3 Routine Procedures

This chapter explains the procedures that system administrators regularly perform. These procedures include establishing remote login procedures, starting up and shutting down the LSMS system, setting the system clock, and managing user accounts.

Introduction

The procedures in this chapter assume that you are familiar with the LSMS hardware. For more information about the hardware, refer to Application B Card Hardware and Installation Guide.

Using Login Sessions

Login sessions are used for the following user functions:

  • To use the command line for any of the following functions:
    • To access the lsmsmgr text interface, which is used for configuring and maintaining the LSMS system
    • To enter LSMS commands (generally used for managing LSMS applications); for more information, see Commands
  • To use the graphical user interface (GUI), which is generally used for the following functions:
    • Configuration (for more information, refer to Configuration Guide)
    • Database administration (for more information, refer to the Database Administrator's Guide)
    • Synchronization of the LSMS LNP database with the LNP databases at network elements (for more information, refer to LNP Database Synchronization User's Guide)

Support of Multiple Users

The LSMS allows, as a standard feature, a maximum of eight simultaneous users. The Support for Additional Users optional feature enables you to have a maximum of 25 simultaneous users. A user is defined to be any of the following:

  • lsmsmgr user (a user who logs in as the lsmsmgr user to start the lsmsmgr text interface)
  • Web-based GUI user (a user who has logged into the active server GUI over the web; this function requires the IP User Interface optional feature)
  • lsmsclaa user (a user who is using the optional LSMS Command Class Management feature)

Establishing Login Sessions

From any network-connected terminal, you can establish a variety of sessions with the active server or with a specific server in one of the following ways:

  • Display the lsmsmgr text interface of either the active server or of a specific server.
  • Display the command line of either the active server or a specific server for entering commands; see Logging In to LSMS Server Command Line.
  • Display the GUI remotely (if the optional IP User Interface feature is installed) by using a web browser; see Starting a Web-Based LSMS GUI Session.

Logging In to LSMS Server Command Line

You can log into the LSMS active server or into a specific server from any terminal that has a Secure Shell (ssh) client installed.

Note:

If your terminal does not already have ssh installed, PuTTY (Oracle does not make any representations or warranties about this product) is an open source ssh utility for Windows that you can download from the web.

You must have a user ID and password before you can log in to LSMS.

  1. From a command-line prompt on a Windows-based or Linux-based terminal, enter one of the following commands (depending on the terminal operating system) to start a secure shell session with the LSMS server:
    ssh -X <username>@<server_IP_address>

    For <username> and <server_IP_address>, specify values shown in Table 3-1 that are appropriate to the procedure you are performing:

    Table 3-1 Parameters Used in Accessing Server Command Line

    Parameter Value

    <username>

    Use one of the following:

    • lsmsmgr to access the lsmsmgr text interface for configuration, diagnostics, and other maintenance functions
    • syscheck to run the syscheck command with no options, which returns overall health checks and then exits the login session (for more information about the syscheck command, see syscheck)
    • Other user names, as directed by a procedure

    <server_IP_address>

    Use one of the following:

    • Virtual IP address (VIP) to access the LSMS Web GUI
    • IP address of the specific server, when directed by a procedure to access a particular server
  2. When prompted, enter the password associated with the user name.
  3. You can now continue with any of the following functions:
    • If you entered lsmsmgr as the username, the lsmsmgr text interface displays. You can use any of the lsmsmgr functions.

      Figure 3-1 lsmsmgr Text Interface Main Menu


      Note:

      Selections in the lsmsmgr text interface are made by either using the Up and Down Arrow keys on your keyboard or typing the first letter of any menu item to change which menu item is highlighted. When the desired menu item is highlighted, press the Enter key.

      In this manual, menu selections are indicated as a series; for example, select Maintenance, and then Start Node indicates that you should highlight the Maintenance item on the main menu, press Enter, then highlight the Start Node item on the next menu, and press Enter.

    • If you entered syscheck as the username, the command line window displays the System Health Check output. For more information about syscheck, see syscheck.
    • If you entered any other username, the command line displays a prompt that shows the username and host name, similar to the following example (in this example, the user logged in as the lsmsadm user to the server whose host name is lsmspri):

      [lsmsadm@lsmspri lsmsadm] $

      Note:

      In this manual, the prompt will be indicated simply by $.

      LSMS commands can be entered at this prompt. If you need to start an LSMS GUI session, see Starting a Web-Based LSMS GUI Session.

Logging in from One Server to the Mate’s Command Line

Sometimes it may be necessary to have access to the command line interfaces for both servers. You can log into each server separately using ssh, or you can use ssh to go back and forth between servers.

To log in from one server’s command line to the mate server’s command line, use the following procedure:

  1. Log in as any user except lsmsmgr or syscheck, using the procedure described in “Logging In to LSMS Server Command Line” to log into a server command line.
  2. Enter the following command to access the command line on the mate server:
    $ ssh mate

    If you have not previously logged into the mate, the following information displays:

    
    The authenticity of host 'mate (192.168.1.1)' can't be established.
    RSA key fingerprint is 1c:14:0e:ea:13:c8:68:07:3d:7c:4d:71:b1:0c:33:04.
    Are you sure you want to continue connecting (yes/no)?
    
    Type yes, and press Enter.
  3. When prompted, enter the password for the same user name.
  4. The prompt on your terminal now displays the host name of the mate server, and you can enter commands for the mate server.
    Following is an example of the sequence of commands and prompts that display during this procedure:
    
    [lsmsadm@lsmspri lsmsadm]$ ssh mate
    lsmsadm@mate's password:
    [lsmsadm@lsmssec lsmsadm]$
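
Before typing yes at the prompt in step 2, the fingerprint it shows can be compared with the mate's host key read from a trusted source. The following is an added example, not part of the original manual; it assumes the public key line was copied from the mate's console (for OpenSSH the default file is /etc/ssh/ssh_host_rsa_key.pub), and the key built in the code is a constructed, non-functional sample.

```python
import base64
import hashlib
import re
import struct

# Prompt text as shown on this page for a first connection to the mate.
PROMPT = """The authenticity of host 'mate (192.168.1.1)' can't be established.
RSA key fingerprint is 1c:14:0e:ea:13:c8:68:07:3d:7c:4d:71:b1:0c:33:04.
Are you sure you want to continue connecting (yes/no)?"""

_FP_RE = re.compile(
    r"key fingerprint is "
    r"((?:MD5:)?(?:[0-9a-f]{2}:){15}[0-9a-f]{2}|SHA256:[A-Za-z0-9+/]{43})"
)


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def make_sample_rsa_pubkey_line(seed: bytes) -> str:
    """Build a CONSTRUCTED ssh-rsa public key line (not a usable key)."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(modulus))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


def key_fingerprints(pubkey_line: str) -> dict:
    """Return the MD5 (legacy) and SHA256 fingerprints of a public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob carries its own type name; it must agree with the first field.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha_b64.rstrip("="),
    }


def prompt_fingerprint(prompt_text: str) -> str:
    """Extract the fingerprint string from the ssh first-connection prompt."""
    match = _FP_RE.search(prompt_text)
    if match is None:
        raise ValueError("no key fingerprint found in prompt text")
    return match.group(1)


def host_key_matches(prompt_text: str, trusted_pubkey_line: str) -> bool:
    """True only if the prompt's fingerprint belongs to the trusted key."""
    shown = prompt_fingerprint(prompt_text)
    known = key_fingerprints(trusted_pubkey_line)
    if shown.startswith("SHA256:"):
        return shown == known["sha256"]
    if shown.startswith("MD5:"):
        shown = shown[4:]
    return shown == known["md5"]


if __name__ == "__main__":
    trusted = make_sample_rsa_pubkey_line(b"mate")  # stands in for the real key
    print("fingerprint in prompt:", prompt_fingerprint(PROMPT))
    print("trusted key (MD5):    ", key_fingerprints(trusted)["md5"])
    print("safe to answer yes:   ", host_key_matches(PROMPT, trusted))
```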
    

Starting a Web-Based LSMS GUI Session

The LSMS offers, as the optional IP User Interface feature, a web-based graphical user interface (GUI) intended for remote users. The web-based GUI can be run:

  • On a PC with Microsoft® Windows installed, using Microsoft Internet Explorer (version 8.0, 9.0, 10.0, or 11.0)

    A 32-bit installation of Windows uses 32-bit Internet Explorer and 32-bit Java. A 64-bit installation of Windows includes both the 32-bit and 64-bit Internet Explorer. If you are using the 32-bit Internet Explorer, 32-bit Java is required, and if you are using the 64-bit Internet Explorer, 64-bit Java is required. You can check the Internet Explorer version by clicking on Tools, and then About Internet Explorer. If 64-bit Edition is displayed as shown in the following example, you are using the 64-bit edition. If 64-bit Edition is not displayed, you are using the 32-bit edition.

    Figure 3-2 About Internet Explorer

  • On a Linux workstation, using Mozilla® Firefox® 3.0.0 or later

The web-based GUI is accessible from any machine that can access the network on which the LSMS resides. The functionality of the web-based GUI is the same as that of the server-side GUI.

Note:

When you have completed logging into the web-based LSMS GUI, the session has these operating characteristics:
  • Pressing the Back button from the browser from which the GUI was launched terminates that GUI session. To reopen the GUI, you must click the Refresh button and begin the login process again.
  • Pressing the Refresh button from the browser from which the GUI was launched terminates that GUI session. To reopen the GUI, you must begin the login process again.
  • You cannot use a browser window that was started by selecting File > New > Window from the browser window to launch another web-based LSMS GUI session.
  • If the GUI is idle for an extended period, you may receive Server not responding or Invalid Session ID errors; close the existing GUI session and start a new GUI session.

The HTTPS support on LSMS feature allows you to configure the protocol(s) used for the GUI:

  • Secure Hypertext Transfer Protocol (HTTPS)
  • Hypertext Transfer Protocol (HTTP)
  • Both HTTPS and HTTP

Both HTTPS and HTTP are enabled by default. HTTPS supports encryption of data exchanged between the web server and the browser, thus facilitating data privacy. HTTP is not encrypted, so data sent over it can be captured and viewed with any network analyzer.

A script (/usr/TKLC/lsms/bin/httpConfig.pl) is provided to toggle between protocols or to check what is currently enabled. The script can be run by the lsmsadm user with one of the following parameters:

  • https: Results in HTTPS being enabled and HTTP being disabled.
  • http: Results in HTTP being enabled and HTTPS being disabled.
  • both: Results in both HTTPS and HTTP being enabled. This is the default.
  • status: Displays whether HTTPS and HTTP are enabled or disabled.

Note:

After changing the protocol, the GUI must be refreshed to reflect the changes. A GUI notification will be displayed.
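
After switching protocols with httpConfig.pl, the result can be confirmed from a client by checking which GUI ports still accept connections. This is an added example, not part of the original manual or the LSMS software; the mode names are the script parameters listed above, port 8200 is the HTTP port given on this page, port 443 is assumed because the HTTPS URL carries no port, and the address in the demo is a placeholder.

```python
import socket

# Which listeners each httpConfig.pl mode should leave reachable.
EXPECTED = {
    "https": {"https": True, "http": False},
    "http": {"https": False, "http": True},
    "both": {"https": True, "http": True},
}
# 8200 is from this page; 443 is the HTTPS default (assumption, see lead-in).
DEFAULT_PORTS = {"https": 443, "http": 8200}


def port_accepts(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_gui_protocols(host, mode, ports=None, timeout=3.0):
    """Compare reachable GUI ports with what the selected mode should allow.

    Returns a list of findings; an empty list means the ports match the mode.
    A TCP connect only proves that something is listening, and a firewall in
    the path can hide a listener, so run this from the network the GUI users
    are on.
    """
    if mode not in EXPECTED:
        raise ValueError("mode must be one of: " + ", ".join(sorted(EXPECTED)))
    ports = {**DEFAULT_PORTS, **(ports or {})}
    findings = []
    for proto, should_listen in EXPECTED[mode].items():
        port = ports[proto]
        listening = port_accepts(host, port, timeout)
        if listening and not should_listen:
            findings.append(
                f"{proto} port {port} still accepts connections "
                f"although mode '{mode}' disables it"
            )
        elif should_listen and not listening:
            findings.append(
                f"{proto} port {port} is not reachable "
                f"although mode '{mode}' enables it"
            )
    return findings


if __name__ == "__main__":
    vip = "192.0.2.50"  # placeholder for <VIP_address>
    for finding in audit_gui_protocols(vip, "https") or ["ports match mode"]:
        print(finding)
```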

To start the web-based GUI, verify that the IP User Interface feature has been activated, and then perform the following procedure:

  1. Start your web browser (Mozilla® Firefox® or Internet Explorer).
  2. Specify https or http followed by the LSMS Virtual IP (VIP) address in the Location: or Address: field, or the application VIP in a segmented network. For http, add :8200.
    • https://<VIP_address>
    • http://<VIP_address>:8200
    The <VIP_address> is the Virtual IP address used by your LSMS system. (The VIP address is always associated with the active server; when switchover occurs, the VIP address association is switched over from the previously active server to the newly active server.)
  3. Press Return and the Oracle Communications LSMS start page is displayed.

    Note:

    If using HTTPS, you must click through some security warnings that are displayed, which differ depending on the browser in use:
    • For Internet Explorer, click on Continue to this website (not recommended) on the following screen:

      Figure 3-3 Problem with Security Certificate

    • For Mozilla Firefox, click on I Understand the Risks on the following screen:

      Figure 3-4 Connection is Untrusted

      Then click on Add Exception on the following screen:

      Figure 3-5 Connection is Untrusted (continued)

      Then enter the site in the Location field and click on Confirm Security Exception:

      Figure 3-6 Add Exception for Untrusted Connection

    The Oracle Communications LSMS start page displays:

    Figure 3-7 Oracle Communications LSMS Start Page

  4. If you are logging in for the first time from this terminal, click the Java Setup button and follow the instructions on the displayed page to install a Java plug-in and set up a security policy.
    Otherwise, go to step 5.
  5. Open the Java Control Panel for your terminal, go to the Security tab as shown in Figure 3-8, and click on Edit Site List.

    Note:

    • The actual screens displayed might differ from these examples depending upon the specific Java version in use.
    • If using both https and http, both must be added to the exception site list (https://<VIP_address> and http://<VIP_address>:8200).

    Figure 3-8 Security Tab of Java Control Panel

  6. After clicking on Edit Site List, click on Add:

    Figure 3-9 Adding to the Exception Site List

  7. Type in the location of your LSMS server (https://IP_address or http://IP_address:8200):

    Figure 3-10 Adding the LSMS Server to the Exception Site List

  8. Click OK.
    The Security tab will now show the server in the Exception Site List, as shown in the following example:

    Figure 3-11 Exception Site List Including the LSMS Server

    Note:

    If you are adding an http site, a warning similar to the following warning is displayed:

    Figure 3-12 Security Warning for HTTP Location

    Click Continue to add the server to the Exception Site List.

  9. Click OK to exit the Java Control Panel and return to the GUI.
  10. If using HTTPS and Internet Explorer, install the security certificate as follows. Otherwise, go to step 11.
    1. Back at the Oracle Communications LSMS Start Page, click on Certificate error at the right of the address bar, and then click on View certificates in the popup window titled Certificate Invalid.

      Figure 3-13 Certificate Error

      The Certificate screen is displayed:

      Figure 3-14 Certificate Screen

    2. Click on Install Certificate.
      The Certificate Import Wizard opens:

      Figure 3-15 Certificate Import Wizard

    3. Click on Next >, and then select the radio button to Place all certificates in the following store:

      Figure 3-16 Certificate Import Wizard (continued)

    4. Click on Browse to go to the Select Certificate Store window, and select Trusted Root Certification Authorities:

      Figure 3-17 Select Certificate Store

    5. Click OK and Next, and verify the settings:

      Figure 3-18 Completing the Certificate Import Wizard

    6. Click Finish, and then verify that you want to install the certificate:

      Figure 3-19 Certificate Installation Security Warning

    7. Click Yes to import the certificate:

      Figure 3-20 Certificate Import Successful

    8. Click OK, and then OK again to exit the Certificate window.
    9. Restart Internet Explorer.
  11. Back at the Oracle Communications LSMS Start Page, click on the Web Interface button.

    Note:

    If using HTTPS, click Yes and then Continue for the following security warnings:

    Figure 3-21 Insecure Content Warning

    Figure 3-22 Untrusted Website Warning

  12. Check the box to accept the risk to run the application, and click Run:

    Figure 3-23 Application Security Warning

    The LSMS Web GUI Start Page displays:

    Figure 3-24 LSMS Web GUI Start Page with Login Button

  13. Click the Login button.
    The LSMS Login screen appears. From this point on, the web-based GUI works exactly like the server-side GUI. Next, perform the procedure described in “Logging Into the LSMS Console Window”.

    Figure 3-25 LSMS Welcome/Login Window

    Note:

    If you log out of this web-based LSMS GUI session, you must start a new browser to log back in. If you only want to change user, select User/Session>Change User from the main LSMS menu.

Logging Into the LSMS Console Window

After one or more SPIDs have been defined, use the following procedure to log into the LSMS console.

  1. After you have completed the procedure described in Starting a Web-Based LSMS GUI Session, the LSMS Welcome/Login Window displays.

    Figure 3-26 LSMS Welcome/Login Window


  2. Enter the Service Provider ID (SPID), username, and password, which must be as follows:
    • The username and password must have been defined as described in Managing User Accounts (the group definition determines to which GUI menu items the username will have access).
    • The SPID must be one that has been defined on this LSMS, as described in “Service Provider Contact Information” in Configuration Guide. In addition, if the SPID Security feature has been enabled, you must enter a username that has been authorized to access the SPID you enter. For information about authorizing usernames to SPIDs, refer to Configuration Guide.
  3. Click Login.
    • If the Customizable Login Message feature is not enabled (or it is enabled, but no message text has been created), the LSMS Console window displays:

    Figure 3-27 LSMS Console Window


    • If the Customizable Login Message feature is enabled and there is user-defined login message text configured, the Login Message dialog displays the message as shown in Figure 3-28 before the LSMS Console window is displayed. System administrators are responsible for creating the customizable login message text (for information about how to create this message text, refer to Configuration Guide). Oracle Customer Service is responsible for enabling the feature.

    Figure 3-28 Example of Login Message Dialog


    The Login Message dialog displays a 10 line by 80 character viewing area, with a scrollable text area up to a maximum of 5000 characters. Users must acknowledge this message by clicking the OK button.

Modifying Title Bar in LSMS Console Window

After you successfully log in to LSMS, the console window displays. If the /usr/TKLC/lsms/config/LSMSname file exists and contains a (0–30 character) unique LSMS name, the name (in this example, “Oracle - Morrisville”) is displayed in the title bar along with the SPID and user name. If the file does not exist or is empty (null), no name will be displayed and the title bar will look as before—displaying only the SPID and user name.

Figure 3-29 LSMS Console Window with Modified Title Bar


Powering On the LSMS

For information about powering on the LSMS servers (LSMSPRI and LSMSSEC), refer to Application B Card Hardware and Installation Guide.

Note:

Powering on the LSMS servers (which can be done in any order) does not start the LSMS application and MySQL database services. To start those functions after restoring power to the servers, perform the following steps:
  1. Log in to LSMSPRI as lsmsmgr.
    (For information about logging in, see “Logging In to LSMS Server Command Line”.)
  2. Select Maintenance, and then Start Node to initiate the following activities:
    • Uninhibit LSMSPRI
    • Transition LSMSPRI to the HAACTIVE state

      Note:

      The database on LSMSPRI becomes the master.
  3. Log in to LSMSSEC as lsmsmgr.
    (For information about logging in, see “Logging In to LSMS Server Command Line”.)
  4. Select Maintenance, and then Start Node to initiate the following activities:
    • Copy the database on LSMSPRI to LSMSSEC
    • Begin database replication on LSMSSEC.

      Note:

      The LSMSSEC database becomes a slave.
    • HA uninhibits LSMSSEC, allowing LSMSSEC to transition to a HASTANDBY state

      LSMSPRI is now active and running the LSMS application; LSMSSEC is in a standby state.

Powering Off the LSMS

Before you turn off the system power, all applications on each server must be stopped and the operating system on each server must be stopped. Use the following procedure to power off the LSMS; contact the unresolvable-reference.html#GUID-646F2C79-C167-4B5A-A8DF-7ED0EAA9AD66 if additional assistance is needed.

Warning:

Do not disconnect or connect any cables to the system while the power is on. This action can damage the internal circuits.
  1. On the inactive server:
    1. Log in to the inactive server as root.
      (For information about logging in, see “Logging In to LSMS Server Command Line”.)
    2. Enter:
      # init 0

      The inactive server shuts down and powers off.

    3. Check to ensure the Power Indicator on the T1100 is off.

      Figure 3-30 T1100 Showing Power LEDs


  2. On the active server:
    1. Log in to the active server as lsmsmgr.
      (For information about logging in, see “Logging In to LSMS Server Command Line”.)
    2. Select Maintenance, and then Stop Node (see Figure 3-31 and Figure 3-32 for example screens that display after selecting Stop Node).

      Figure 3-31 Example Cautionary Message - Displayed after Selecting Stop Node


    3. Select Yes to continue the Stop Node process.

      Note:

      Selecting Yes on this screen stops the LSMS application and it also stops the MySQL database services from running.

      Figure 3-32 Example Message - Stop Node Completed Successfully


    4. Press any key to continue.
    5. Exit the lsmsmgr interface by highlighting Exit and pressing Enter until you have completely exited.
    6. Log in as root on the active server.
      (For information about logging in, see Logging In to LSMS Server Command Line.)
    7. Enter:
      # init 0

      The active server shuts down and powers off.

    8. Check to ensure the Power LEDs on the T1100 are off (see Figure 3-30).

Managing the System Clock

The NPAC and LSMS system times must be within five minutes of each other, with the NPAC serving as the master. If the NPAC and LSMS system times are not within five minutes of each other, one of the following GUI notifications may be posted:


[Critical]:  <Timestamp> 2003: NPAC [<PRIMARY|SECONDARY>] Connection Aborted by PEER : Access Control Failure

[Critical]:  <Timestamp> 2012: NPAC [<PRIMARY|SECONDARY>]  Connection Attempt Failed : Access Control Failure

If one of these notifications appears, verify and, if necessary, reset the LSMS time using the methods described in either of the following sections:

Automatically Controlling the LSMS Time Using NTP

The LSMS allows you to configure the LSMS as an industry-standard Network Time Protocol (NTP) client that communicates with one or more NTP servers elsewhere in your network. NTP reads a time server’s clock and transmits the reading to one or more clients with each client adjusting its clock as required.

Configuring the LSMS as an NTP Client

The NTP client protocol is incorporated with the operating system that is included with LSMS. If you choose to implement the LSMS as an NTP client, you must set up one or more NTP servers in your own network (or synchronize with some portion of the existing NTP subnet that runs on the Internet) and configure the LSMS to contact those NTP servers. For information about selecting NTP servers and configuring the LSMS as an NTP client and about displaying current settings for NTP, refer to the Configuration Guide.

If you prefer not to configure the LSMS as an NTP client, you can manually reset the LSMS time when it drifts out of synchronization with the NPAC time, as described in Manually Controlling the LSMS Time Without an External NTP Source.

Verifying NTP Service

Use the following procedure to verify that the time server is working.
  1. Log in to lsmspri as root and enter the following command:
    $ ntpdate -q ntpserver1
    • If the time server is working, output similar to the following displays:
      server 198.89.40.60, stratum 2, offset 106.083658, delay 0.02632
      22 May 14:23:41 ntpdate[7822]: step time server 198.89.40.60 offset 106.083658 sec
      
    • If the time server is not working or is unavailable, output similar to the following displays:
      server 198.89.40.60, stratum 0, offset 0.000000, delay 0.000000
      22 May 14:33:41 ntpdate[7822]: no server suitable for synchronization found
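
The output of ntpdate -q can be checked automatically against the five-minute limit described in Managing the System Clock. This is an added example, not part of the original manual; it uses the two outputs shown above plus one constructed sample, and it assumes the queried NTP server keeps the same time as the NPAC, because the offset reported is between the LSMS and the NTP server.

```python
import re

MAX_DRIFT_SECONDS = 5 * 60  # NPAC/LSMS tolerance stated on this page

# Outputs copied from this page: working and non-working time server.
SAMPLE_WORKING = """server 198.89.40.60, stratum 2, offset 106.083658, delay 0.02632
22 May 14:23:41 ntpdate[7822]: step time server 198.89.40.60 offset 106.083658 sec"""
SAMPLE_FAILED = """server 198.89.40.60, stratum 0, offset 0.000000, delay 0.000000
22 May 14:33:41 ntpdate[7822]: no server suitable for synchronization found"""
# CONSTRUCTED sample: server answers, but the clocks differ by over six minutes.
SAMPLE_DRIFTED = """server 192.0.2.10, stratum 3, offset -412.500000, delay 0.03100
22 May 14:40:02 ntpdate[7901]: step time server 192.0.2.10 offset -412.500000 sec"""

_SERVER_RE = re.compile(
    r"^server\s+(\S+),\s*stratum\s+(\d+),"
    r"\s*offset\s+([-+]?\d+(?:\.\d+)?),\s*delay\s+([-+]?\d+(?:\.\d+)?)",
    re.MULTILINE,
)


def parse_servers(output: str) -> list:
    """Return one dict per 'server ...' line of ntpdate -q output."""
    return [
        {"server": m.group(1), "stratum": int(m.group(2)),
         "offset": float(m.group(3)), "delay": float(m.group(4))}
        for m in _SERVER_RE.finditer(output)
    ]


def assess(output: str, max_drift: float = MAX_DRIFT_SECONDS) -> dict:
    """Classify ntpdate -q output as ok, drift-exceeds-limit or no-usable-server.

    Stratum 0 is what the failing sample on this page reports; stratum 16
    marks an unsynchronized server in NTP. Both are treated as unusable.
    """
    usable = [s for s in parse_servers(output) if 1 <= s["stratum"] <= 15]
    if not usable or "no server suitable for synchronization found" in output:
        return {"status": "no-usable-server", "server": None, "offset": None}
    # Judge drift against the best source: lowest stratum, then lowest delay.
    best = min(usable, key=lambda s: (s["stratum"], s["delay"]))
    status = "drift-exceeds-limit" if abs(best["offset"]) > max_drift else "ok"
    return {"status": status, "server": best["server"], "offset": best["offset"]}


if __name__ == "__main__":
    for name, text in (("working", SAMPLE_WORKING), ("failed", SAMPLE_FAILED),
                       ("drifted", SAMPLE_DRIFTED)):
        print(name, assess(text))
```

A drift-exceeds-limit result corresponds to the condition under which the Access Control Failure notifications may be posted.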

Troubleshooting NTP Problems

If you configure the LSMS to communicate with several NTP servers, you should rarely encounter any problems with NTP. This section describes how to troubleshoot the following rare, but possible, error conditions:

Reference Time Off By More Than Twenty Minutes

The LSMS’s NTP client daemon expects that the LSMS system time has been set close to the real time. If the reference time received from the NTP server is significantly different from the LSMS system time, the daemon waits up to twenty minutes until it sets the time. However, if the reference time is off more than about twenty minutes (which is rare), the daemon terminates and does not set the system time.

If you think that the daemon may have terminated, perform the following procedure:

  1. Determine whether the ntpd daemon process is running by logging in as root and entering the following command:
    # ntpq -p

    If the daemon is not running, check the /var/log/messages file.

  2. To set the system clock, either perform the process described in Manually Controlling the LSMS Time Without an External NTP Source or enter the following command:
    # ntpdate <IP_address_of_NTP_server>
  3. Start the ntpd daemon by entering the following command:
    # /etc/rc4.d/S58ntpd start
  4. Verify that the ntpd daemon started by repeating step 1.

Violation of Maximum Oscillator Frequency in Network

The NTP protocol specifies that systems should have a maximum oscillator frequency tolerance of plus or minus 100 parts-per-million (ppm). This tolerance allows relatively inexpensive workstation platforms to use the NTP protocol. For platforms that meet this tolerance, NTP automatically compensates for the frequency errors of the individual oscillator, such that no additional adjustments are required to either the configuration file or to various kernel variables.

However, some platforms routinely violate this tolerance, and their violation can affect other time servers or time clients in a network. Although the LSMS meets the tolerance requirement, if your network contains other systems that do not meet the tolerance requirement, you may need to adjust the values of certain kernel variables.

Manually Controlling the LSMS Time Without an External NTP Source

If you choose not to configure the LSMS to use an NTP server, you can use the following procedure to resynchronize the LSMS system time with the NPAC time when one of the notifications described in Managing the System Clock is posted:

Generally, the following procedure is used only when the LSMS is first installed. However, if you are not able to use another method of synchronizing time with an NPAC (as described in Automatically Controlling the LSMS Time Using NTP), you can contact the NPAC administrator, inquire the time used at the NPAC, and use the following procedure to manually set the LSMS system time and date.

Internal system times are stored in GMT; however, the time and date are typed in the local time zone and converted automatically. If you need to check the local time zone, you can use the env command with the TZ variable.

  1. Log in to the active server as lsmsmgr.
    (For information about logging in, see Logging In to LSMS Server Command Line.)
  2. From the main lsmsmgr menu, select Server Configuration, and then Set Clock.
    A window similar to Figure 3-33 displays.

    Figure 3-33 Set Clock Window


  3. If you need to change the current date or time, press Enter while the Edit button is highlighted.
    A window similar to Figure 3-34 displays.

    Figure 3-34 Change Date and Time Window


  4. Use the down and up arrow keys to move to the field that you want to change.
    Within a field, use the right and left arrow keys to move, delete digits by pressing the Delete key, and enter digits by typing them in. When the values are what you want, press the down arrow key until the OK button is highlighted, and then press Enter. The window shown in Figure 3-33 is displayed again, and it should now display the date and time you set in this step.
  5. Log in to the standby server as lsmsmgr, and repeat steps 1 through 4.
  6. If you have changed the time by more than five minutes, it is recommended that you reboot each server.

Managing User Accounts

This section provides information about the following topics:

  • Overview information about user names and passwords
  • Overview information about the SPID Security feature
  • Non-configurable permission groups
  • Configurable permission groups
  • Managing user accounts on the primary and secondary servers
  • Managing user accounts on the administration console
  • Changing account passwords using Linux commands
  • Activating the SPID Security feature

Overview of User Names and Passwords

The system administrator assigns user names and passwords. Each user name is assigned to one of the following permission groups:

Note:

It is possible for an individual user name to have the same value as a group name. For example, usually a user named lsmsadm is assigned to the lsmsadm permission group. Some LSMS commands require the user to be logged in with the lsmsadm user name.
  • lsmsall
  • lsmsadm
  • lsmsuser
  • lsmsuext
  • lsmsview

The permission groups govern which commands and which GUI functions the user is allowed to use.

Overview of SPID Security Feature

In addition, the LSMS offers the optional SPID Security feature that allows the LSMS administrator to assign only certain usernames to be allowed to log on with a specified Service Provider Identifier (SPID). Alternatively, the LSMS administrator can assign a username to be given access to all SPIDs; such a user is called a “golden user.”

Association of a username with a SPID allows the LSMS system administrator to restrict access to the following types of locally provisioned data (for more information about associating usernames with SPIDs, see Activating the SPID Security Feature):

  • Default global title translation (GTT)
  • Override GTT
  • GTT Groups
  • Telephone number (TN) filters
  • Assignment of GTT groups and TN filters to an Element Management System (EMS). For more information about GTT groups, refer to the Database Administrator's Guide.

Access to these types of data is protected by SPID security for any access method (for example, through the GUI, through input data by file, audit, and reconcile).

The SPID Security feature is especially useful for LSMS customers that act as service bureaus, offering LSMS services to other service providers. The service bureau may administer locally provisioned data for a client and may choose to allow the client to administer or view its own data without allowing that client to view or change data belonging to other clients.

Note:

Without this optional feature, any user can log in using any SPID that is defined on the LSMS. The user is able to view any data for any SPID, and depending on which user privileges were assigned to that username, may be able to change data associated with any SPID.

Non-Configurable Permission Groups

Table 3-2 shows a summary of privileges allowed to each user type.

Table 3-2 User Types

System Administration User
    Privileges: Allows the user to inherit all the privileges of all other user types
    User secondary group name: lsmsall
    SPID value for logging in: NPAC-assigned SPID (refer to the Configuration Guide).

System Configuration User
    Privileges: Allows the user to:
      • Create, modify and maintain the LNP systems, key lists, associations, and the MySQL databases
      • Stop automatic audits.
      • Inherit all the privileges of the Viewer User
    User secondary group name: lsmsadm
    SPID value for logging in: NPAC-assigned SPID (refer to the Configuration Guide).

Database Administration User
    Privileges: Allows the user to:
      • Modify and maintain the NPAC and supported service provider data
      • Have unlimited access to all LNP related-logs, data, and tables
      • Inherit all the privileges of the Viewer User
    User secondary group name: lsmsuser
    SPID value for logging in: Any SPID. If a shadow LSMS exists, use the same SPID for similar functions on main and shadow LSMS.

External User
    Privileges: Allows the user the same access as lsmsuser, but the user is not permitted access to the NPAC menu on LSMS GUI
    User secondary group name: lsmsuext
    SPID value for logging in: Any SPID. If a shadow LSMS exists, use the same SPID for similar functions on main and shadow LSMS.

Viewer User
    Privileges: Allows the user:
      • Read access to the LNP data and tables
      • Limited read access to resource displays and logs
      • Unlimited access to viewing and acknowledging all alarms
    User secondary group name: lsmsview
    SPID value for logging in: Any SPID.

User Permissions for LSMS Commands

Table 3-3 shows the commands each user type has permission to execute. For more information about the commands, see Commands.

Table 3-3 Access to LSMS Commands

Command permissions:

X = Users in this group have permission to use this command.
lsmsadm = The user must be logged in with the name lsmsadm to have permission to use this command.
root = The user must be logged in with the name root to have permission to use this command.
- = No permission.

Command          root  lsmsadm  lsmsuser  lsmsview  lsmsall  lsmsuext
autoxfercfg      -     X        -         -         -        -
chglct           -     X        -         -         -        -
chkfilter        -     X        -         -         -        -
eagle            -     lsmsadm  -         -         -        -
import           -     X        X         X         X        X
keyutil          -     lsmsadm  -         -         -        -
lsms             -     lsmsadm  -         -         -        -
lsmsdb           root  X        X         X         X        X
lsmsSNMP         -     X        -         -         -        -
lsmssurv         root  -        -         -         -        -
massupdate       -     lsmsadm  -         -         -        -
measdump         -     -        X         X         X        X
npac_db_setup    -     lsmsadm  -         -         -        -
npacimport       -     lsmsadm  -         -         -        -
report           -     X        X         X         X        X
resync_db_setup  -     lsmsadm  -         -         -        -
SAagent          -     X        -         -         -        -
spidsec          -     lsmsadm  -         -         -        -
sup              -     lsmsadm  -         -         -        -
sup_db_setup     -     lsmsadm  -         -         -        -
survNotify       root  X        X         X         X        X
syscheck         root  -        -         -         -        -

User Permissions for GUI Functions

For information about the GUI functions each permission group can access, refer to the tables in the Configuration Guide (Admin GUI Access, Configure User Access, and Keys GUI Access) and the Database Administrator's Guide (User/Session GUI Access, NPAC GUI Access, LSMS GUI Access, Reports GUI Access, Logs GUI Access, and Popup Menus GUI Access).

Configurable Permission Groups (LSMS Command Class Mgmt)

When the optional LSMS Command Class Management feature is enabled, LSMS supports configurable GUI permission groups in addition to the five non-configurable GUI permission groups (lsmsadm, lsmsuser, lsmsview, lsmsall, and lsmsuext).

The LSMS supports the creation of 128 additional, configurable GUI permission groups that can be used to ensure a specific and secure environment. After creating the new, configurable GUI permission groups, the system administrator can assign users to the appropriate group.

The configurable GUI permission groups control access to GUI commands, the CLAA (Command Line Administration Application) equivalent, or any command-line equivalent of GUI functions.

A method to control access to a fixed set of commands is provided. Existing commands, executables, and scripts are classified as follows:

  • Command-line equivalents of GUI commands (Reports and functions of CLAA)

    These commands are controlled by the assignment of the corresponding GUI function.

  • Optional command-line capability for Report Generator (LQL)

    This command may be assigned individually, similar to GUI commands, to one or more permission groups.

  • Root privilege-only commands

    These commands are root-only and are not assignable to any permission group.

  • Other commands owned by lsmsadm

    These commands include those used by the LSMS application, those used to control processes, and those for setup and configuration. Commands in this category are grouped as a single set of administration commands. Users may or may not be granted access to this command-line group, in addition to being assigned to the appropriate GUI group.

    Some commands in this group, although owned by lsmsadm, are accessible to non-owners for limited operation, such as status. The incorporation of this feature will not have any impact on the current privileges of commands for non-owners.

Example:

To set up a custom environment, system administrators should define the GUI permission groups and populate those groups with the appropriate commands:

Table 3-4 Define GUI Permission Groups and Assign Command Privileges

GUI Permission Group    Command Privileges
Custom GUICONFIG        All Configuration Commands
Custom GUIEMS           All EMS-related Commands
Custom GUISUPER         All GUI Commands

Optionally, assign users (for example, Mike, Sally, and Bill) to a specific command-line permission group (in this example, lsmsadm) or GUI permission group.

Table 3-5 User Assignment Examples

User    Linux Permission Group    GUI Permission Group
Mike    lsmsadm                   Custom GUICONFIG
Joe     lsmsall                   Custom GUIEMS
Sally   lsmsadm                   lsmsadm
Bill    lsmsadm                   Custom GUISUPER

Note:

Secure activation is required because this is an optional feature.

After activating this feature, you can create permission groups and assign users to these new groups.

Note:

Changes in privileges do not automatically occur upon feature activation.

Permission Group Naming

  • The LSMS supports the ability to uniquely name each configurable GUI permission group.

  • A group name can consist of a minimum of one character to a maximum of 40 characters (only alphanumeric characters are permitted).

Permission Group Contents

  • Each configurable GUI permission group supports any or all of the LSMS GUI commands.

    Note:

    The GUI command represents the function, via either the GUI, CLAA, or command-line equivalent of GUI commands.
  • Any GUI command may be associated with multiple GUI permission groups.
  • The optional LQL command for the Report Generator feature can be placed in GUI permission groups.
  • The LSMS supports a group containing the current LSMS lsmsadm commands with the exception of Report, Audit, and LQL.

Permission Group Commands

The LSMS enables you to perform the following tasks:

  • Create and modify GUI permission groups.
  • Assign a user to a single GUI permission group.
  • Assign a user access to the command group in addition to a GUI permission group.
  • Retrieve the names of all permission groups, all the commands permitted within a permission group, and the names of all permission groups that contain a particular command.

Permission Group Processing

GUI Functions:

The LSMS allows a GUI user access to GUI commands, CLAA commands, or command-line equivalents of GUI commands only if that user is an authorized user.

Command-Line-Level:

The LSMS allows a user access to command-line-level scripts and executables only if that user is an authorized user.

Note:

For more information about command class management and configurable permission groups, refer to the Configuration Guide.

Managing User Accounts on the Primary and Secondary Servers

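To manage user accounts, LSMS uses the lsmsdb command. This command allows you to add and delete user accounts, change passwords, and list users. The lsmsdb command makes the appropriate changes in the system /etc/passwd file.

The following topics explain how to use the lsmsdb command to administer LSMS user accounts:

  • Adding a User
  • Deleting a User
  • Changing a User Password
  • Setting the System Level Password Timeout Using the Command Line
  • Setting the User Level Password Timeout Using the Command Line
  • Displaying All LSMS User Accounts

The following topics explain how to use the LSMS GUI to administer LSMS user accounts:

  • Setting the System Level Password Timeout Using the GUI
  • Setting the User Level Password Timeout Interval Using the GUI
  • Viewing the Active User List
  • Terminating an Active User Session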

Adding a User

Use the following procedure to add a user account:

  1. Log in as root and type your password.
    For more information, see Logging In to LSMS Server Command Line.
  2. Execute lsmsdb with the adduser command option:
    $ cd $LSMS_TOOLS_DIR

    $ lsmsdb -c adduser -u <username>

  3. When the following prompt appears, enter the user password.
    
    Enter password:
    
  4. When the following prompt appears, enter the user password again.
    
    Re-enter password:
    

    Note:

    If you did not enter the same password in Steps 3 and 4, the following warning is displayed:
    
    WARNING: Passwords must match.
    #
    
    In this case, go back to Step 1; otherwise, proceed with Step 5.
  5. When the following prompt is displayed, select the LSMS group name (lsmsadm, lsmsuser, lsmsview, lsmsuext, or lsmsall) for the user by entering the corresponding number in the CHOICE field, then press <return>.
    
    Select Secondary Permission Group From List:
    1) lsmsadm
    2) lmsuser
    3) lsmsview
    4) lsmsuext
    5) lsmsall
    CHOICE:
    
  6. When the following prompt appears, enter Y or N in the CHOICE field to indicate whether you want to enter an expiration date for this login.
    
    Set expiration date? Y/N
    CHOICE:
    

    Note:

    If you enter an expiration date, the user will not be allowed to log in to this account after that date.
    If you enter Y in the CHOICE field, the following prompt appears:
    
    Enter expiration date (mm/dd/yyyy):
    
  7. When the following prompt appears, enter Y or N in the CHOICE field to indicate whether you want to enter an Inactivity Value (in days) for this account.
    
    Set inactivity value? Y/N
    CHOICE:
    

    Note:

    If you enter a value (in days), the account will be declared invalid and the user will not be allowed to use that account for the number of days specified.
    If you enter Y in the CHOICE field, the following prompt appears:
    
    Enter a number (of days):
    
  8. If any other error or warning message displays, contact the unresolvable-reference.html#GUID-646F2C79-C167-4B5A-A8DF-7ED0EAA9AD66.
  9. Repeat on the other server, if desired.

Deleting a User

Use the following procedure to remove a user account:

  1. Log in as root and type your password.
    For more information, see Logging In to LSMS Server Command Line.
  2. Execute lsmsdb with the rmuser command option:
    $ cd $LSMS_TOOLS_DIR

    $ lsmsdb -c rmuser -u <username>

    Upon completion of the command, the prompt will be returned.

  3. If an error or warning message displays, contact the unresolvable-reference.html#GUID-646F2C79-C167-4B5A-A8DF-7ED0EAA9AD66.

Changing a User Password

Use the following procedure to change a user password:

Note:

The lsmsdb -c chguserpw -u <username> command must be run on both the primary and the secondary servers to completely change the password.
  1. Log in as root, or as the user for which the password is going to be changed, and type your password.
    For more information, see Logging In to LSMS Server Command Line.
  2. Execute lsmsdb with the chguserpw command option:
    $ cd $LSMS_TOOLS_DIR

    $ lsmsdb -c chguserpw -u <username>

  3. When the following prompt appears, enter the current user password.
    
    Enter current password:
    
  4. When the following prompt appears, enter the new user password.
    
    Enter new password:
    
  5. When the following prompt appears, enter the new user password again.
    
    Re-enter new password:
    

    Note:

    If you did not enter the same password in Steps 3 and 4, the following warning is displayed:
    
    WARNING: Passwords must match.
    #
    
    In this case, go back to Step 1; otherwise, proceed with Step 6.
  6. If any other error or warning message displays, contact the unresolvable-reference.html#GUID-646F2C79-C167-4B5A-A8DF-7ED0EAA9AD66.

Setting the System Level Password Timeout Using the Command Line

Use the following procedure to set the system level password timeout using the command line:

  1. Log in as lsmsadm and type your password.
    For more information, see Logging In to LSMS Server Command Line.
  2. Execute lsmsdb with the syspwexp command option:
    $ cd $LSMS_TOOLS_DIR

    $ lsmsdb -c syspwexp

  3. When the following prompt appears, enter Y.
    
    Configured value: -1
    Set password expiration interval? Y/N
    

    Note:

    A configured value of -1 indicates the password timeout has not been configured. A configured value of 0 indicates the password timeout has been configured and the password is valid for an indefinite period of time.
  4. When the following prompt appears, enter the password timeout interval.
    
    Set maximum number of days before password expires for users.
    This will set the default password expiration interval for all users.
    Valid values are 0 (never expire) or 1 to 180 days.
    Enter value:
    
Setting the System Level Password Timeout Using the GUI

Use the following procedure to set the system level password timeout using the GUI:

  1. Log in to the LSMS Console as a user in the lsmsadm or lsmsall group.
  2. From the main menu, select Admin, and then Password Timeout, and then System Level, and then Modify.

    Figure 3-35 Modifying the System Level Password Timeout


  3. Click Modify, and the Modify System Level Password Timeout dialog displays.

    Figure 3-36 Modify System Level Password Timeout


  4. Type in the number of days for the password timeout interval, then click OK.
    If you have successfully modified the password timeout, then the Update Successful dialog displays.

    Figure 3-37 Update Successful


  5. Click OK.

Setting the User Level Password Timeout Using the Command Line

Use the following procedure to set the user level password timeout using the command line:

  1. Log in as lsmsadm and type your password.
    For more information, see Logging In to LSMS Server Command Line.
  2. Execute lsmsdb with the usrpwexp command option:
    $ cd $LSMS_TOOLS_DIR

    $ lsmsdb -c usrpwexp -u <username>

  3. When the following prompt appears, enter Y.
    
    Configured value: -1
    Set password expiration interval? Y/N
    

    Note:

    A configured value of -1 indicates the password timeout has not been configured. A configured value of 0 indicates the password timeout has been configured and the password is valid for an indefinite period of time.
  4. When the following prompt appears, enter the password timeout interval.
    
    Set maximum number of days before password expires for the user.
    Valid values are 0 (never expire) or 1 to 180 days.
    Enter value:
    
Setting the User Level Password Timeout Interval Using the GUI

Use the following procedure to set the user level password timeout using the GUI:

  1. Log in to the LSMS Console as a user in the lsmsadm or lsmsall group.
  2. From the main menu, select Admin, and then Password Timeout, and then User Level, and then Modify.

    Figure 3-38 Modifying the User Level Password Timeout Interval


  3. Click Modify, and the Modify User Level Password Timeout dialog displays.

    Figure 3-39 Modify User Level Password Timeout


  4. Select a user whose password timeout interval you want to modify.
  5. Type in the number of days for the password timeout interval, then click OK.
    If you have successfully modified the password timeout, then the Update Successful dialog displays.

    Figure 3-40 Update Successful


  6. Click OK.

Displaying All LSMS User Accounts

Use the following procedure to display a list of all LSMS GUI Users:

  1. Log in as root and type your password.
    For more information, see Logging In to LSMS Server Command Line.
  2. Execute lsmsdb with the users command option:
    $ cd $LSMS_TOOLS_DIR

    $ lsmsdb -c users

    The configured LSMS users will be output one user per line.

Viewing the Active User List

Use the following procedure to display a list of active LSMS GUI Users:

  1. Log in to the LSMS Console as a user in the lsmsadm or lsmsall group.
  2. From the main menu, select User/Session, and then View Active User Sessions.

    Figure 3-41 Select User/Session, and then View Active User Sessions


  3. After clicking View Active User Sessions, the View Active User Sessions dialog displays.

    Figure 3-42 View Active User Sessions Dialog



    Note:

    Timed-out sessions are included in the active sessions list.
  4. Click OK when you are done viewing the Active User list.

Terminating an Active User Session

Use the following procedure to terminate the session of an active LSMS GUI User:

  1. Log in to the LSMS Console as a user in the lsmsadm or lsmsall group.
  2. From the main menu, select User/Session, and then Terminate User Session.

    Figure 3-43 Select User/Session, and then Terminate User Session

  3. After clicking Terminate User Session, the Terminate User Session dialog displays.

    Figure 3-44 Terminate User Session Dialog

  4. Click on the user session you want to end and click Terminate.
  5. If you are sure you want to terminate the session, click Yes in the Confirm Delete dialog, otherwise click No.

    Figure 3-45 Confirm Delete Dialog

  6. After you successfully terminate a user session, click OK in the Delete Successful dialog.

    Figure 3-46 Delete Successful Dialog


Activating the SPID Security Feature

This feature is activated by Oracle customer service using secure activation procedures. Once the feature is activated, the following actual usernames (not user group names) are defined to be “golden users” having access to all SPIDs, and all other usernames are defined to have no access to any SPIDs:

  • lsmsadm
  • lsmsview
  • lsmsall
  • lsmsuser
  • lsmsuext

After the feature has been activated, the LSMS administrator (lsmsadm) is advised to immediately define associations between usernames and SPIDs as described in the following procedure:

  1. Log in as lsmsadm on the active server.
  2. If you do not wish the username lsmsadm to have access to all SPIDs, enter the following command to remove the username from golden access:
    $ spidsec -r -u lsmsadm -s golden
  3. If desired, repeat step 2 for the usernames lsmsview, lsmsall, lsmsuser, and lsmsuext.
  4. To display all the usernames currently defined on the LSMS, see Displaying All LSMS User Accounts.
  5. For each displayed username, determine which SPIDs you wish to allow this user access to and enter the following command to authorize this username for the specified SPID:
    $ spidsec -a -u <username> -s {<spid>|golden}

    The following parameters and options apply to this command:

    <username>
    A valid LSMS username that has been provisioned using admintool
    <spid>
    A valid SPID defined on the LSMS (alternatively, you can enter golden to allow this username access to all SPIDs defined on the LSMS)
    To authorize this username to multiple SPIDs, but not for all SPIDs, you must enter the command once for each SPID.
  6. Repeat step 5 for each user displayed in step 4.
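
The procedure above as an added dry-run planner (example code, not part of LSMS or of the original page): it turns a reviewed username-to-SPID map into the spidsec commands from steps 2 through 6 and flags users left without any association. The two file formats, the function names, and the sample usernames and SPIDs are assumptions made for this example.

```shell
# Dry-run planner for the procedure above: prints spidsec commands, runs none.
# Assumed inputs (formats constructed for this example, not defined by LSMS):
#   users file: one username per line, as saved from `lsmsdb -c users`
#   map file:   "<username> <spid|golden>", one pair per line, '#' = comment

BUILTIN_GOLDEN="lsmsadm lsmsview lsmsall lsmsuser lsmsuext"

# Accept only non-empty alphanumeric/underscore tokens so that no shell
# metacharacter can reach a printed command (character set is an assumption).
safe_token() { case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac; }
is_builtin() { case " $BUILTIN_GOLDEN " in *" $1 "*) ;; *) return 1 ;; esac; }
# has_line FILE WORD...: true when FILE has a line exactly equal to "WORD ..."
has_line() { f=$1; shift; grep -Fqx -- "$*" "$f"; }

spid_plan() {
    users=$1; map=$2
    clean=$(mktemp) && ok=$(mktemp) || return 1
    # Strip comments and blank lines; squeeze whitespace to single spaces.
    sed 's/#.*//' "$map" | awk 'NF { $1 = $1; print }' > "$clean"
    # Steps 2-3: built-in names are golden after activation; remove golden
    # access from every one the map does not explicitly keep golden.
    for u in $BUILTIN_GOLDEN; do
        if has_line "$clean" "$u" golden; then
            echo "$u" >> "$ok"
        else
            echo "spidsec -r -u $u -s golden"
        fi
    done
    # Steps 5-6: one `spidsec -a` per (username, SPID) pair.
    while read -r user spid extra; do
        if ! safe_token "$user" || ! safe_token "$spid" || [ -n "$extra" ]; then
            echo "# REJECT malformed entry (one username and one SPID per line)"
        elif ! has_line "$users" "$user"; then
            echo "# SKIP $user: not in the lsmsdb user list"
        elif [ "$spid" = golden ] && is_builtin "$user"; then
            :   # still golden from activation, nothing to add
        else
            echo "spidsec -a -u $user -s $spid"
            echo "$user" >> "$ok"
        fi
    done < "$clean"
    # Any listed user left without an association is flagged for review.
    while read -r user; do
        [ -z "$user" ] || has_line "$ok" "$user" ||
            echo "# NOTE $user: no SPID association planned"
    done < "$users"
    rm -f "$clean" "$ok"
}

demo_plan() {
    d=$(mktemp -d) || return 1
    # Constructed sample data: usernames and SPIDs are placeholders.
    printf '%s\n' lsmsadm lsmsview lsmsall lsmsuser lsmsuext mike sally bill > "$d/users"
    cat > "$d/map" <<'EOF'
lsmsadm golden      # keep one administrator on all SPIDs
mike    SP01
mike    SP02        # a second SPID for the same user gets its own line
sally   SP01
ghost   SP01        # not a provisioned user
bill    SP01 SP02   # two SPIDs on one line
EOF
    spid_plan "$d/users" "$d/map"
    rm -rf "$d"
}

demo_plan
```

Review the printed plan before running its spidsec lines as lsmsadm on the active server; the comment lines mark entries that need a decision first.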