5 Diameter Signaling Router OS Standard Features

This chapter describes the security features of the Diameter Signaling Router (DSR) that are available to the Platform Administrator through the Linux Command Line Interface (CLI). The "platcfg" utility of the Operating System (OS) is used to configure these features.

5.1 Configuring NTP Servers

Each server added at the NOAM server under Administration > Configuration > Servers has the option to specify the NTP server details. The NTP servers field is visible after selecting a network element. The following screen displays a configured server with NTP server details.

Figure 5-1 NTP Configuration GUI

For more information about how to add a server, see the Inserting a Server section under the Servers chapter in the Operation, Administration, and Maintenance (OAM) Guide.

5.1.1 Configuring NTP for the Host OS of the Application Guest VM

This section describes the procedure to configure the NTP settings for the host Operating System that hosts the application guest (for example, TVOE).

Perform the following steps:

  1. Log in or switch user to platcfg user on the TVOE server.
    The platcfg main menu displays.
  2. In the Main Menu, navigate to Network Configuration:

    Figure 5-2 Main Menu

  3. Select NTP.

    Figure 5-3 Selecting NTP

  4. The Time Servers screen shows the configured NTP servers and peers. Click Edit.

    Figure 5-4 Time Servers

  5. On the Edit Time Servers menu, enter the NTP Server information and click OK.

    Figure 5-5 Edit Time Servers Menu

  6. To exit TVOE, perform the following:
    1. Exit the platcfg menu.
    2. Ensure the time is set correctly. For more information on how to set the time on the TVOE host, see the Setting the Time on the TVOE Host section.

5.2 Setting the Time on the TVOE Host

At the time of DSR installation, the date and time are set on the TVOE hosts as follows:
  1. Log in as admusr.
  2. Run the following commands:
    $ sudo /sbin/service ntpd stop
    $ sudo /usr/sbin/ntpdate ntpserver1
    $ sudo /sbin/service ntpd start

Result: The time is synchronized to the NTP server.
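The three commands above only perform a one-shot step; what a practitioner then wants is a way to confirm that ntpd has actually selected a peer and that the residual offset is small. The following is an added example, not part of the DSR guide: POSIX shell functions that parse the standard "ntpq -p" peer table (a selected peer is marked with "*", the "reach" column is the seventh field, the offset in milliseconds is the ninth). The ntpq output embedded below is constructed sample data; in practice it would be produced by "ntpq -p" on the TVOE host.

```shell
#!/bin/sh
# Added example (not from the DSR guide): verify NTP synchronisation state
# from "ntpq -p" output.  Column layout is the standard ntpq one:
#   remote refid st t when poll reach delay offset jitter
# A leading '*' marks the peer ntpd currently synchronises to.

# Constructed sample of "ntpq -p" output: one selected peer ('*'),
# one candidate ('+'), and one peer that has never been reached (reach 0).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntpserver1      .GPS.            1 u   34   64  377    0.412    0.118   0.045
+ntpserver2      192.0.2.10       2 u   12   64  377    1.203   -2.317   0.210
 ntpserver3      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_selected_peer: print the name of the peer ntpd has selected ('*');
# exit 1 when no peer is selected.  Reads ntpq output on stdin.
ntp_selected_peer() {
    awk '/^\*/ { sub(/^\*/, "", $1); print $1; found = 1 } END { exit !found }'
}

# ntp_offset_ok MAX_MS: exit 0 when the selected peer's absolute offset
# (ninth column, milliseconds) is at or below MAX_MS; exit 1 otherwise or
# when no peer is selected.  Reads ntpq output on stdin.
ntp_offset_ok() {
    awk -v max="$1" '
        /^\*/ { off = $9 + 0; if (off < 0) off = -off; found = 1; exit (off > max) }
        END   { if (!found) exit 1 }'
}

# ntp_unreachable_peers: print every configured peer whose reach register is 0.
# The first character of each row is the tally code, so the row is split
# after it instead of relying on awk's default field splitting.
ntp_unreachable_peers() {
    awk 'NR > 2 {
        n = split(substr($0, 2), f, " ")
        if (n >= 9 && f[7] == 0) print f[1]
    }'
}

# Stand-alone usage against the constructed sample (on a real host replace
# the printf with:  ntpq -p | ntp_selected_peer  and so on).
printf '%s\n' "$SAMPLE_NTPQ" | ntp_selected_peer
printf '%s\n' "$SAMPLE_NTPQ" | ntp_offset_ok 5 && echo "offset within 5 ms"
printf '%s\n' "$SAMPLE_NTPQ" | ntp_unreachable_peers
```

A peer with reach 0 after ntpd has been running for a few minutes usually means a firewall or name-resolution problem on the path to that server; "ntpdate" succeeding once (step 2 above) does not rule that out, because ntpdate and ntpd may not reach the same set of servers.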

5.3 Configuring Password Settings for OS Users

This section describes the procedure to configure various password settings.

Perform the following procedure to configure various password settings for:
  • Minimum password length
  • Minimum time between password changes
  • Maximum number of days that a password can be used
  • Warning time for password expiration
  • Minimum number of character differences between passwords
  • Password history size (prevents reusing passwords)
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the menu and press Enter.
  4. Select Sec Password Restrictions option and press Enter.
  5. Select Global Password Restrictions for New Users and press Enter.
  6. Fill the appropriate settings:
    Minimum acceptable size for the new password: 15
    Minimum number of days allowed between password changes: 0
    Maximum number of days a password may be used: 99999
    Number of days a user is warned before password expiration: 7
    Minimum number of characters different between passwords: 0
    Minimum number of passwords between reuse: 5
    
  7. Click OK and press Enter.
  8. Select Exit in each of the menus until a command prompt is reached.

5.4 Configuring Passwords without Embedding Usernames

This section describes the procedure to ensure that the login name is not embedded in user passwords.

Perform the following steps to configure the password to not allow usernames to be embedded in it:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to check out the system-auth-ac file:
    $ sudo rcstool co /etc/pam.d/system-auth-ac
  3. Run the following command to add the reject_username setting to the system-auth-ac file:
    $ sudo sed -i -e '/^password.*reject_username/n' \
    -e '/^password.*pam_cracklib.so.*$/s/$/ reject_username/' \
    /etc/pam.d/system-auth-ac
    
  4. Run the following command to check in the system-auth-ac file:
    $ sudo rcstool ci /etc/pam.d/system-auth-ac "reject_username"
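Sections 5.3 and 5.4 set values through platcfg and a sed one-liner but give no way to confirm afterwards that a host still carries them. The following is an added example, not part of the DSR guide or of platcfg: a POSIX shell audit that compares a host against the values given above (15 / 0 / 99999 / 7 / 0 / 5 and reject_username). It assumes, as is conventional on RHEL-based systems, that the settings land in the PASS_* keys of /etc/login.defs, in the minlen/difok/reject_username options on the pam_cracklib "password" line, and in remember= on the pam_unix "password" line of /etc/pam.d/system-auth-ac; the two sample hosts below are constructed files, one compliant and one that has drifted.

```shell
#!/bin/sh
# Added example (not from the DSR guide): audit the password settings of
# sections 5.3 and 5.4.  ASSUMPTION: platcfg stores them in the conventional
# RHEL locations named in the comments below.

WORK=$(mktemp -d)

# Constructed sample: a host matching the guide's target values.
cat > "$WORK/login.defs.good" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    15
PASS_WARN_AGE   7
EOF
cat > "$WORK/system-auth-ac.good" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=15 difok=0 reject_username
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF

# Constructed sample: a host that has drifted (8-character passwords allowed,
# usernames no longer rejected inside passwords).
cat > "$WORK/login.defs.drift" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
EOF
cat > "$WORK/system-auth-ac.drift" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 difok=0
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
EOF

# defs_val FILE KEY: value of KEY in a login.defs-style file (last occurrence wins).
defs_val() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# pam_opt FILE MODULE OPT: value N of OPT=N on the "password" line that loads
# MODULE; prints an empty string when the option is absent.
pam_opt() {
    grep -E "^password[[:space:]].*$2" "$1" \
        | sed -n "s/.*[[:space:]]$3=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# pam_flag FILE MODULE FLAG: succeed when the bare option FLAG is present on
# MODULE's "password" line (this is what the sed in step 3 of 5.4 adds).
pam_flag() {
    grep -E "^password[[:space:]].*$2" "$1" | grep -Eq "[[:space:]]$3([[:space:]]|$)"
}

# check LABEL ACTUAL EXPECTED: print one result line; return 1 on mismatch.
check() {
    if [ "$2" = "$3" ]; then printf 'ok    %s = %s\n' "$1" "$2"; return 0; fi
    printf 'FAIL  %s = "%s" (expected %s)\n' "$1" "$2" "$3"; return 1
}

# audit_password_policy DEFS PAMFILE: compare a host against the guide's
# values; the return code is the number of failed checks (0 = compliant).
audit_password_policy() {
    fails=0
    check PASS_MIN_LEN  "$(defs_val "$1" PASS_MIN_LEN)"  15    || fails=$((fails + 1))
    check PASS_MIN_DAYS "$(defs_val "$1" PASS_MIN_DAYS)" 0     || fails=$((fails + 1))
    check PASS_MAX_DAYS "$(defs_val "$1" PASS_MAX_DAYS)" 99999 || fails=$((fails + 1))
    check PASS_WARN_AGE "$(defs_val "$1" PASS_WARN_AGE)" 7     || fails=$((fails + 1))
    check cracklib.minlen "$(pam_opt "$2" pam_cracklib.so minlen)" 15 || fails=$((fails + 1))
    check cracklib.difok  "$(pam_opt "$2" pam_cracklib.so difok)"  0  || fails=$((fails + 1))
    check unix.remember   "$(pam_opt "$2" pam_unix.so remember)"  5  || fails=$((fails + 1))
    if pam_flag "$2" pam_cracklib.so reject_username; then
        printf 'ok    reject_username present\n'
    else
        printf 'FAIL  reject_username missing on pam_cracklib line\n'; fails=$((fails + 1))
    fi
    return $fails
}

# Stand-alone usage: audit the compliant sample.  On a real host the
# arguments would be /etc/login.defs and /etc/pam.d/system-auth-ac.
audit_password_policy "$WORK/login.defs.good" "$WORK/system-auth-ac.good"
```

Because the guide manages system-auth-ac under rcstool, an audit FAIL on a production host should be followed by "rcstool" history inspection rather than an immediate re-run of the sed: a missing reject_username after it was checked in indicates that something rewrote the file outside revision control.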

5.5 Configuring Other Session and Account Settings for OS Users

You can configure various session and account settings for the following:
  • Session inactivity
  • Account locking for invalid login attempts
  • Account locking for inactive accounts

5.5.1 Configuring Session Inactivity for OS Users

This section describes the procedure to configure session inactivity for OS users.

Perform the following procedure to configure session inactivity for OS users:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the menu and press Enter.
  4. Select Idle Terminal Timeout option from the security menu and enter the desired value in minutes for the Idle Terminal Timeout field.
  5. Click OK and press Enter.
  6. Select Exit in each of the menus until a command prompt is reached.

5.5.2 Configuring Number of Failed Login Attempts

This section describes the procedure to set the number of failed login attempts allowed before locking OS user accounts.

Perform the following procedure to configure the number of failed login attempts:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the menu and press Enter.
  4. Select User Account Locking from the menu and press Enter.
  5. Fill out the following settings:
    Feature:  ( ) disable (*) enable
    Deny after # of attempts:  <max tries>
    Fail interval in minutes: <interval minutes>
    Unlock time in minutes: <unlock time>
  6. Click OK and press Enter.
  7. Select Exit in each of the menus until a command prompt is reached.

5.5.3 Configuring Lockout Time for Inactive Accounts

This section describes the procedure to set lockout time for inactive OS user accounts.

Perform the following procedure to lock inactive OS user accounts:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to open the platcfg menu:
    $ sudo su - platcfg
  3. Select Security from the menu and press Enter.
  4. Select Inactive user locking from the menu and press Enter.
  5. Fill out the following settings:
    Feature:  ( ) disable (*) enable
    Deny after # of days of inactivity:  <max days>
    
  6. Click OK and press Enter.
  7. Select Exit in each of the menus until a command prompt is reached.
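The three User Account Locking fields of section 5.5.2 (deny count, fail interval, unlock time) interact, and it is easy to pick values that either never lock or lock for far longer than intended. The following is an added example, not part of the DSR guide: a POSIX shell model of the lockout decision that replays constructed failed-login log lines for one user. It assumes the usual Linux lockout semantics, namely that an account is locked once DENY consecutive failures fall within FAIL_INTERVAL minutes of each other and stays locked for UNLOCK_TIME minutes after the last failure; the log lines and their HH:MM:SS timestamps (all on one day) are constructed sample data, not output from a DSR host.

```shell
#!/bin/sh
# Added example (not from the DSR guide): model how "Deny after # of attempts",
# "Fail interval in minutes" and "Unlock time in minutes" combine.
# ASSUMPTION: DENY failures within FAIL_INTERVAL minutes lock the account for
# UNLOCK_TIME minutes counted from the last failure.

# Constructed extract of failed-login events (syslog-like, same day).
SAMPLE_SECURE='10:00:05 sshd[2101]: Failed password for admusr from 192.0.2.50 port 51122 ssh2
10:00:40 sshd[2101]: Failed password for admusr from 192.0.2.50 port 51123 ssh2
10:20:15 sshd[2190]: Failed password for admusr from 192.0.2.50 port 51130 ssh2
10:21:00 sshd[2190]: Failed password for admusr from 192.0.2.50 port 51131 ssh2
10:21:30 sshd[2190]: Failed password for admusr from 192.0.2.50 port 51132 ssh2'

# lockout_state USER DENY FAIL_INTERVAL_MIN UNLOCK_MIN NOW
# Reads log lines on stdin (first field HH:MM:SS) and prints "locked" or
# "open" for USER at time NOW (also HH:MM:SS).
lockout_state() {
    awk -v user="$1" -v deny="$2" -v interval="$3" -v unlock="$4" -v now="$5" '
    # seconds since midnight for an HH:MM:SS string
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    $0 ~ "Failed password for " user " " { t[n++] = secs($1) }
    END {
        nowS = secs(now); locked = 0
        # Slide a window of DENY consecutive failures over the history: the
        # account is locked if the window fits in the fail interval, its last
        # failure is not in the future, and less than UNLOCK minutes have
        # passed since that last failure.
        for (i = deny - 1; i < n; i++) {
            if (t[i] - t[i-deny+1] <= interval*60 && t[i] <= nowS && nowS - t[i] < unlock*60)
                locked = 1
        }
        print (locked ? "locked" : "open")
    }'
}

# Stand-alone usage: deny after 3 attempts within 15 minutes, unlock after 10.
printf '%s\n' "$SAMPLE_SECURE" | lockout_state admusr 3 15 10 10:25:00   # locked
printf '%s\n' "$SAMPLE_SECURE" | lockout_state admusr 3 15 10 10:35:00   # open
```

With the sample history, the two failures at 10:00 and the three between 10:20 and 10:22 only trigger a lock if the deny count is 3 or less; with deny set to 5 the 15-minute interval is never satisfied and the account stays open, which is the kind of gap a long fail interval paired with a high deny count produces. Real lockout modules apply the same idea, so this model is a planning aid, not a substitute for reading the state the module itself records.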

5.6 Updating the TPD-Provd Cipher List

This procedure describes how to update the TPD-Provd cipher list and how to verify that the update succeeded. For detailed steps, refer to Appendix P in the PMAC Configuration Guide.

5.7 Operational Dependencies on Platform Account Passwords

Change passwords only on systems that are fully configured and stable. Modifying passwords during system installation is strongly discouraged. For detailed steps, refer to the PMAC Configuration Guide.

5.8 Updating the SELinux Mode on the Server

By default, DSR ships with the SELinux mode as disabled. Run the following procedure to update the SELinux mode to permissive. You must run this procedure on each server in the topology.

The order of execution in the topology must be from A-level servers to C-level servers.

For A-level and B-level servers, the sequence of execution must be Spare -> Stand-by -> Active.

Perform the following procedure to update the SELinux mode:

  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following commands to check out the config file and update the SELinux state to permissive:
    $ sudo rcstool co /etc/selinux/config
    $ sudo sed -i 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config
  3. Run the following command to check in the config file:
    $ sudo rcstool ci /etc/selinux/config
  4. Run the following command to reboot the server:
    $ sudo init 6
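Step 2 rewrites /etc/selinux/config with a sed expression, and the reboot in step 4 is what makes the new mode take effect, so the sensible checks are to confirm the file before rebooting and the running mode afterwards. The following is an added example, not part of the DSR guide: the guide's own sed expression applied to a constructed copy of a factory /etc/selinux/config, plus small POSIX shell helpers (names are new) that read the configured mode back and compare it with the running mode reported by getenforce.

```shell
#!/bin/sh
# Added example (not from the DSR guide): apply the section's sed to a
# constructed copy of /etc/selinux/config and verify the result.  The sed
# expression is the one the guide gives; the helper names are new.

WORK=$(mktemp -d)

# Constructed sample of a factory /etc/selinux/config (SELinux disabled).
# The commented lines are deliberately included: the guide's sed anchors on
# "^SELINUX=", so they must survive untouched.
cat > "$WORK/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted
EOF

# selinux_config_mode FILE: print the configured mode (uncommented SELINUX= line).
selinux_config_mode() {
    sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1" | tail -n 1
}

# set_selinux_permissive FILE: the edit from step 2, applied to FILE.
set_selinux_permissive() {
    sed -i 's/^SELINUX=.*$/SELINUX=permissive/g' "$1"
}

# selinux_mode_valid MODE: succeed only for the three values the kernel accepts;
# anything else (a typo, a capitalised word) would leave the host in an
# undefined state after the reboot in step 4.
selinux_mode_valid() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# selinux_runtime_matches FILE: succeed when the running mode (getenforce,
# lower-cased) equals the configured one.  Before the reboot this fails, which
# is the expected "pending reboot" state; after it, it must succeed.
# Returns 2 when getenforce is not available on this host.
selinux_runtime_matches() {
    command -v getenforce >/dev/null 2>&1 || return 2
    [ "$(getenforce | tr 'A-Z' 'a-z')" = "$(selinux_config_mode "$1")" ]
}

# Stand-alone usage against the constructed copy (on a real host the file is
# /etc/selinux/config, edited under rcstool as in steps 2 and 3).
cp "$WORK/config" "$WORK/config.new"
set_selinux_permissive "$WORK/config.new"
printf 'before: %s\n' "$(selinux_config_mode "$WORK/config")"
printf 'after:  %s\n' "$(selinux_config_mode "$WORK/config.new")"
selinux_mode_valid "$(selinux_config_mode "$WORK/config.new")" && echo "mode value is valid"
```

Moving from disabled to permissive (rather than straight to enforcing) is what the guide prescribes, and permissive only logs denials; the AVC messages that appear in the audit log after the reboot are the data to review before any later decision to enforce.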