server | Ephemeral | SMTP server | 587 | SMTP | TCP | mail server |
All Application Server VMs | 123 | NTP Server | 123 | NTP | UDP | ntpd |
All Application Server VMs | Ephemeral | External syslog server | 514 | syslog | TCP | syslog | External syslog forwarding is disabled by default. The TLS encryption is configurable.
All Application Server VMs | Ephemeral | External syslog server | 514 | syslog | UDP | syslog | External syslog forwarding is disabled by default.
GUI Server | Ephemeral | External LDAP server | 389 | LDAP | TCP | LDAP server | Only if external LDAP server is integrated. Port can be different, depending on the LDAP integration configuration.
GUI Server | Ephemeral | Offline Map Server | 443 | HTTPS | TCP | offlinemap | Only if Offline Map Server is integrated. Port can be different, depending on the Offline Map integration configuration.
GUI Server | Ephemeral | Offline Map Server | 80 | HTTP | TCP | offlinemap | Only if Offline Map Server is integrated. Port can be different, depending on the Offline Map integration configuration.

Table 23: Ports opened externally on application server VMs

Table 24: Ports opened internally on application server VMs lists ports opened internally (access from
outside of EdenNet should not be allowed) on Application Server VMs.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | ------------------- | --------
All Application Server VMs | Ephemeral | All EdenNet servers | 22 | SSH | TCP | sshd |
localhost | Ephemeral | GUI server | 8080 | HTTP | TCP | tomcat | N/A
localhost | Ephemeral | GUI server | 1099 | RMI | TCP | tomcat |
localhost | Ephemeral | GUI server | 8009 | AJP | TCP | tomcat |
GUI server | Ephemeral | Central VM Server | 9600 | HTTP | TCP | nginx |
GUI server | Ephemeral | Task Server | 9600 | HTTP | TCP | nginx |
Central VM Server | Ephemeral | KPI Supplier Server | 9600 | HTTP | TCP | nginx |
Central VM Server | Ephemeral | GUI Server | 9600 | HTTP | TCP | nginx |
Task Server | Ephemeral | GUI Server | 9600 | HTTP | TCP | nginx |
Task Server | Ephemeral | Central VM Server | 9600 | HTTP | TCP | nginx |
KPI Supplier Server | Ephemeral | GUI Server | 9600 | HTTP | TCP | nginx |
Workflow Engine | Ephemeral | GUI Server | 9600 | HTTP | TCP | nginx |
GUI Server | Ephemeral | Central VM Server | 9601 | HTTP | TCP | SON NBI Cells Service (Spring boot app) |
GUI Server | Ephemeral | GUI Server | 9602 | HTTP | TCP | SON NBI Module Commanding (Spring boot app) |
Central VM Server | Ephemeral | Central VM Server | 9603 | HTTPS | TCP | Auth service (Spring boot app) |
localhost | Ephemeral | GUI Server | 9600 | HTTP | TCP | nginx |
All EdenNet servers | Ephemeral | Central VM server | 61613 | Stomp | TCP | RabbitMQ |
All EdenNet servers | Ephemeral | Central VM server | 5672 | AMQP | TCP | RabbitMQ |
localhost | Ephemeral | Central VM server | 25672 | Erlang Distribution Protocol | TCP | RabbitMQ |
localhost | Ephemeral | Central VM server | 4369 | Erlang Distribution Protocol | TCP | RabbitMQ (EPMD) |
All EdenNet servers | Ephemeral | Central VM server | 6379 | RESP | TCP | redis |
All EdenNet servers | Ephemeral | KPI supplier server | 6379 | RESP | TCP | redis |
All EdenNet servers | Ephemeral | GUI server | 6379 | RESP | TCP | redis |
GUI Server | Ephemeral | GUI DB server | 3306 | mysql | TCP | mysqld |
Central VM Server | Ephemeral | Central VM DB Server | 3306 | mysql | TCP | mysqld |
KPI Supplier Server | Ephemeral | KPI Supplier DB server | 3306 | mysql | TCP | mysqld |
Task servers | Ephemeral | GUI Server | 514 | syslog | TCP | rsyslogd |
Task servers | Ephemeral | GUI Server | 111 | portmap | TCP | rpcbind | For NFS
Task servers | Ephemeral | GUI Server | 111 | portmap | UDP | rpcbind | For NFS
localhost | Ephemeral | Task Server | 111 | portmap | TCP | rpcbind | For NFS
localhost | Ephemeral | Task Server | 111 | portmap | UDP | rpcbind | For NFS
localhost | Ephemeral | Central VM Server | 111 | portmap | TCP | rpcbind | For NFS
localhost | Ephemeral | Central VM Server | 111 | portmap | UDP | rpcbind | For NFS
Task servers | Ephemeral | GUI Server | 662 | NSM | TCP | rpc.statd | For NFS
Task servers | Ephemeral | GUI Server | 662 | NSM | UDP | rpc.statd | For NFS
Task servers | Ephemeral | GUI Server | 875 | rquota | TCP | rpc.rquotad | For NFS
Task servers | Ephemeral | GUI Server | 875 | rquota | UDP | rpc.rquotad | For NFS
Task servers | Ephemeral | GUI Server | 892 | NFS MOUNT | TCP | rpc.mountd | For NFS
Task servers | Ephemeral | GUI Server | 892 | NFS MOUNT | UDP | rpc.mountd | For NFS
Task servers | Ephemeral | GUI Server | 2049 | NFS | TCP | nfsd | For NFS
Task servers | Ephemeral | GUI Server | 2049 | NFS | UDP | nfsd | For NFS
Task servers | Ephemeral | GUI Server | 32803 | KLM | TCP | lockd | For NFS
Task servers | Ephemeral | GUI Server | 32769 | KLM | UDP | lockd | For NFS
GUI Server | Ephemeral | Central VM DB Server | 389 | LDAP | TCP | ns-slapd |
Selfmon Node | Ephemeral | All Application Server VMs | 10050 | zabbix-agent | TCP | zabbix_agentd |
All Application Server VMs | Ephemeral | Selfmon Node | 10051 | zabbix-trapper | TCP | zabbix_server |
Task Server | Ephemeral | Spark Primary VM | 8090 | spark | TCP | spark_job_server | For submitting spark jobs
Central VM Server | Ephemeral | Crowd Cell Controller VM | 8000 | HTTP | TCP | lwm2m_mediation | Generic IoT server used by EdenNet
Central VM Server | Ephemeral | Crowd Cell Controller VM | 8084 | HTTP | TCP | lwm2m_service | Service layer used by Crowd cell controller
Central VM Server | Ephemeral | Central VM Server | 8901 | HTTPS | TCP | kong | Kong admin API
GUI Server | Ephemeral | Central VM Server | 8901 | HTTPS | TCP | kong | Kong admin API
KPI Supplier Server | Ephemeral | Central VM Server | 8901 | HTTPS | TCP | kong | Kong admin API
Central VM Server | Ephemeral | Central VM Server | 9993 | HTTPS | TCP | keycloak | JBoss management interface
All EdenNet servers | Ephemeral | Central Region App VM Server | 8200 | HTTPS | TCP | Vault | Vault API
All EdenNet servers | Ephemeral | Central Region App VM Server | 8201 | HTTPS | TCP | Vault | Vault cluster port
All EdenNet servers | Ephemeral | Central Region App VM Server | 8888 | Raw | TCP | CSKM | CSKM Vault Cluster service

Table 24: Ports opened internally on application server VMs

15.1.2 Database VMs


All Database virtual machines (VM) required for security management, namely, GUI DB Server, Central
VM DB Server, and KPI Supplier DB Server are described in this section. Depending on the EdenNet
deployment, these might be located on the same or separate VMs.

Table 25: Ports opened externally on database VMs lists the ports opened externally (access from
outside of EdenNet should be allowed) on Database VMs.


Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | ------------------- | --------
PC used by support engineers | Ephemeral | All Database VMs | 22 | SSH | TCP | sshd | N/A
PC used by support engineers | Ephemeral | All Database VMs | 3306 | mysql | TCP | mysqld |
All Database VMs | 123 | NTP server | 123 | NTP | UDP | ntpd |
All Database VMs | Ephemeral | External syslog server | 514 | syslog | TCP | syslog | External syslog forwarding is disabled by default. The Transport Layer Security (TLS) encryption is configurable.
All Database VMs | Ephemeral | External syslog server | 514 | syslog | UDP | syslog | External syslog forwarding is disabled by default.

Table 25: Ports opened externally on database VMs

Table 26: Ports opened internally on database VMs lists the ports opened internally (access from
outside of EdenNet should not be allowed) on Database VMs.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | ------------------- | --------
GUI Server | Ephemeral | GUI DB server | 3306 | mysql | TCP | mysqld | N/A
Central VM server | Ephemeral | Central VM DB server | 3306 | mysql | TCP | mysqld |
KPI Supplier Server | Ephemeral | KPI Supplier DB Server | 3306 | mysql | TCP | mysqld |
DB server | Ephemeral | EdenNet servers | 22 | SSH | TCP | sshd |
GUI Server | Ephemeral | Central VM DB Server | 389 | LDAP | TCP | ns-slapd |
Selfmon Node | Ephemeral | All Database VMs | 10050 | zabbix-agent | TCP | zabbix_agentd |
All Database VMs | Ephemeral | Selfmon Node | 10051 | zabbix-trapper | TCP | zabbix_server |
Central DB VM | Ephemeral | Central DB VM | 8942 | CQL | TCP | cassandra |
Central VM | Ephemeral | Central DB VM | 8942 | CQL | TCP | cassandra |
Central DB VM | Ephemeral | Central DB VM | 7000 | Cassandra inter-node communication | TCP | cassandra | Not used, cannot be disabled thus limited to localhost
Central DB VM | Ephemeral | Central DB VM | 7199 | JMX | TCP | cassandra | Not used, cannot be disabled thus limited to localhost
Task servers | Ephemeral | Central DB VM | 3306 | mysqld | No | Yes |

Table 26: Ports opened internally on database VMs

15.1.3 FM Service nodes


Table 27: Ports opened externally on FM Service node lists the ports opened externally (access from
outside of EdenNet should be allowed) on Fault Management (FM) Service nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | ------------------- | --------
PC used by support engineers | Ephemeral | FM Service | 22 | SSH | TCP | sshd |
OSSes | Every Operations Support System (OSS) uses a different set of ports. For more information, check the iSDK integration guides | FM Service | 42101 | IIOP | TCP | orbd |
FM Service Server | 123 | NTP | 123 | NTP | UDP | ntpd |
EdenNet's Central VM | Ephemeral | FM Service | 9401 | HTTP | TCP | fmaccess |

Table 27: Ports opened externally on FM Service node

Table 28: Ports opened internally on FM Service node lists the ports opened internally (access from
outside of EdenNet should not be allowed) on FM Service nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | ------------------- | --------
FM Service | Ephemeral | FM Service | 45600 | JMX | TCP | fmpipe | ActiveMQ broker
FM Service | Ephemeral | FM Service | 6155 | ActiveMQ multicast | UDP | servicemix | For auto-discovering brokers
FM Service | Ephemeral | FM Service | 42100 | IIOP | TCP | orbd |
FM Service | Ephemeral | FM Service | 42102 | IIOP | TCP | orbd |
FM Service | Ephemeral | EdenNet's Central VM | 22 | SSH | TCP | sshd |
FM Service | Ephemeral | FM DB | 5432 | postgresql | TCP | postgresql |
FM Service | Ephemeral | FM Service | 1099 | RMI | TCP | servicemix |

Table 28: Ports opened internally on FM Service node


15.1.4 FM DB nodes

Table 29: Ports opened externally on FM DB nodes lists the ports opened externally (access from
outside of EdenNet should be allowed) on FM DB nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | -------------------
PC used by support engineers | Ephemeral | FM DB | 22 | ssh | TCP | sshd
FM DB | 123 | NTP server | 123 | NTP | UDP | ntpd

Table 29: Ports opened externally on FM DB nodes

Table 30: Ports opened internally on FM DB nodes lists the ports opened internally (access from
outside of EdenNet should not be allowed) on FM DB nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
------------- | ----------- | ------------------ | ---------------- | -------------------------- | ------------------------ | -------------------
FM Service | Ephemeral | FM DB | 5432 | postgresql | TCP | postgresql
FM DB | Ephemeral | FM Service | 22 | SSH | TCP | sshd

Table 30: Ports opened internally on FM DB nodes

15.1.5 Workflow engine nodes


Table 31: Ports opened externally on Workflow engine nodes lists ports opened externally (access from outside of EdenNet should be allowed) on Workflow Engine nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
PC used by support engineers | Ephemeral | Workflow Engine | 22 | SSH | TCP | sshd |
PC used by EdenNet users | Ephemeral | Workflow Engine | 8080 | HTTP | TCP | tomcat |
PC used by EdenNet users | Ephemeral | Workflow Engine | 80 | HTTP | TCP | tomcat | Redirection to port 8080 via iptables
PC used by EdenNet users | Ephemeral | Workflow Engine | 8443 | HTTPS | TCP | tomcat |
PC used by EdenNet users | Ephemeral | Workflow Engine | 443 | HTTPS | TCP | tomcat | Redirection to port 443 via iptables
Workflow Engine | 123 | NTP Server | 123 | NTP | UDP | ntpd |
Workflow Engine | Ephemeral | FAME VM | 4240 | HTTP | TCP | mml_engine |
Workflow Engine | Ephemeral | All NetAct WAS nodes | 80 | HTTP | TCP | IHS | Port 80 or 443 is used depending on configuration
Workflow Engine | Ephemeral | All NetAct WAS nodes | 443 | HTTPS | TCP | IHS | Port 80 or 443 is used depending on configuration
Workflow Engine | Ephemeral | All NetAct WAS nodes | 9999 | HTTPS | TCP | IHS |
Workflow Engine | Ephemeral | NetAct DB node | 1521 | Oracle TNS | TCP | Oracle |
Workflow Engine | Ephemeral | NetAct DMGR | 22 | SSH | TCP | sshd | Needed during installation to deploy certificate
FAME VM | Ephemeral | Workflow Engine | 8080 | HTTP | TCP | tomcat |
All NetAct WAS nodes | Ephemeral | Workflow Engine | 8443 | HTTPS | TCP | tomcat | CM notifications: port 8080 or 8443 is used depending on configuration
All NetAct WAS nodes | Ephemeral | Workflow Engine | 8080 | HTTP | TCP | tomcat | CM notifications: port 8080 or 8443 is used depending on configuration

Table 31: Ports opened externally on Workflow engine nodes

Table 32: Ports opened internally on Workflow engine nodes lists ports opened internally (access from outside of EdenNet should not be allowed) on Workflow Engine nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
localhost | Ephemeral | Workflow Engine | 8009 | AJP | TCP | tomcat
Workflow Engine | Ephemeral | All EdenNet servers | 22 | SSH | TCP | sshd
Workflow Engine | Ephemeral | Common PostgreSQL | 5432 | postgresql | TCP | postgresql
Workflow Engine | Ephemeral | GUI server | 9600 | HTTP | TCP | nginx

Table 32: Ports opened internally on Workflow engine nodes
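The rows of these tables are the specification; the host firewall is what enforces them. The following script is an added example and is not Nokia's tooling or part of the EdenNet documentation: it turns a port table into the inbound iptables rules for one node, emitting one ACCEPT per distinct transport/port pair and a nat REDIRECT for rows whose Comments column documents one, and it refuses to emit a redirect whose target port is not itself accepted. The rule list is a constructed subset of Table 31 for the Workflow Engine; the 443 to 8443 redirect target is an assumption that mirrors the documented 80 to 8080 redirect.

```python
"""Derive inbound iptables rules for one EdenNet node from its firewall port table.

Added example (not Nokia's tooling). WORKFLOW_ENGINE_EXTERNAL is a constructed
subset of Table 31; the 443 -> 8443 redirect target is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortRule:
    source: str
    source_port: str               # "Ephemeral" or a fixed port, as in the tables
    destination: str
    dest_port: int
    app_protocol: str
    transport: str                 # "TCP" or "UDP"
    service: str
    redirect_to: Optional[int] = None   # Comments: "Redirection to port N via iptables"


# Constructed subset of Table 31 (Workflow Engine, ports opened externally).
WORKFLOW_ENGINE_EXTERNAL: List[PortRule] = [
    PortRule("PC used by support engineers", "Ephemeral", "Workflow Engine", 22, "SSH", "TCP", "sshd"),
    PortRule("PC used by EdenNet users", "Ephemeral", "Workflow Engine", 8080, "HTTP", "TCP", "tomcat"),
    PortRule("PC used by EdenNet users", "Ephemeral", "Workflow Engine", 80, "HTTP", "TCP", "tomcat", redirect_to=8080),
    PortRule("PC used by EdenNet users", "Ephemeral", "Workflow Engine", 8443, "HTTPS", "TCP", "tomcat"),
    # redirect_to=8443 is an assumption mirroring the 80 -> 8080 row
    PortRule("PC used by EdenNet users", "Ephemeral", "Workflow Engine", 443, "HTTPS", "TCP", "tomcat", redirect_to=8443),
    PortRule("Workflow Engine", "123", "NTP Server", 123, "NTP", "UDP", "ntpd"),
    PortRule("Workflow Engine", "Ephemeral", "FAME VM", 4240, "HTTP", "TCP", "mml_engine"),
    PortRule("FAME VM", "Ephemeral", "Workflow Engine", 8080, "HTTP", "TCP", "tomcat"),
    PortRule("All NetAct WAS nodes", "Ephemeral", "Workflow Engine", 8443, "HTTPS", "TCP", "tomcat"),
]


def open_ports(table: List[PortRule], node: str) -> List[Tuple[str, int]]:
    """Distinct (transport, port) pairs the table opens towards `node`, sorted."""
    return sorted({(r.transport.lower(), r.dest_port) for r in table if r.destination == node})


def generate_iptables(table: List[PortRule], node: str) -> List[str]:
    """iptables commands implementing the inbound side of the table for `node`.

    Default-deny INPUT, allow loopback and established flows, then one ACCEPT per
    distinct (transport, port). Redirected ports get only a nat PREROUTING REDIRECT:
    after the rewrite the filter table sees the target port, so that port must be
    accepted, and the function raises if the table does not open it.
    """
    cmds = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    accepted = set()
    redirects = []
    for r in table:
        if r.destination != node:
            continue
        proto = r.transport.lower()
        if r.redirect_to is not None:
            redirects.append((proto, r.dest_port, r.redirect_to))
            continue
        if (proto, r.dest_port) in accepted:       # e.g. 8080 is listed for two source systems
            continue
        accepted.add((proto, r.dest_port))
        cmds.append(
            f"iptables -A INPUT -p {proto} --dport {r.dest_port} -m conntrack --ctstate NEW "
            f'-m comment --comment "{r.service} {r.app_protocol}" -j ACCEPT'
        )
    for proto, port, target in redirects:
        if (proto, target) not in accepted:
            raise ValueError(f"redirect {proto}/{port} -> {target}: target port is not accepted")
        cmds.append(
            f"iptables -t nat -A PREROUTING -p {proto} --dport {port} -j REDIRECT --to-ports {target}"
        )
    return cmds


if __name__ == "__main__":
    print("\n".join(generate_iptables(WORKFLOW_ENGINE_EXTERNAL, "Workflow Engine")))
```

Rows where the node is the source (NTP, FAME VM, NetAct) produce nothing here because they describe outbound connections; the ESTABLISHED,RELATED rule admits their replies. The redirect check matters in practice: a REDIRECT to a port the filter table drops silently breaks the documented 80/443 entry points.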

15.1.6 Spark Primary nodes


Table 33: Ports opened externally on Spark Primary node lists ports opened externally (access from outside of EdenNet should be allowed) on Spark Primary node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
PC used by EdenNet users | Ephemeral | Spark Primary VM | 22 | SSH | TCP | sshd

Table 33: Ports opened externally on Spark Primary node

Table 34: Ports opened internally on Spark Primary node lists ports opened internally (access from outside of EdenNet should not be allowed) on Spark Primary node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
Spark Secondary VMs | Ephemeral | Spark Primary VM | 7077 | spark | TCP | spark_primary |
Spark Secondary VMs | Ephemeral | Spark Primary VM | 8100 | spark | TCP | spark_primary | For spark application driver
Spark Secondary VMs | Ephemeral | Spark Primary VM | 8101 | spark | TCP | spark_primary | For spark block manager
Spark Secondary VMs | Ephemeral | Spark Primary VM | 8200 | spark | TCP | spark_job_server | For job server driver
Spark Secondary VMs | Ephemeral | Spark Primary VM | 8201 | spark | TCP | spark_job_server | For job server block manager
Task servers | Ephemeral | Spark Primary VM | 8090 | spark | TCP | spark_job_server | For submitting spark jobs
Spark Secondary VMs | Ephemeral | Spark Primary VM | 111 | portmap | TCP | rpcbind | For NFS
Spark Secondary VMs | Ephemeral | Spark Primary VM | 111 | portmap | UDP | rpcbind | For NFS
Spark Secondary VMs | Ephemeral | Spark Primary VM | 892 | NFS MOUNT | TCP | rpc.mountd | For NFS
Spark Secondary VMs | Ephemeral | Spark Primary VM | 892 | NFS MOUNT | UDP | rpc.mountd | For NFS
Spark Secondary VMs | Ephemeral | Spark Primary VM | 2049 | NFS | TCP | nfsd | For NFS
Spark Secondary VMs | Ephemeral | Spark Primary VM | 2049 | NFS | UDP | nfsd | For NFS

Table 34: Ports opened internally on Spark Primary node

15.1.7 Spark Secondary nodes


Table 35: Ports opened externally on Spark Secondary node lists the ports opened externally (access from outside of EdenNet should be allowed) on Spark Secondary nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
PC used by support engineers | Ephemeral | All Spark Secondary VMs | 22 | SSH | TCP | sshd

Table 35: Ports opened externally on Spark Secondary node

Table 36: Ports opened internally on Spark Secondary nodes lists the ports opened internally (access from outside of EdenNet should not be allowed) on Spark Secondary nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
Spark Secondary VM | Ephemeral | All Spark Secondary VMs | 8101-8126 | spark | TCP | spark_secondary | For Spark Secondary block manager
Spark Secondary VM | Ephemeral | All Spark Secondary VMs | 8201-8220 | spark | TCP | spark_secondary | For Spark Secondary block manager

Table 36: Ports opened internally on Spark Secondary nodes

15.1.8 Cassandra DB Server nodes


Table 37: Ports opened externally on Cassandra DB Server nodes lists the ports opened externally (access from outside of EdenNet should be allowed) on Cassandra DB Server nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
PC used by support engineers | Ephemeral | All Cassandra DB Server VMs | 22 | SSH | TCP | sshd

Table 37: Ports opened externally on Cassandra DB Server nodes

Table 38: Ports opened internally on Cassandra DB Server nodes lists the ports opened internally (access from outside of EdenNet should not be allowed) on Cassandra DB Server nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
All Spark Secondary VMs | Ephemeral | Cassandra DB Server VM | 7000 | Cassandra Storage | TCP | Cassandra | For Cassandra intra-cluster communication
All Spark Secondary VMs | Ephemeral | Cassandra DB Server VM | 9042 | Cassandra CQL | TCP | Cassandra | For Cassandra native transport

Table 38: Ports opened internally on Cassandra DB Server nodes

15.1.9 Crowd Cell Controller nodes


Table 39: Ports opened externally on CCC nodes lists the ports opened externally (access from outside of EdenNet should be allowed) on Crowd Cell Controller (CCC) server nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
PC used by support engineers | Ephemeral | Crowd Cell Controller VMs | 22 | SSH | TCP | sshd |
Crowd Cell Controller VM | Ephemeral | Crowd Cell device | 5683 | CoAP | UDP | lwm2m_mediation | Machine to Machine communication with devices

Table 39: Ports opened externally on CCC nodes

Table 40: Ports opened internally on CCC nodes lists ports opened internally (access from inside EdenNet should be allowed) on CCC nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
Crowd Cell Controller VM | Ephemeral | Crowd Cell Controller VMs | 9160 | Thrift | TCP | cassandra | Cassandra client port (Thrift)
Crowd Cell Controller VM | Ephemeral | Crowd Cell Controller Node-LWM2M Mediation server | 8000 | HTTP | TCP | http | Generic IoT server used by EdenNet
Application server VMs | Ephemeral | Crowd Cell Controller Node-lwm2m_service | 8084 | HTTP | TCP | http | CCC service used by EdenNet modules
Crowd Cell Controller VM | Ephemeral | Crowd Cell Controller VMs | 9042 | Cassandra CQL | TCP | cassandra | CQL native clients port

Table 40: Ports opened internally on CCC nodes


15.1.10 AC Application node


Table 41: AC Application node (ports opened externally) lists ports opened externally (access from outside of EdenNet should be allowed) on the AC Application node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
AC Installation Server | Ephemeral | AC Application Server | 22 | SSH | TCP | sshd | Required during installation
AC Installation Server | Ephemeral | AC Database Server | 22 | SSH | TCP | sshd | Required during installation
AC Installation Server | Ephemeral | AC Keycloak Server | 22 | SSH | TCP | sshd | Required during installation
AC Installation Server | Ephemeral | AC Zabbix Server | 22 | SSH | TCP | sshd | Required during installation
AC Application Server | Ephemeral | Huawei U2000 | 22, 31100, 31600 | SSH, IIOP, IIOP SSL | SFTP, TCP | sshd | AC uploads compressed files containing the complete Huawei configuration via SFTP. Files can be several 100 MB per upload. Configuration files containing planned changes are downloaded to U2000 whenever changes are activated. These files range from a few kB to MB depending on the number of changes.
AC Application Server | Ephemeral | Ericsson OSS-RC | 22 | SSH | SFTP | sshd | AC uploads compressed files containing the complete Ericsson OSS-RC configuration via SFTP. Files can be several 100 MB per upload. Configuration files containing planned changes are downloaded to the Ericsson OSS-RC whenever changes are activated. These files range from a few kB to MB depending on the number of changes.
AC Application Server | Ephemeral | Ericsson ENM | 443 | HTTPS | TCP | - | AC uploads compressed files containing the complete Ericsson ENM configuration via HTTPS. Files can be several 100 MB per upload. Configuration files containing planned changes are downloaded to the Ericsson ENM whenever changes are activated. These files range from a few kB to MB depending on the number of changes.
AC Application Server | Ephemeral | NetAct WebSphere load balancer | 443 | HTTPS | TCP | - | Configuration files containing planned changes are downloaded to NetAct whenever changes are activated. These files range from a few kB to MB depending on the number of changes.
NetAct WebSphere Application servers | Ephemeral | AC Application Server | 80, 443 | HTTP, HTTPS | - | | AC uploads compressed files containing the complete NetAct configuration via HTTPS. Files can be several 100 MB per upload. NetAct sends CM change events to AC every 30 seconds (if any). The event file size ranges from a few kB to MB depending on the number of changes.
User workstation SSH client | Ephemeral | AC Installation Server | 22 | SSH | | sshd |
User workstation SSH client | Ephemeral | AC Application Server | 22 | SSH | | sshd |
User workstation AC Java WebStart Client, Internet browser | Ephemeral | AC Application Server | 80, 443, 8080 and 8443 | HTTP and HTTPS | | keycloak | AC Java WebStart GUIs receive operation feedback and status change messages (a few kB per minute) from the AC Application server VMs. Exports of large plans or other configurations using the GUIs might fetch a few hundred MB of data from the AC Application server VMs.
User workstation AC Java WebStart Client, Internet browser | Ephemeral | AC Keycloak Server | 443 | HTTPS | | zabbix | The data size is a few kB per second when the user logs in to the AC Start Page.
User workstation Internet browser | Ephemeral | AC Zabbix Server | 443 | HTTPS | | | The data size is a few kB per second while browsing performance data.

Table 41: AC Application node (ports opened externally)

Table 42: AC Application node (ports opened internally) lists ports opened internally (access from outside of EdenNet should not be allowed) on AC Application node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
Central VM | Ephemeral | AC App Server VM | 8443 | HTTPS | TCP | JBoss AS | CM Open API
Central VM | Ephemeral | AC App Server VM | 8080 | HTTP | TCP | JBoss AS | CM Open API
AC App Server VM | Ephemeral | Central VM | 9600 | HTTP | TCP | NADC EMS Service | CM notifications
AC Application Server | Ephemeral | AC Database Server | 5432 | JDBC | TCP | postgresql | Encrypted Postgres JDBC Connection
AC Application Server | Ephemeral | AC Keycloak Server | 443 | HTTPS | TCP | keycloak |
AC Zabbix Server | Ephemeral | AC Application Server | 10050 | HTTP | TCP | selfmon |
All AC VMs | Ephemeral | AC Zabbix Server | 10051 | HTTP | TCP | Zabbix |
EdenNet | Ephemeral | AC Application Server | 80, 443 | HTTP, HTTPS | TCP | nginx |
AC Application Server | Ephemeral | EdenNet | 80, 443 | HTTP, HTTPS | TCP | nginx |
AC Application Server | Ephemeral | EdenNet | 9600 | HTTPS | TCP | nginx |

Table 42: AC Application node (ports opened internally)

15.1.11 AC Database node


Table 43: AC Database Node (ports opened externally) lists the ports opened externally (access from outside of EdenNet should be allowed) on AC Database node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
PC used by support engineers | Ephemeral | AC DB VM | 22 | SSH | TCP | sshd |
AC DB VM | 123 | NTP Server | 123 | NTP | UDP | ntpd |

Table 43: AC Database Node (ports opened externally)

Table 44: AC Database Node (ports opened internally) lists the ports opened internally (access from outside of EdenNet should be allowed) on AC Database node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
AC App VM | Ephemeral | AC DB VM | 5432 | postgresql | TCP | postgresql |

Table 44: AC Database Node (ports opened internally)

15.1.12 Selfmon node


Table 45: Ports opened externally on Selfmon nodes lists the ports opened externally (access from outside of EdenNet should be allowed) on Selfmon nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
PC used by support engineers | Ephemeral | Selfmon Node | 22 | SSH | TCP | sshd | N/A
PC used by EdenNet users | Ephemeral | Selfmon Node | 443 | HTTPS | TCP | httpd | N/A
Selfmon Node | 123 | NTP Server | 123 | NTP | UDP | ntpd | N/A
Selfmon Node | 162 | External monitoring system | 162 | SNMP | UDP | snmpd | Only if external monitoring system (for example, NetAct) is integrated

Table 45: Ports opened externally on Selfmon nodes

Table 46: Ports opened internally on Selfmon nodes lists the ports opened internally (access from outside of EdenNet should not be allowed) on Selfmon nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
Selfmon Node | Ephemeral | All EdenNet servers | 10050 | zabbix-agent | TCP | zabbix_agentd
All EdenNet servers | Ephemeral | Selfmon Node | 10051 | zabbix-trapper | TCP | zabbix_server
Selfmon Node | Ephemeral | All EdenNet servers | 22 | SSH | TCP | sshd
Selfmon Node | Ephemeral | ESXi host | 161 | SNMP | TCP | snmpd
Selfmon Node | Ephemeral | Selfmon DB | 3306 | mysql | TCP | mysqld

Table 46: Ports opened internally on Selfmon nodes

15.1.13 Backup and Restore: Avamar Enterprise Edition (AVE)


Table 47: Ports opened externally on AVE nodes lists the ports opened externally (access from outside of EdenNet should be allowed) on Avamar Enterprise Edition (AVE) nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
SSH Client, vSphere Web Client | Ephemeral | AVE | 22 | SSH | TCP | sshd | CLI maintenance connection to esxi hosts
vSphere Web Client | Ephemeral | AVE | 7543 | HTTPS | TCP | AVE server | AVE appliance management. Tomcat server redirects the packets to AVE appliance on 7543 port
vSphere Web Client | Ephemeral | vCenter server | 9443 | HTTPS | TCP | vCenter | vSphere Web Client HTTPS
AVE Node | 123 | NTP Server | 123 | NTP | UDP | ntpd | NTP

Table 47: Ports opened externally on AVE nodes

Table 48: Ports opened internally on AVE nodes lists the ports opened internally (access from outside of EdenNet should not be allowed) on Avamar Enterprise Edition (AVE) nodes.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
AVE Node | Ephemeral | vCenter Server | 80 | HTTP | TCP | vCenter | vCenter Server requires port 80 for direct HTTP connections and licensing
AVE host | Ephemeral | vSphere Server | 111 | portmap | UDP | vCenter | rpcbind
vSphere Web Client | Ephemeral | vCenter Server | 443 | HTTPS | TCP | vCenter | The default port that the vCenter Server system uses to listen for connections from the vSphere Client.
AVE Node | Ephemeral | vCenter Server | 902 | Heartbeat | TCP | vCenter | Managed hosts send a regular heartbeat over UDP port 902 to the vCenter Server system.
AVE Node | Ephemeral | vCenter Server | 7444 | HTTPS | TCP | vCenter | vCenter Single Sign On HTTPS

Table 48: Ports opened internally on AVE nodes

Note: For the additional data ports that are required, see the Avamar reference documents
section in the EdenNet Backup and Restore document.

15.1.14 Control Server (Installation Server)


Table 49: Ports opened externally on Control Server (Installation Server) lists the ports opened externally (access from outside of EdenNet should be allowed) on Control Server.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
PC used by installation engineer | Ephemeral | Control server | 22 | SSH | TCP | sshd

Table 49: Ports opened externally on Control Server (Installation Server)

Table 50: Ports opened internally on Control Server (Installation Server) lists the ports opened internally (access from outside of EdenNet should not be allowed) on Control Server.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
Control server | Ephemeral | All EdenNet servers | 22 | SSH | TCP | sshd | SSH is used for installation
Control server | Ephemeral | All Database VMs | 3306 | mysql | TCP | mysqld | To access the databases for verifying the installation (not required during installation)

Table 50: Ports opened internally on Control Server (Installation Server)

15.1.15 FAME node

Note: The Fast Asynchronous MML Engine (FAME) Virtual Machine (VM) is deployed in NetAct virtual infrastructure, so the configuration of the firewall protecting NetAct must be adjusted.

Table 51: Ports opened externally on FAME node lists the ports opened externally (access from outside of NetAct should be allowed) on FAME node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service
PC used by support engineers | Ephemeral | FAME VM | 22 | SSH | TCP | sshd
Workflow Engine | Ephemeral | FAME VM | 4240 | HTTP | TCP | mml_engine
FAME VM | Ephemeral | Workflow Engine | 8080 | HTTP | TCP | tomcat

Table 51: Ports opened externally on FAME node

Table 52: Ports opened internally on FAME node lists the ports opened internally (access from outside of NetAct should not be allowed) on FAME node.

Source system | Source port | Destination system | Destination port | Application layer protocol | Transport layer protocol | Destination service | Comments
FAME VM | Ephemeral | NetAct lbwas | 80 | HTTP | TCP | IHS | Port 80 or 443 is used depending on the configuration
FAME VM | Ephemeral | NetAct lbwas | 443 | HTTPS | TCP | IHS | Port 80 or 443 is used depending on the configuration
FAME VM | Ephemeral | NetAct DB node | 1521 | Oracle TNS | TCP | oracle |
FAME VM | Ephemeral | NetAct OSI Stack node | 22 | SSH | TCP | sshd |
FAME VM | Ephemeral | NetAct lbwas | 9810 | EJB Lookup | TCP | lbwas |
FAME VM | Ephemeral | NetAct WAS | 9100 | EJB IIOP | TCP | WAS |
NetAct OSI Stack node | Ephemeral | FAME VM | 102 | ICCP | TCP | osinets |

Table 52: Ports opened internally on FAME node
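The tables in this chapter state, per node, which ports are expected to be open and from where. As an added example (not part of the EdenNet documentation or its tooling), the following script audits a node's actual listening sockets against such a table: it parses the output of `ss -Hltnup`, reports listeners the table does not mention, listeners bound to all interfaces where the table names only localhost as the source (Table 32, AJP on 8009), and documented services that are not listening at all. The expected set is constructed from Tables 31 and 32 for the Workflow Engine and the `ss` lines are constructed sample output; the process names (tomcat as a `java` process, `ntpd`) are assumptions. Ports 80 and 443 are deliberately absent from the expected set because the documented iptables redirect means no process listens on them.

```python
"""Audit a node's listening sockets against its documented port table.

Added example, not part of the EdenNet documentation. EXPECTED is constructed
from Tables 31 and 32 (Workflow Engine); SAMPLE_SS_OUTPUT is constructed
`ss -Hltnup` output. Process names are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# (transport, port) -> (expected process name, loopback-only?)
EXPECTED: Dict[Tuple[str, int], Tuple[str, bool]] = {
    ("tcp", 22): ("sshd", False),
    ("tcp", 8080): ("java", False),     # tomcat (assumed to run as a java process)
    ("tcp", 8443): ("java", False),
    ("tcp", 8009): ("java", True),      # Table 32: AJP, source system "localhost"
    ("udp", 123): ("ntpd", False),      # Table 31: NTP from source port 123
}

# Constructed sample: `ss -Hltnup` (no header, listening, numeric, tcp+udp, processes).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      100                *:8080            *:*    users:(("java",pid=1533,fd=48))
tcp   LISTEN 0      100                *:8443            *:*    users:(("java",pid=1533,fd=49))
tcp   LISTEN 0      100          0.0.0.0:8009      0.0.0.0:*    users:(("java",pid=1533,fd=50))
tcp   LISTEN 0      5            0.0.0.0:9999      0.0.0.0:*    users:(("python3",pid=2044,fd=3))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*    users:(("ntpd",pid=701,fd=16))
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
_USERS = re.compile(r'users:\(\("([^"]+)"')   # first process name in the users:(...) field


def parse_ss_line(line: str) -> Optional[dict]:
    """Split one `ss` row into proto, local address, port and process name."""
    fields = line.split()
    if len(fields) < 5:
        return None
    proto, local = fields[0], fields[4]          # Netid ... Local Address:Port
    addr, _, port = local.rpartition(":")        # rpartition handles [::]:22 and *:8080
    m = _USERS.search(line)
    return {"proto": proto, "addr": addr, "port": int(port), "process": m.group(1) if m else "?"}


def audit_listeners(ss_output: str, expected: Dict[Tuple[str, int], Tuple[str, bool]]) -> List[str]:
    """Return human-readable findings; an empty list means the host matches the table."""
    findings = []
    seen = set()
    for line in ss_output.splitlines():
        sock = parse_ss_line(line)
        if sock is None:
            continue
        key = (sock["proto"], sock["port"])
        seen.add(key)
        if key not in expected:
            findings.append(f"UNEXPECTED {key[0]}/{key[1]} bound by {sock['process']} on {sock['addr']}")
            continue
        process, loopback_only = expected[key]
        if sock["process"] != process:
            findings.append(f"WRONG PROCESS {key[0]}/{key[1]}: {sock['process']} instead of {process}")
        if loopback_only and sock["addr"] not in LOOPBACK:
            findings.append(f"EXPOSED {key[0]}/{key[1]}: documented for localhost only but bound to {sock['addr']}")
    for key, (process, _) in expected.items():
        if key not in seen:
            findings.append(f"MISSING {key[0]}/{key[1]} ({process} not listening)")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT, EXPECTED):
        print(finding)
```

The bind-address check is the one a port table alone does not give you: a service that the table scopes to localhost but that listens on 0.0.0.0 is only protected by the host firewall, so the two checks (this audit and the firewall rules) should be run together.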


16 Appendix

This section details the known issues regarding EdenNet security, and explains the reasons for not fixing these.

• In the MySQL configuration, the local_infile option is set to ON. The EdenNet security vulnerability scanners have reported this issue as a security vulnerability of MEDIUM severity.

However, setting local_infile to OFF results in functionality issues for EdenNet. Hence, this security vulnerability will not be fixed.

• In the MySQL configuration, the STRICT_ALL_TABLES option is set to OFF. The EdenNet security vulnerability scanners have reported this issue as a security vulnerability.

However, setting STRICT_ALL_TABLES to ON results in functionality issues for EdenNet. Hence, this security vulnerability will not be fixed.

• Some security audits have found that X11-related RPMs are installed in EdenNet. The security audit recommendation is to remove these RPMs.

Note: The audit tools find X11 RPMs that are related to fonts, and these are dependencies for OpenJDK 1.8. Hence, these RPMs cannot be removed, and the relevant audit finding is a false positive as these RPMs do not have any security-related impact.

• The EdenNet security vulnerability scanners report AMQP Cleartext Authentication as a security vulnerability. Disabling the cleartext authentication mechanism in the AMQP configuration results in functionality issues in EdenNet. This security vulnerability is not fixed and is considered as part of the Context Aware SON release.
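Scanners will keep reporting the two MySQL settings above on every run, so a repeatable check should separate them from new findings rather than suppress the checks. The following script is an added example, not part of the EdenNet documentation: it parses the tab-separated output of `mysql -N -e "SHOW VARIABLES"` (a constructed sample is embedded), evaluates the two settings named in this appendix, and reports each as pass, accepted (documented exception) or open. Note that `STRICT_ALL_TABLES` is a value inside the comma-separated `sql_mode` variable; the check looks for that exact token and does not treat the related `STRICT_TRANS_TABLES` mode as equivalent.

```python
"""Check MySQL variables against the two settings documented as accepted exceptions.

Added example, not part of the EdenNet documentation. SAMPLE_SHOW_VARIABLES is
a constructed copy of `mysql -N -e "SHOW VARIABLES"` output (tab separated).
"""
from typing import Dict, List, Tuple

SAMPLE_SHOW_VARIABLES = """\
local_infile\tON
port\t3306
sql_mode\tONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION
"""

# Findings this appendix documents as accepted (known, not to be fixed).
ACCEPTED_EXCEPTIONS: Dict[str, str] = {
    "local_infile": "setting OFF causes functionality issues for EdenNet (scanner severity MEDIUM)",
    "STRICT_ALL_TABLES": "setting ON causes functionality issues for EdenNet",
}


def parse_show_variables(text: str) -> Dict[str, str]:
    """Parse `name<TAB>value` lines into a dict; lines without a tab are ignored."""
    variables: Dict[str, str] = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        name, value = line.split("\t", 1)
        variables[name.strip()] = value.strip()
    return variables


def sql_modes(variables: Dict[str, str]) -> set:
    """sql_mode is a comma-separated list of mode names."""
    return {m.strip().upper() for m in variables.get("sql_mode", "").split(",") if m.strip()}


def audit_mysql(variables: Dict[str, str], accepted: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (check, status, detail) rows; status is 'pass', 'accepted' or 'open'."""
    checks = [
        ("local_infile",
         variables.get("local_infile", "").upper() != "ON",
         "local_infile is ON; baseline expects OFF"),
        ("STRICT_ALL_TABLES",
         "STRICT_ALL_TABLES" in sql_modes(variables),
         "sql_mode does not include STRICT_ALL_TABLES"),
    ]
    results = []
    for name, ok, detail in checks:
        if ok:
            results.append((name, "pass", detail))
        elif name in accepted:
            results.append((name, "accepted", accepted[name]))
        else:
            results.append((name, "open", detail))
    return results


if __name__ == "__main__":
    for row in audit_mysql(parse_show_variables(SAMPLE_SHOW_VARIABLES), ACCEPTED_EXCEPTIONS):
        print("%-20s %-9s %s" % row)
```

Running the same check with an empty exception list shows what a scanner sees; the accepted list is the place to record the justification quoted in this appendix so that the finding is tracked rather than silently dropped.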
