Chapter 18 Configuring SGM Security
This chapter provides the following information about configuring SGM security and limiting access to SGM:
• Configuring SGM User-Based Access, page 18-1
• Implementing SSL Support in SGM, page 18-26
• Limiting SGM Client Access to the SGM Server (Solaris Only), page 18-40
Configuring SGM User-Based Access
SGM enables you to control who is allowed to do what in SGM, beyond simply specifying root and non-root users. SGM calls this ability User-Based Access.
• Manually Disabling Users and Passwords (Solaris Only), page 18-14 (Optional)
• Enabling and Changing Users and Passwords (Solaris Only), page 18-16 (Optional)
• Displaying a Message of the Day, page 18-18 (Optional)
• Manually Synchronizing Local SGM Passwords, page 18-21 (Optional)
• Listing All Currently Defined Users, page 18-21 (Optional)
• Displaying the Contents of the System Security Log, page 18-22 (Optional)
• R
Step 3 If you have already configured the type of SGM security authentication you want to use, skip to Step 4. Otherwise, configure the type of SGM security authentication you want to use:
• Local authentication allows you to create user accounts and passwords local to the SGM system. When using this method, you can use the SGM User-Based Access commands to manage user names, passwords, and access levels.
To enable Solaris authentication, enter the following command:
# ./sgm authtype solaris
See the “SGM Command Reference” section on page C-1 for more information on the use of each of the above SGM commands.
Step 4 To add a user to your SGM User-Based Access authentication list, use the following command:
# ./sgm adduser username
where username is the name of the user.
Note If sgm authtype is set to solaris, users cannot change their passwords using the SGM client. Instead, they must manage their passwords on the external authentication servers, using Solaris commands such as passwd. All new passwords take effect the next time SGM automatically synchronizes local SGM passwords with Solaris, or you can manually synchronize passwords at any time using the sgm syncusers command.
• The password cannot be a common word. SGM uses the dictionary located at /usr/share/lib/dict/words to determine whether a word is common. To override the SGM dictionary, change the DICT_FILE entry in the System.
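The dictionary rule above, as an added shell example that is not SGM code: a stand-alone check that does what SGM does with DICT_FILE. The function names, the constructed four-word dictionary and the Solaris default path are assumptions made for the example. The point it makes is that the match must be whole-word, case-insensitive and literal; a plain substring grep would reject legitimate passwords that merely contain a word, and an unreadable dictionary must fail closed rather than let every candidate through.

```sh
#!/bin/sh
# Added example, not part of SGM: a stand-alone version of the
# "password cannot be a common word" check. Function names and the sample
# dictionary are assumptions made for this example.

# SGM reads its word list from DICT_FILE; the Solaris default is assumed here.
: "${DICT_FILE:=/usr/share/lib/dict/words}"

# Constructed dictionary so the example runs offline without the real file.
SGM_EXAMPLE_DICT=$(mktemp)
cat > "$SGM_EXAMPLE_DICT" <<'EOF'
apple
password
secret
sunshine
EOF

# pw_is_common WORD [DICT]: exit 0 if WORD is in the dictionary, 1 if not,
# 2 if the dictionary cannot be read.
# -x matches the whole line (so "apples4ever" is not "apple"),
# -i ignores case (so "PassWord" is still "password"),
# -F treats the candidate as a literal, never as a regular expression.
pw_is_common() {
    word=$1
    dict=${2:-$DICT_FILE}
    [ -r "$dict" ] || { echo "dictionary $dict is not readable" >&2; return 2; }
    grep -qixF -e "$word" "$dict"
}

# pw_check WORD [DICT]: exit 0 if the candidate passes the dictionary rule,
# 1 if it is a common word, 2 (fail closed) if the rule could not be applied.
# The other password rules SGM applies are not reproduced here.
pw_check() {
    pw_is_common "$1" "${2:-$DICT_FILE}"
    case $? in
        0) echo "reject: '$1' is a dictionary word" >&2; return 1 ;;
        1) echo "ok: '$1' is not a dictionary word"; return 0 ;;
        *) echo "reject: cannot read the dictionary, failing closed" >&2; return 2 ;;
    esac
}

pw_check 'Password'    "$SGM_EXAMPLE_DICT" || :   # rejected: case-insensitive hit
pw_check 'apples4ever' "$SGM_EXAMPLE_DICT" || :   # accepted: "apple" is only a substring
```

Run it as root on the SGM server with DICT_FILE pointing at whatever dictionary you configured, and it reports the same verdict SGM's dictionary rule will give before a user hits it at password-change time.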
Note Access to SGM information and downloads on Cisco.com is already protected by Cisco.com, and is not protected by SGM.
• System Data Files
– Notes
– Views
– Preferences
• Viewing SGM documentation
• Downloading client software
Power User (Level 2) Access
Power Users have access to all Basic User functions. Power Users can change some aspects of the way SGM works.
• Telnetting to the ITP
• Viewing route table files and GTT files, but not editing them
Network Operators have access to the following SGM Web displays:
• Point Code Inventories
• System Data Files
– Route table files
– Global Title Translation (GTT) table files
– System ITP IOS README
Network Administrator (Level 4) Access
Network Administrators have access to all Basic User, Power User, and Network Operator functions.
System Administrators have access to the following SGM Web displays:
• System Messages and Logs
• System Status, including User Accounts and System Troubleshooting
• Trap Host Configuration, including SNMP configuration information
• System Information
– System Command Log
– System Console Log
– System Event Automation Log
– System Install Log
– System Process Services
– System Properties
– System Report Parameters and Timers
Pa
Step 2 Enter the following command:
# cd /opt/CSCOsgm/bin
Step 3 (Optional) You can configure SGM to generate an alarm after a specified number of unsuccessful login attempts by a user. To do so, enter the following command:
# ./sgm badloginalarm number-of-attempts
where number-of-attempts is the number of unsuccessful login attempts allowed before SGM generates an alarm.
Step 5 (Optional) SGM keeps track of the date and time each user last logged in. You can configure SGM to disable a user’s security authentication automatically after a specified number of days of inactivity. To do so, enter the following command:
# ./sgm inactiveuserdays number-of-days
where number-of-days is the number of days a user can be inactive before SGM disables the user’s authentication.
If you have enabled this function and want to disable it (that is, stop SGM from forcing users to change their passwords), enter the following command:
# ./sgm passwordage clear
Note If sgm authtype is set to solaris, you cannot use the sgm passwordage command. Instead, you must manage passwords on the external authentication servers.
Step 7
Manually Disabling Users and Passwords (Solaris Only)
As described in the “Automatically Disabling Users and Passwords (Solaris Only)” section on page 18-10, you can customize SGM to automatically disable users and passwords when certain conditions are met. However, you can also manually disable SGM User-Based Access users and passwords when the need arises.
You can also re-enable the user’s authentication, either with the same password or with a new one:
• To re-enable the user’s authentication with the same password as before, use the sgm enableuser command.
• To re-enable the user’s authentication with a new password, use the sgm userpass command.
Step 5 (Optional) To disable a user’s authentication, but not the user’s password, use the following command:
# .
Enabling and Changing Users and Passwords (Solaris Only)
SGM also enables you to re-enable users and passwords, and to change user accounts. To enable and change users and passwords, use the following procedures:
Step 1 Log in as the root user, as described in the “Becoming the Root User (Solaris Only)” section on page 2-3, or as a super user, as described in the “Specifying a Super User (Solaris Only)” section on page 18-24.
Note If sgm authtype is set to solaris, you cannot use the sgm userpass command. Instead, you must manage passwords on the external authentication servers.
Step 5 (Optional) To change a user’s authentication level and password, enter the following command:
# ./sgm updateuser username
where username is the name of the user.
Step 6 (Optional) To change a user’s authentication level, but not the user’s password, enter the following command:
# ./sgm newlevel username
where username is the name of the user. SGM prompts you for the new authentication level.
• SGM displays the Message of the Day dialog (Figure 18-1).
Figure 18-1 Message of the Day Dialog
The Message of the Day dialog contains the following fields and buttons:
Message of the Day Last Updated: Date and time the message of the day was last updated. If there is no message of the day, SGM displays Unknown.
Message Field: Text of the message of the day.
Decline: Closes the Message of the Day dialog and exits the client. This button is available when there is a message of the day and you launch the SGM client or GTT client.
OK: Closes the Message of the Day dialog without exiting the client. This button is available if you displayed the Message of the Day dialog by selecting View > Message of the Day from the SGM Main Menu.
To display the contents of the message of the day file, enter the following command:
# ./sgm motd cat
To disable this function (that is, to stop displaying the message of the day whenever a user attempts to launch an SGM or GTT client), enter the following command:
# .
SGM displays the following information for each user:
• User name
• Last time the user logged in
• User’s authentication access level
• User’s current authentication status, such as Account Enabled or Password Disabled
To list information for only a specific user, enter the following command:
# ./sgm listusers username
where username is the name of the user.
• Access to all privileged files and processes
• Operating system configuration changes and program changes, at the Solaris level
• SGM restarts
• Failures of computers, programs, communications, and operations, at the Solaris level
To clear the log and restart the server, enter the following command:
# ./sgm seclog clear
The default path and filename for the system security log file is /opt/CSCOsgm/logs/sgmSecurityLog.txt.
Disabling SGM User-Based Access
You might want to completely disable SGM User-Based Access. To do so, log in as the root user, as described in the “Becoming the Root User (Solaris Only)” section on page 2-3, or as a super user, as described in the “Specifying a Super User (Solaris Only)” section on page 18-24, then enter the following commands:
# cd /opt/CSCOsgm/bin
# .
When you specify a super user, keep in mind the following considerations:
• The user must exist in the local /etc/passwd file. You cannot specify a user that is defined in a distributed Network Information Services (NIS) system.
• The super user does not have access to all SGM commands.
– sgm webport
– sgm xtermpath
• If sgm authtype is set to solaris, you must still be logged in as the root user to enter the following commands:
– sgm adduser
– sgm disableuser
– sgm enableuser
– sgm updateuser
• If the SNMP trap port number on the SGM server is less than 1024, you cannot use the sgm superuser command, because only root can bind a port below 1024.
Implementing SSL Support in SGM
• Importing an SSL Certificate to an SGM Client, page 18-33
• Exporting an SSL Certificate, page 18-34
• Viewing Detailed Information About an SSL Certificate, page 18-36
• Managing SSL Support in SGM, page 18-39
• Disabling SSL Support in SGM, page 18-39
Enabling SSL Support in SGM
To enable SSL support in SGM, perform the following tasks:
Step 1 Obtain the SSL-enabled version of SGM.
SGM generates the following files:
– /opt/CSCOsgm/etc/ssl/server.key is the SGM server’s private key. Ensure that unauthorized personnel cannot access this key.
– /opt/CSCOsgm/etc/ssl/server.cer is the self-signed SSL certificate.
– /opt/CSCOsgm/etc/ssl/server.csr is a certificate signing request (CSR). It is not used if you are using a self-signed SSL certificate.
• To use an existing signed key/certificate pair, log in as the root user on the SGM server and enter the following command:
# ./sgm keytool import_key key_filename cert_filename
where key_filename is the name of the existing SSL key and cert_filename is the name of the existing signed certificate. SGM stops the SGM server and imports the SSL key in OpenSSL format and the signed SSL certificate in X.509 format.
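Before handing a pair to sgm keytool import_key, an operator wants to know that the key and certificate actually belong together, that the certificate’s Common Name is the server’s fully qualified host name (the Subject field described later in this chapter must match it), that the certificate has not expired, and that the private key is not readable by anyone else, as the server.key note above requires. The following is an added shell example, not part of SGM or of the SGM distribution; it uses plain openssl in a scratch directory and installs nothing under /opt/CSCOsgm. The host name sgm-sun8.cisco.com is taken from this chapter; the function names, the 2048-bit RSA key size and the one-year validity are assumptions.

```sh
#!/bin/sh
# Added example, not SGM code: generate a self-signed key/certificate pair the
# way an operator would before "sgm keytool import_key", then check it.
# Function names, key size and validity period are assumptions.

WORK=$(mktemp -d)
HOST=sgm-sun8.cisco.com    # the FQDN clients use to reach the SGM server

# gen_selfsigned DIR HOST: RSA key and self-signed X.509 certificate.
# The subshell umask means the key file is never group/world-readable, not
# even for the instant between creation and chmod.
gen_selfsigned() {
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.cer" 2>/dev/null )
    chmod 0400 "$1/server.key"
    chmod 0444 "$1/server.cer"
}

# cert_cn CERT: the Common Name from the certificate subject. Handles both
# "subject=CN = host" (OpenSSL 1.1 and later) and "subject= /CN=host" (older).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_matches_cert KEY CERT: exit 0 when the certificate carries the public
# half of KEY. import_key is not documented to reject a mismatched pair, so
# compare the RSA moduli here instead of finding out at server start.
key_matches_cert() {
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: mode 0400 or 0600, i.e. no group/other permission bits.
key_is_private() {
    case $(ls -l "$1" | cut -c2-10) in
        r--------|rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# precheck DIR HOST: every check that should pass before
#   # ./sgm keytool import_key DIR/server.key DIR/server.cer
precheck() {
    key=$1/server.key; cert=$1/server.cer
    cn=$(cert_cn "$cert")
    [ "$cn" = "$2" ] || { echo "CN '$cn' does not match host '$2'" >&2; return 1; }
    key_matches_cert "$key" "$cert" || { echo "key and certificate do not match" >&2; return 1; }
    key_is_private "$key" || { echo "$key is readable by group or other" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 1; }
    echo "ok: ready for sgm keytool import_key $key $cert"
}

gen_selfsigned "$WORK" "$HOST"
precheck "$WORK" "$HOST"
```

For a CA-signed pair, skip gen_selfsigned and run precheck against the files you received; a CN that differs from the host name clients connect to is the most common reason a client refuses the certificate after import.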
Downloading the SGM Server’s Self-Signed SSL Certificate
If you have implemented Secure Sockets Layer (SSL) support in your SGM system, you can download the SGM server’s self-signed SSL certificate to all remote SGM clients that connect to the server using SSL.
Launching the SGM Certificate Tool for SSL
If you have implemented Secure Sockets Layer (SSL) support in your SGM system, you can launch the SGM Certificate Tool for SSL. The SGM Certificate Tool dialog lists all SSL certificates that have been imported by the SGM client, and enables you to import, export, and display detailed information about SSL certificates.
Figure 18-2 SGM Certificate Tool Dialog
The SGM Certificate Tool dialog displays the following information about each SSL certificate:
Issued to: Host name of the SGM server to which the SSL certificate was issued.
Issued by: Certificate authority (CA) that issued the SSL certificate. Self-signed SSL certificates display the host name of the SGM server.
Details: Displays the Certificate Information dialog, which provides detailed information about the selected certificate.
Exit: Closes the SGM Certificate Tool dialog.
Help: Displays online help for the current window.
Use the Open dialog to locate the SSL certificate that you want to import. The Open dialog for an SSL certificate provides the following fields and buttons:
Look In: Enables you to select the directory in which you want to find the SSL certificate. Either accept the default directory, or select a new directory from the drop-down list box.
To export an SSL certificate, launch the SGM SSL Certificate Tool, as described in the “Launching the SGM Certificate Tool for SSL” section on page 18-31, select a certificate from the list, then click Export. SGM displays the Save dialog for SSL certificates (Figure 18-4).
Figure 18-4 Save Dialog for SSL Certificates
Use the Save dialog to export the SSL certificate to another directory.
Files of Type: Specifies the type of file to save, and displays all files of that type in the selected directory. For SSL certificates, this field displays All files, which means files of all types are displayed in the table.
Up One Level: Displays the sub-folders and files that are in the folder that is up one level from the currently displayed folder.
Figure 18-5 Certificate Information Dialog
Cisco Signaling Gateway Manager User Guide OL-5742-01 18-37
The Certificate Information dialog displays the following detailed information for the selected SSL certificate:
Subject: Device to which the SSL certificate was issued. The Subject field always includes the Common Name (CN) of the subject, which must match the fully qualified host name of your SGM server, such as sgm-sun8.cisco.com.
Managing SSL Support in SGM
SGM enables you to perform the following tasks to make it easier to manage SSL support in SGM:
• To display the current status of SSL support in SGM, including whether SSL support is enabled or disabled and which SSL keys and certificates exist, use either the sgm ssl status or sgm sslstatus command.
• To print the SGM server’s SSL certificate in X.509 format, use the sgm keytool print_crt command.
• To remove an SSL certificate from the SGM client, launch the SGM SSL Certificate Tool. SGM lists each imported certificate. Select the certificate you want to remove, and click Remove. SGM deletes the certificate from the list. See the “Importing an SSL Certificate to an SGM Client” section on page 18-33 for more information on launching the SGM SSL Certificate Tool.
Limiting SGM Client Access to the SGM Server (Solaris Only)
Step 3 Create the ipaccess.conf file:
• To create the ipaccess.conf file and add a client IP address to the list, enter the following command:
# ./sgm ipaccess add
• To create the ipaccess.conf file and open the file to edit it directly, enter the following command:
# .
Any changes you make to the ipaccess.conf file take effect when you restart the SGM server.
SGM also enables you to limit the IP addresses that can send traps to the server by creating and maintaining the trapaccess.conf file. For more information, see the “Limiting Traps by IP Address (Solaris Only)” section on page 19-40.
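Because ipaccess.conf can be edited by hand and is only read when the server restarts, a malformed entry is not noticed until a client is unexpectedly locked out or, worse, not locked out. The following is an added shell example, not SGM code, of a pre-restart lint and lookup for such a list. It assumes the simplest format consistent with this page, one client IPv4 address per line with # comments and blank lines ignored; whether SGM accepts anything else (ranges, host names) is not stated here, so the format, the two sample files and the function names are all assumptions.

```sh
#!/bin/sh
# Added example, not SGM code: validate an ipaccess.conf-style allowlist and
# answer "is this client allowed?" from it. The file format (one IPv4 address
# per line, "#" comments, blank lines) and the function names are assumptions.

# Two constructed sample files, not real SGM configuration.
ACL_OK=$(mktemp); ACL_BAD=$(mktemp)
cat > "$ACL_OK" <<'EOF'
# NOC workstations
10.1.2.10
10.1.2.11
   10.1.2.12      # leading space and trailing comment are tolerated
EOF
cat > "$ACL_BAD" <<'EOF'
10.1.2.10
192.0.2.300      # fourth octet out of range
EOF

# is_ipv4 ADDR: exactly four dotted decimal octets, each 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# acl_lint FILE: print the normalized entries, one per line; report every
# malformed entry on stderr and exit 1 if there was any.
acl_lint() {
    tmp=$(mktemp); bad=0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" > "$tmp"
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            echo "$1: bad entry '$entry'" >&2
            bad=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $bad
}

# client_allowed FILE ADDR: exit 0 only when ADDR appears verbatim in a list
# with no malformed entries. An unlisted address and a broken file both fail
# closed: fix the file and restart the server rather than guess what SGM
# made of the bad line. grep -x prevents 10.1.2.1 matching 10.1.2.10.
client_allowed() {
    is_ipv4 "$2" || return 1
    entries=$(acl_lint "$1" 2>/dev/null) || return 1
    printf '%s\n' "$entries" | grep -qxF -e "$2"
}

acl_lint "$ACL_OK"  >/dev/null && echo "$ACL_OK: clean"
acl_lint "$ACL_BAD" >/dev/null || echo "$ACL_BAD: rejected, see stderr"
```

Run acl_lint against the live file before every restart of the SGM server; the same functions apply unchanged to trapaccess.conf, which the page describes as the corresponding list for trap senders.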