Oracle® Communications EAGLE Database Administration - System Management User's Guide
Release 46.6
E93319 Revision 1

Activating the EAGLE OA&M IP Security Enhancement Controlled Feature

This procedure is used to enable and activate the EAGLE OAM IP Security Enhancement Controlled Feature, using the feature’s part number and a feature access key.

For Release 46.5 and later, the EAGLE OA&M IP Security feature is enabled by default and the feature entry is used to control only the alarming if SSH for terminals or Security of FTP Server entries is OFF. SSH for terminals and Security of FTP Server entries are controlled via the SECU-DFLT: SSH parameter and the SECURITY parameter against the FTP server entries, respectively. The following is expected after upgrade to release 46.5 or later from release 46.4 or earlier:

  1. If the OA&M IP Security feature is currently (R46.4 or earlier) OFF, then it will remain OFF after the upgrade to R46.5.
  2. If the OA&M IP Security feature is currently (R46.4 or earlier) ON, and all the FTP Servers have Security ON and the Telnet terminals are using SSH, then it will remain ON after the upgrade to R46.5.
  3. If the OA&M IP Security feature is currently (R46.4 or earlier) ON, and there were 1 or more FTP Servers or Telnet terminals not using SSH, then it will be turned OFF after the upgrade to R46.5, so that no new alarms will be generated after the upgrade.
  4. If the OA&M IP Security feature is currently (R46.4 or earlier) OFF and SECU-DFLT-SSH parameter is ON, then the SECU-DFLT-SSH parameter will be turned OFF after the upgrade to R46.5, so that the access protocol used will not be changed after the upgrade.
  5. If the OA&M IP Security feature is currently (R46.4 or earlier) OFF and the SECURITY parameter is ON for the FTP server entry in the FTP server table, then the SECURITY parameter for the FTP server entry (except for the SFLOG FTP server entry) will be turned OFF after the upgrade to R46.5, so that the file transfer protocol used will not be changed after the upgrade.

With SSH for terminals ON, a secure shell connection is established between the EAGLE and the telnet terminals allowing passwords to be sent over the connection. This allows the EAGLE administrator to add new users to the EAGLE (with the ent-user command) and to change the passwords of existing users (with the pid parameter of the chg-user command) from a telnet terminal.

If SSH for terminals is ON, the FTRA must be configured to support secure connections to the EAGLE. Refer to the FTP Table Base Retrieval User's Guide for more information on using secure connections with the FTRA.

If Security of meas FTP Server entry is ON, the Measurements Platform must support secure FTP servers. Go to the Adding an FTP Server procedure for more information on configuring secure FTP servers for the Measurements Platform.

Similarly, if Security of FTP Server entry for any specific application (dist, db, user) is ON, the designated FTP server for the application must support secure FTP protocol.

Caution:

If the EAGLE OA&M IP Security Enhancements feature is activated with a temporary feature access key and that key expires, secure shell connections will become non-secure. Passwords can be transmitted on a non-secure connection, but cannot be assigned or changed. The ent-user command and the pid parameter of the chg-user command cannot be used. File transfers using secure FTP cannot be performed unless non-secure FTP servers are available. It is recommended that the FTRA and the Measurements Platform be configured with secure and non-secure FTP servers.
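
A check for the condition this Caution describes, as an added example that is not part of the Oracle guide: it reads saved rtrv-ctrl-feat output (in the layout shown in step 1 of the procedure) and reports whether the feature is running on a permanent, temporary, or expired key. The function names and the sample text are constructed for illustration.

```python
import re

PARTNUM = "893400001"  # part number this procedure uses for the feature

# Section headings as they appear in the rtrv-ctrl-feat output.
SECTIONS = (
    ("permanently enabled", "permanent"),
    ("temporarily enabled", "temporary"),
    ("expired temporary keys", "expired"),
)

# A data row: feature name (may contain spaces), 9-digit part number,
# then an on/off status in every section except the expired-key one.
ROW = re.compile(r"^(.+?)\s+(\d{9})\b(?:\s+(on|off)\b)?")

def feature_key_state(output, partnum=PARTNUM):
    """Return (key_state, status); key_state is 'absent' if not listed."""
    section = None
    for line in output.splitlines():
        text = line.strip()
        heading = next((name for marker, name in SECTIONS if marker in text), None)
        if heading:
            section = heading
            continue
        row = ROW.match(text)
        if row and section and row.group(2) == partnum:
            return section, row.group(3)
    return "absent", None

def key_finding(output):
    """Map the key state to the consequence the Caution describes."""
    state, status = feature_key_state(output)
    if state == "expired":
        return ("fail", "temporary key expired: SSH connections are non-secure, "
                "ent-user and chg-user:pid cannot be used")
    if state == "temporary":
        return ("warn", "temporary key: SSH connections become non-secure on expiry")
    if state == "permanent":
        return ("ok", f"permanent key, status {status}")
    return ("info", "feature not enabled")

# Constructed sample in the rtrv-ctrl-feat layout, not captured from a system.
SAMPLE_EXPIRED = """\
rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
The following features have been permanently enabled:

Feature Name              Partnum    Status  Quantity
Routesets                 893006401  on      6000

The following features have been temporarily enabled:

Feature Name              Partnum    Status  Quantity     Trial Period Left
Zero entries found.

The following features have expired temporary keys:

Feature Name              Partnum
EAGLE OAM IP Security     893400001
"""

if __name__ == "__main__":
    print(feature_key_state(SAMPLE_EXPIRED), key_finding(SAMPLE_EXPIRED)[0])
```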

To enable and activate this feature, the enable-ctrl-feat, ent-serial-num, and chg-ctrl-feat commands are used. For more information on these commands, go to the Activating Controlled Features procedure, or Commands User's Guide.

  1. Display the status of the controlled features by entering the rtrv-ctrl-feat command.

    The following is an example of the possible output.

    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    The following features have been permanently enabled:
    
    Feature Name              Partnum    Status  Quantity
    Command Class Management  893005801  off     ----
    LNP Short Message Service 893006601  on      ----
    Intermed GTT Load Sharing 893006901  off     ----
    XGTT Table Expansion      893006101  off     ----
    XMAP Table Expansion      893007710  on      3000
    Large System # Links      893005910  on      2000
    Routesets                 893006401  on      6000
    
    The following features have been temporarily enabled:
    
    Feature Name              Partnum    Status  Quantity     Trial Period Left
    Zero entries found.
    
    The following features have expired temporary keys:
    
    Feature Name              Partnum
    Zero entries found.
    

    If the rtrv-ctrl-feat output shows that the controlled feature is permanently enabled, and its status is on, no further action is necessary.

    If the controlled feature is permanently enabled, and its status is off, skip steps 2 through 6, and go to step 7.

    If the controlled feature is temporarily enabled, and you wish to permanently enable this feature, or the temporary feature access key for that feature has expired, skip steps 2 through 5, and go to step 6.

    If the controlled feature is to remain temporarily enabled, and its status is off, skip steps 2 through 6, and go to step 7. If the controlled feature is to remain temporarily enabled, and its status is on, no further action is necessary.

    Note:

    If the rtrv-ctrl-feat output in step 1 shows any controlled features, skip steps 2 through 5, and go to step 6. If the rtrv-ctrl-feat output shows only the HC-MIMSLK Capacity feature with a quantity of 64, steps 2 through 5 must be performed.
  2. Display the serial number in the database with the rtrv-serial-num command.

    This is an example of the possible output.

    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    System serial number = ntxxxxxxxxxxxxx
    
    System serial number is not locked.
    
    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    Command Completed
    

    Note:

    If the serial number is correct and locked, skip steps 3, 4, and 5, and go to step 6. If the serial number is correct but not locked, skip steps 3 and 4, and go to step 5. If the serial number is not correct, but is locked, this feature cannot be enabled and the remainder of this procedure cannot be performed. Contact the Customer Care Center to get an incorrect and locked serial number changed. Refer to My Oracle Support (MOS) for the contact information. The serial number can be found on a label affixed to the control shelf (shelf 1100).

  3. Enter the correct serial number into the database using the ent-serial-num command with the serial parameter.

    For this example, enter this command.

    ent-serial-num:serial=<EAGLE’s correct serial number>

    When this command has successfully completed, the following message should appear.

    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    ENT-SERIAL-NUM:  MASP A - COMPLTD
    
  4. Verify that the serial number entered into step 3 was entered correctly using the rtrv-serial-num command.

    This is an example of the possible output.

    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    System serial number = nt00001231
    
    System serial number is not locked.
    
    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    Command Completed
    

    If the serial number was not entered correctly, repeat steps 3 and 4 and re-enter the correct serial number.

  5. Lock the serial number in the database by entering the ent-serial-num command with the serial number shown in step 2, if the serial number shown in step 2 is correct, or with the serial number shown in step 4, if the serial number was changed in step 3, and with the lock=yes parameter.

    For this example, enter this command.

    ent-serial-num:serial=<EAGLE’s serial number>:lock=yes

    When this command has successfully completed, the following message should appear.

    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    ENT-SERIAL-NUM:  MASP A - COMPLTD
    
  6. Enable the controlled feature with either a permanent key or temporary key by entering the enable-ctrl-feat command.
    For this example, enter this command.

    enable-ctrl-feat:partnum=893400001:fak=<feature access key>

    Note:

    The values for the feature access key (the fak parameter) are provided by Oracle. If you do not have the feature access key for the SEAS over IP feature, contact your Oracle Sales Representative or Account Representative.

    When the enable-ctrl-feat command has successfully completed, this message should appear.

    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    ENABLE-CTRL-FEAT: MASP B - COMPLTD
    

    Note:

    If the feature was temporarily enabled before being permanently enabled in step 6, and the status of the temporarily enabled feature was on, skip steps 7 through 12, and go to step 13.
  7. Before the status of the EAGLE OA&M IP Security Enhancements controlled feature can be changed to on, all IPSMs, if present, must be taken out of service.

    Before the IPSMs can be taken out of service, all telnet terminals associated with the IPSMs must be taken out of service. Enter the rtrv-trm command to display the terminals in the database. The following is an example of the possible output.

    rlghncxa03w 06-10-01 16:02:08 GMT EAGLE5 39.0.0
    TRM  TYPE     COMM        FC    TMOUT MXINV DURAL
    1    VT320    9600-7-E-1  SW    30    5     99:59:59
    2    KSR      9600-7-E-1  HW    30    5     INDEF
    3    PRINTER  4800-7-E-1  HW    30    0     00:00:00
    4    VT320    2400-7-E-1  BOTH  30    5     00:30:00
    5    VT320    9600-7-O-1  NONE  30    5     00:00:30
    6    VT320    9600-7-E-2  SW    30    9     INDEF
    7    PRINTER  9600-7-N-2  HW    30    5     00:30:00
    8    KSR     19200-7-E-2  BOTH  30    5     00:30:00
    9    VT320    9600-7-E-1  SW    30    7     00:30:00
    10   VT320    9600-7-E-1  HW    30    5     00:30:00
    11   VT320    4800-7-E-1  HW    30    5     00:30:00
    12   PRINTER  9600-7-E-1  HW    30    4     00:30:00
    13   VT320    9600-7-O-1  NONE  30    5     00:30:00
    14   VT320    9600-7-E-2  SW    30    8     00:30:00
    15   VT320    9600-7-N-2  HW    30    5     00:30:00
    16   VT320    9600-7-E-2  BOTH  30    3     00:30:00
    
    TRM  TYPE      LOC              TMOUT MXINV DURAL      SECURE
    17   TELNET    2107             60    5     00:30:00
    18   TELNET    2107             60    5     00:30:00
    19   TELNET    2107             60    5     00:30:00
    20   TELNET    2107             60    5     00:30:00
    21   TELNET    2107             60    5     00:30:00
    22   TELNET    2107             60    5     00:30:00
    23   TELNET    2107             60    5     00:30:00
    24   TELNET    2107             60    5     00:30:00
    25   TELNET    2108             60    5     00:30:00
    26   TELNET    2108             60    5     00:30:00
    27   TELNET    2108             60    5     00:30:00
    28   TELNET    2108             60    5     00:30:00
    29   TELNET    2108             60    5     00:30:00
    30   TELNET    2108             60    5     00:30:00
    31   TELNET    2108             60    5     00:30:00
    32   TELNET    2108             60    5     00:30:00
    33   TELNET    2111             60    5     00:30:00
    34   TELNET    2111             60    5     00:30:00
    35   TELNET    2111             60    5     00:30:00
    36   TELNET    2111             60    5     00:30:00
    37   TELNET    2111             60    5     00:30:00
    38   TELNET    2111             60    5     00:30:00
    39   TELNET    2111             60    5     00:30:00
    40   TELNET    2111             60    5     00:30:00
    
    TRM  LOGINTMR LOGOUTTMR PNGTIMEINT PNGFAILCNT
         (sec)    (sec)     (msec)
    17   none     none      none       1
    18   none     none      none       1
    19   none     none      none       1
    20   none     none      none       1
    21   none     none      none       1
    22   none     none      none       1
    23   none     none      none       1
    24   none     none      none       1
    25   none     none      none       1
    26   none     none      none       1
    27   none     none      none       1
    28   none     none      none       1
    29   none     none      none       1
    30   none     none      none       1
    31   none     none      none       1
    32   none     none      none       1
    33   none     none      none       1
    34   none     none      none       1
    35   none     none      none       1
    36   none     none      none       1
    37   none     none      none       1
    38   none     none      none       1
    39   none     none      none       1
    40   none     none      none       1
    
    TRM  TRAF LINK SA  SYS PU  DB  UIMRD
    1    NO   YES  NO  YES NO  YES YES
    2    NO   NO   NO  NO  NO  NO  NO
    .
    .
    .
    39   NO   NO   NO  NO  NO  NO  NO
    40   NO   NO   NO  NO  NO  NO  NO
    
         APP  APP
    TRM  SERV SS  CARD CLK DBG GTT GWS MEAS MON MPS SEAS SLAN
    1    YES  YES YES  YES YES YES YES YES  YES YES NO   NO
    2    YES  YES YES  YES YES YES YES YES  YES YES NO   NO
    .
    .
    .
    39   NO   NO  NO   NO  NO  NO  NO  NO   NO  NO  NO   NO
    40   NO   NO  NO   NO  NO  NO  NO  NO   NO  NO  NO   NO
    

    Note:

    If the rtrv-trm output in step 7 shows no telnet terminals, skip steps 8 through 11, and go to step 12.
  8. Display the status of the IPSMs by entering the rept-stat-card command with the card location of each IPSM shown in the output of step 7.

    rept-stat-card:loc=2107

    This is an example of the possible output.

    rlghncxa03w 06-10-01 16:43:42 GMT  EAGLE5 36.0.0
    CARD   VERSION      TYPE      GPL        PST            SST        AST
    2107   114-001-000  IPSM      IPS        IS-NR          Active     -----
    
      ALARM STATUS       = No Alarms.
      BPDCM GPL          = 002-122-000
      IMT BUS A          = Conn
      IMT BUS B          = Conn
    Command Completed.
    

    rept-stat-card:loc=2108

    This is an example of the possible output.

    rlghncxa03w 06-10-01 16:43:42 GMT  EAGLE5 36.0.0
    CARD   VERSION      TYPE      GPL        PST            SST        AST
    2108   114-001-000  IPSM      IPS        IS-NR          Active     -----
    
      ALARM STATUS       = No Alarms.
      BPDCM GPL          = 002-122-000
      IMT BUS A          = Conn
      IMT BUS B          = Conn
    Command Completed.
    

    rept-stat-card:loc=2111

    This is an example of the possible output.

    rlghncxa03w 06-10-01 16:43:42 GMT  EAGLE5 36.0.0
    CARD   VERSION      TYPE      GPL        PST            SST        AST
    2111   114-001-000  IPSM      IPS        IS-NR          Active     -----
    
      ALARM STATUS       = No Alarms.
      BPDCM GPL          = 002-122-000
      IMT BUS A          = Conn
      IMT BUS B          = Conn
    Command Completed.
    

    If all the IPSMs are out of service, shown by the entry OOS-MT-DSBLD in the PST column, skip steps 9 and 10, and go to step 11.

  9. Display the status of the terminals by entering the rept-stat-trm command.

    This is an example of the possible output.

    rlghncxa03w 06-10-01 15:08:45 GMT EAGLE5 36.0.0
    TRM   PST           SST           AST
    1     IS-NR         Active        -----
    2     IS-NR         Active        -----
    3     IS-NR         Active        -----
    4     IS-NR         Active        -----
    5     IS-NR         Active        -----
    6     IS-NR         Active        -----
    7     IS-NR         Active        -----
    8     IS-NR         Active        -----
    9     IS-NR         Active        -----
    10    IS-NR         Active        -----
    11    IS-NR         Active        -----
    12    IS-NR         Active        -----
    13    IS-NR         Active        -----
    14    IS-NR         Active        -----
    15    IS-NR         Active        -----
    16    IS-NR         Active        -----
    17    IS-NR         Active        -----
    18    IS-NR         Active        -----
    19    IS-NR         Active        -----
    20    IS-NR         Active        -----
    21    IS-NR         Active        -----
    22    IS-NR         Active        -----
    23    IS-NR         Active        -----
    24    IS-NR         Active        -----
    25    IS-NR         Active        -----
    26    IS-NR         Active        -----
    27    IS-NR         Active        -----
    28    IS-NR         Active        -----
    29    IS-NR         Active        -----
    30    IS-NR         Active        -----
    31    IS-NR         Active        -----
    32    IS-NR         Active        -----
    33    IS-NR         Active        -----
    34    IS-NR         Active        -----
    35    IS-NR         Active        -----
    36    IS-NR         Active        -----
    37    IS-NR         Active        -----
    38    IS-NR         Active        -----
    39    IS-NR         Active        -----
    40    IS-NR         Active        -----
    
    Command Completed.
    

    Note:

    If all the terminals associated with the IPSMs being taken out of service are out of service, shown by the entry OOS-MT-DSBLD in the PST column, skip step 10 and go to step 11.

  10. Take the terminals associated with the IPSMs being taken out of service out of service, using the rmv-trm command with the terminal number shown in step 7.

    For this example, enter these commands.

    rmv-trm:trm=17

    rmv-trm:trm=18

    rmv-trm:trm=19

    rmv-trm:trm=20

    rmv-trm:trm=21

    rmv-trm:trm=22

    rmv-trm:trm=23

    rmv-trm:trm=24

    rmv-trm:trm=25

    rmv-trm:trm=26

    rmv-trm:trm=27

    rmv-trm:trm=28

    rmv-trm:trm=29

    rmv-trm:trm=30

    rmv-trm:trm=31

    rmv-trm:trm=32

    rmv-trm:trm=33

    rmv-trm:trm=34

    rmv-trm:trm=35

    rmv-trm:trm=36

    rmv-trm:trm=37

    rmv-trm:trm=38

    rmv-trm:trm=39

    rmv-trm:trm=40

    Caution:

    Placing these terminals out of service will disable any Telnet sessions running on these terminals.

    If the status of any terminals associated with the IPSM being removed shown in the PST field in step 9 is OOS-MT-DSBLD (out-of-service maintenance disabled), the terminal is already out of service and the rmv-trm command does not need to be executed for that terminal.

    When these commands have successfully completed, this message should appear.

    rlghncxa03w 06-10-01 15:08:45 GMT EAGLE5 36.0.0
    Inhibit message sent to terminal
    
    rlghncxa03w 06-10-01 15:08:45 GMT EAGLE5 36.0.0
    Command Completed.
    
  11. Place the IPSMs out of service using the rmv-card command, specifying the card location of the IPSM.

    For this example, enter this command.

    rmv-card:loc=2107

    rmv-card:loc=2108

    rmv-card:loc=2111

    When this command has successfully completed, this message should appear.

    rlghncxa03w 06-10-01 09:12:36 GMT  EAGLE5 36.0.0
    Card has been inhibited.
    
  12. The controlled feature enabled in step 6 must be activated using the chg-ctrl-feat command, specifying the controlled feature part number used in step 6 and the status=on parameter.

    For this example, enter this command.

    chg-ctrl-feat:partnum=893400001:status=on

    When the chg-ctrl-feat command has successfully completed, the following message should appear.

    rlghncxa03w 06-10-01 21:15:37 GMT EAGLE5 36.0.0
    CHG-CTRL-FEAT: MASP B - COMPLTD
    
  13. Verify the changes by entering the rtrv-ctrl-feat command with the part number specified in step 12.

    rtrv-ctrl-feat:partnum=893400001

    The following is an example of the possible output.

    rlghncxa03w 06-10-01 21:16:37 GMT EAGLE5 36.0.0
    The following features have been permanently enabled:
    Feature Name              Partnum    Status  Quantity
    EAGLE OAM IP Security     893400001  on      ----
    

    Note:

    If steps 7 through 11 were not performed, skip steps 14 and 15, and go to step 16.

  14. Place the terminals that were taken out of service in step 10 back into service by entering the rst-trm command with the terminal numbers specified in step 10.

    For this example, enter these commands.

    rst-trm:trm=17

    rst-trm:trm=18

    rst-trm:trm=19

    rst-trm:trm=20

    rst-trm:trm=21

    rst-trm:trm=22

    rst-trm:trm=23

    rst-trm:trm=24

    rst-trm:trm=25

    rst-trm:trm=26

    rst-trm:trm=27

    rst-trm:trm=28

    rst-trm:trm=29

    rst-trm:trm=30

    rst-trm:trm=31

    rst-trm:trm=32

    rst-trm:trm=33

    rst-trm:trm=34

    rst-trm:trm=35

    rst-trm:trm=36

    rst-trm:trm=37

    rst-trm:trm=38

    rst-trm:trm=39

    rst-trm:trm=40

  15. Place the IPSMs back into service by entering the rst-card command with the card locations specified in step 11.

    For this example, enter this command.

    rst-card:loc=2107

    rst-card:loc=2108

    rst-card:loc=2111

    When this command has successfully completed, this message should appear.

    rlghncxa03w 06-10-01 09:12:36 GMT  EAGLE5 36.0.0
    Card has been allowed.
    

    When the IPSMs are placed into service with the rst-card command, UIM 1494, SSH Host Keys Loaded, is displayed. UIM 1494 contains the public host key fingerprint which is used to establish a secure connection with an SSH client. If the secure connection is to be made with the FTRA, the public host key fingerprint displayed in UIM 1494 must be added to the hosts.xml file in the FTRA. Record the public host key fingerprint information displayed in UIM 1494 if a secure connection to the FTRA will be made. For more information about editing the hosts.xml file on the FTRA, see FTP Table Base Retrieval User's Guide.

  16. Back up the new changes using the chg-db:action=backup:dest=fixed command.

    These messages should appear; the active Maintenance and Administration Subsystem Processor (MASP) appears first.

    BACKUP (FIXED) : MASP A - Backup starts on active MASP.
    BACKUP (FIXED) : MASP A - Backup on active MASP to fixed disk complete.
    BACKUP (FIXED) : MASP A - Backup starts on standby MASP.
    BACKUP (FIXED) : MASP A - Backup on standby MASP to fixed disk complete.
    

Figure A-2 Activating the EAGLE OA&M IP Security Enhancement Controlled Feature (flowchart, Sheets 1 through 4 of 4)