4 Implementing LSMS Security

This chapter explains the LSMS security features.

4.1 Managing User Accounts

The system administrator assigns user names and passwords, and each user name is assigned to one of the following permission groups:

  • lsmsall
  • lsmsadm
  • lsmsuser
  • lsmsuext
  • lsmsview

The permission groups govern which commands and which GUI functions the user is allowed to use.

Note:

It is possible for an individual user name to have the same value as a group name. For example, usually a user named lsmsadm is assigned to the lsmsadm permission group. Some LSMS commands require the user to be logged in with the lsmsadm user name.

For more information about managing user accounts, refer to the Alarms and Maintenance Guide.

4.2 Managing Password Security

By default, the LSMS does not provide any password expiration limit. The password expiration limit must be set by the system administrator using the LSMS GUI.

You can set the limit for password expiration from 1-180 days. After a password expires, the user cannot log in without changing the password.

For more information about setting password timeout values, refer to Alarms and Maintenance Guide.

4.3 Managing SPID Security

Association of a user name with a SPID enables the LSMS system administrator to restrict access to the following types of locally provisioned data:

  • Default global title translation (GTT)
  • Override GTT
  • GTT groups
  • Telephone number (TN) filters
  • Assignment of GTT groups and TN filters to an element management system (EMS)

Accessibility to these types of data is protected by SPID Security for any access method (for example, through the GUI, or through input data by file, audit, and reconcile).

The optional SPID Security feature is activated by Oracle customer service using secure activation procedures. After the feature is activated, the LSMS system administrator is advised to immediately define associations between user names and SPIDs. For information about associating user names with SPIDs, refer to Alarms and Maintenance Guide.

4.4 Modifying the MySQL Port

This optional feature enhances the security of LSMS databases by enabling the system administrator to change the MySQL port. By default, MySQL uses port 3306, and because this is a well-known port you should change it.

Through the LSMS GUI, the MySQL port can be configured to ports 34000-34099. The port can be maintained through the GUI, and any changes to the port setting will raise an alarm on the LSMS. The MySQL port can also be changed back to the default port if necessary.

For information about how to modify the MySQL port, refer to Alarms and Maintenance Guide.

4.5 Using Login Sessions

You can log into the LSMS command line or the LSMS GUI to configure and maintain the LSMS system.

  • You can access the command line from any terminal that has the Secure Shell (ssh) client installed.

    If your terminal does not already have ssh installed, PuTTY (Oracle does not make any representations or warranties about this product) is an open source ssh utility for Windows that you can download from the web.

  • You can access the GUI through a web browser if you activate the optional IP User Interface feature.

    If you have not activated the IP User Interface feature, you can establish a login session first from an X-windows compatible terminal and then start a GUI session.

    By default, both HTTP and HTTPS are enabled for the GUI. The lsmsadm user can disable HTTP using the following command at the LSMS command line:
    [lsmsadm@lsmspri bin]$ httpConfig.pl https
    The httpConfig.pl script is located in the /usr/TKLC/lsms/bin directory.

You must have a user ID and password before you can log in to LSMS.

For more information about using login sessions, refer to Alarms and Maintenance Guide.

4.6 Installing an SSL Certificate for LSMS With Customized Parameters

Perform the following steps to install a certificate with customized parameters:

  1. Sign the certificates on the LSMS A server:
    1. Log in to the LSMS A server as admusr.

      The key and certificate files are generated for a single IP address (the LSMS A GUI IP).

      Generate and self-sign them for that IP using the following command:

      sudo /usr/bin/openssl req -x509 -sha<SHA Hash> -nodes -days <No of days to certify the certificate for, after which the certificate shall expire> -subj "/CN=<LSMS A GUI IP address>" -newkey rsa:<RSA Key Management> -keyout /usr/TKLC/plat/etc/ssl/server.key -out /usr/TKLC/plat/etc/ssl/server.crt
  2. Sign the certificates on the LSMS B server.

    Run the same command on the LSMS B server.

  3. Restart the httpd service on both the LSMS A and B servers using the following command:
    [admusr@mps-A ~]$ sudo service httpd restart
    [admusr@mps-B ~]$ sudo service httpd restart
    
  4. Open the LSMS A and B GUI over HTTPS and install the SSL certificate.

    Use the following URL to open the LSMS GUI on the active server IP:

    https://<LSMS Active GUI IP>
  5. Verify that the certificate is installed successfully and that the LSMS A and B GUI opens successfully.
  6. Copy key and cert files for the tpdProvd process running on Port 20000.
    cp /usr/TKLC/plat/etc/ssl/server.key /usr/TKLC/plat/etc/ssl/server.pem
    cp /usr/TKLC/plat/etc/ssl/server.crt /usr/TKLC/plat/etc/ssl/server.cert
    
  7. Restart the tpdProvd process by killing the existing process and letting it restart automatically:
    ps -eaf | grep tpdProvd
    Output:
    tpdProvd 13468     1  0 03:42 ?        00:00:04 /usr/TKLC/plat/bin/tpdProvd
    kill -9 <pid>
    Example: kill -9 13468
    Run ps again to check that the process has restarted (it comes back with a new PID):
    ps -eaf | grep tpdProvd
    Output:
    tpdProvd  9090     1  3 04:09 ?        00:00:00 /usr/TKLC/plat/bin/tpdProvd
    
  8. Repeat Steps 6 and 7 on LSMS B, as well.

4.7 Installing an SSL Certificate for LSMS from a Trusted Certificate Authority

Perform the following steps to install an SSL certificate from a trusted Certificate Authority (CA):

  1. Log in as the root user on both the LSMS A and B servers, create a new directory in the root directory, and change to that new directory.

    In the following example, a certificate directory is created:

    [admusr@mps-A ~]$ pwd
    /home/admusr
    [admusr@mps-A ~]$ sudo mkdir /var/TKLC/lsms/free/certificate

    Give permissions to the new directory:

    [admusr@mps-A ~]$ sudo chmod 777 /var/TKLC/lsms/free/certificate

    Move to the new directory using the following command:

    [admusr@mps-A ~]$ cd /var/TKLC/lsms/free/certificate
  2. Generate certificate signing request (CSR) and private key files for the LSMS A server using the following commands from within the certificate directory.
    1. Enter the following commands on the LSMS A server:
      sudo /usr/bin/openssl req -sha<SHA Hash> -nodes -days <No of days to certify the certificate for, after which the certificate shall expire> -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/OU=Example Org Unit/CN=<LSMS GUI IP address, e.g. 1.1.1.1>/emailAddress=xxx@yyy.com"

      Note:

      The -subj option in the previous commands has example fields, which must be replaced with your organization-specific domain information.

      /C = Country, /ST = State, /L = Location, /O = Organization, /OU = Organizational Unit, /CN = Common Name field, which is the IP address or fully-qualified domain name that you want to use with your certificate.

      These commands generate the following files on the LSMS A server:

      [admusr@mps-A certificate]$ ls -lrt
      -rw-r----- 1 root root 1679 May 21 11:08 server.key
      -rw-r----- 1 root root 968 May 21 11:08 server.csr

    2. Enter the following command on the LSMS B server:
      sudo /usr/bin/openssl req -sha<SHA Hash> -nodes -days <No of days to certify the certificate for, after which the certificate shall expire> -newkey rsa:2048 -keyout server.key -out secserver.csr -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/OU=Example Org Unit/CN=<LSMS B GUI IP address>/emailAddress=xxx@yyy.com"

      The following files will be generated on the LSMS B server:

      [admusr@mps-B certificate]$ ls -lrt
      -rw-r----- 1 root root 1679 May 21 11:02 server.key
      -rw-r----- 1 root root 968 May 21 11:02 secserver.csr
  3. Send the generated CSR files server.csr and secserver.csr to the CA. The CA will provide signed certificate files server.crt and secserver.crt in return.
  4. Copy the files to the ssl directory and, on the LSMS B server only, rename as needed:
    1. On the LSMS A server, copy the two files generated through the openssl command (server.key and server.csr) and the file provided by the CA (server.crt) to the /usr/TKLC/plat/etc/ssl directory.
    2. On the LSMS B server, copy the two files generated through the openssl command (server.key and secserver.csr) and the file provided by the CA for the LSMS B server (secserver.crt) to the /usr/TKLC/plat/etc/ssl directory.
    3. After copying secserver.crt to the /usr/TKLC/plat/etc/ssl directory on the LSMS B server, rename it to server.crt.
  5. Restart the httpd service on both the LSMS A and LSMS B servers using the following command:
    [admusr@mps-A certificate]$ sudo service httpd restart
    [admusr@mps-B certificate]$ sudo service httpd restart
    
  6. Open the LSMS A and B GUI over HTTPS and install the SSL certificate.

    Use the following URL to open the LSMS active GUI:

    https://<LSMS Active GUI IP>
  7. Verify that the certificates installed successfully and that the LSMS A and B GUI opens successfully.
  8. If the LSMS GUI does not open, follow these steps on the LSMS A and B servers:
    1. Open the /etc/httpd/conf.d/ssl.conf file:
      [admusr@mps-A certificate]$ sudo vi /etc/httpd/conf.d/ssl.conf
    2. Edit /etc/httpd/conf.d/ssl.conf and uncomment the appropriate directives:
      • If the CA provides ca.crt (CA intermediate certificate), change from:
        #SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
        to 
        SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
      • If the CA provides CA certificate(s), change from:
        #SSLCACertificatePath /etc/httpd/conf/ca-cert
        #SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
        to
        SSLCACertificatePath /etc/httpd/conf/ca-cert
        SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
        
    3. Make sure that these files (CA certs) are copied to the right path on both servers, as mentioned in /etc/httpd/conf.d/ssl.conf.
    4. Restart the httpd service using the following command on both servers:
      [admusr@mps-A certificate]$ sudo service httpd restart
      [admusr@mps-B certificate]$ sudo service httpd restart
      
    5. Verify that the LSMS A GUI opens successfully.
  9. Copy key and cert files for the tpdProvd process running on Port 20000.
    cp /usr/TKLC/plat/etc/ssl/server.key /usr/TKLC/plat/etc/ssl/server.pem
    cp /usr/TKLC/plat/etc/ssl/server.crt /usr/TKLC/plat/etc/ssl/server.cert
    
  10. Restart the tpdProvd process by killing the existing process and letting it restart automatically:
    ps -eaf | grep tpdProvd
    Output:
    tpdProvd 13468     1  0 03:42 ?        00:00:04 /usr/TKLC/plat/bin/tpdProvd
    kill -9 <pid>
    Example: kill -9 13468
    Run ps again to check that the process has restarted (it comes back with a new PID):
    ps -eaf | grep tpdProvd
    Output:
    tpdProvd  9090     1  3 04:09 ?        00:00:00 /usr/TKLC/plat/bin/tpdProvd
    
  11. Repeat Steps 9 and 10 on LSMS B, as well.
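The openssl commands in sections 4.6 and 4.7 (and their VIP counterparts in 4.8 and 4.9) differ only in whether they produce a self-signed certificate or a CSR for a CA to sign. The shell functions below are an added example and are not part of the LSMS documentation or the product. They wrap the two cases with explicit parameters and verify the result before anything is copied into /usr/TKLC/plat/etc/ssl: that the private key belongs to the certificate, that the CN is the one requested, and that a CSR is well-formed. Note that a CSR is produced with -new, not -x509: -x509 makes openssl req emit a self-signed certificate, which a CA cannot sign. The output directories, CN values and subject string used in the checks are constructed for this example; the real paths are the ones given in the procedure.

```shell
#!/bin/sh
# Added example (not from the LSMS documentation): explicit wrappers for the
# two openssl req cases in sections 4.6 and 4.7, plus checks on the output.
# All directory names, CNs and subjects passed in are constructed by the caller.

# gen_selfsigned OUTDIR CN DAYS HASH BITS
# Self-signed key + certificate, as in section 4.6 (HASH e.g. sha256, BITS e.g. 2048).
# Writes OUTDIR/server.key and OUTDIR/server.crt.
gen_selfsigned() {
  outdir=$1; cn=$2; days=$3; hash=$4; bits=$5
  openssl req -x509 -"$hash" -nodes -days "$days" -subj "/CN=$cn" \
    -newkey "rsa:$bits" -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    >/dev/null 2>&1
}

# gen_csr OUTDIR SUBJ BITS HASH
# Key + certificate signing request for a CA, as in section 4.7.
# Uses -new rather than -x509 so that OUTDIR/server.csr is a real CSR.
gen_csr() {
  outdir=$1; subj=$2; bits=$3; hash=$4
  openssl req -new -"$hash" -nodes -newkey "rsa:$bits" \
    -keyout "$outdir/server.key" -out "$outdir/server.csr" -subj "$subj" \
    >/dev/null 2>&1
}

# key_matches_cert KEY CRT
# Succeeds only if the RSA modulus in the key equals the one in the certificate,
# i.e. the pair that will be copied into /usr/TKLC/plat/etc/ssl belongs together.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT
# Prints the subject CN so it can be compared with the GUI or VIP address.
cert_cn() {
  openssl x509 -noout -subject -in "$1" -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# csr_verify CSR
# Succeeds if the CSR's self-signature verifies, i.e. it is intact and signable.
csr_verify() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}
```

To mirror step 1 of section 4.6 on a server, run gen_selfsigned with sudo and the real values (for example gen_selfsigned /usr/TKLC/plat/etc/ssl <LSMS A GUI IP> 365 sha256 2048), then key_matches_cert and cert_cn on the two files before restarting httpd; for section 4.7, run gen_csr in the certificate directory and csr_verify on server.csr before sending it to the CA.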

4.8 Installing an SSL Certificate for VIP With Customized Parameters

Perform the following steps to install the certificate for VIP with customized parameters.

  1. Sign the certificate on the LSMS A server.

    Sign the certificate file using the following command:

    sudo /usr/bin/openssl req -x509 -sha<SHA Hash> -nodes -days <No of days to certify the certificate for, after which the certificate shall expire> -subj "/CN=<LSMS A VIP address>" -newkey rsa:<RSA Key Management> -keyout /usr/TKLC/plat/etc/ssl/server_vip.key -out /usr/TKLC/plat/etc/ssl/server_vip.crt
  2. Sign the certificates on the LSMS B server:

    Run the same command on the LSMS B server.

  3. Restart the httpd service on both the LSMS A and B servers using the following command:
    [admusr@mps-A ~]$ sudo service httpd restart
    [admusr@mps-B ~]$ sudo service httpd restart
    
  4. Open the GUI over HTTPS using the VIP address and install the SSL certificate.

    Use the following URL to open the GUI using the VIP address:

    https://<LSMS VIP IP>
  5. Verify that the certificate is installed successfully and that the GUI opens successfully.

4.9 Installing an SSL Certificate for VIP from a Trusted Certificate Authority

Perform the following steps to install an SSL certificate from a trusted Certificate Authority (CA).

  1. Log in as admusr on both LSMS A and B servers.
  2. Generate certificate signing request (CSR) and private key files for the LSMS A server using the following commands from within the certificate directory.

    Enter the following commands on the LSMS A server:

    sudo /usr/bin/openssl req -sha<SHA Hash> -nodes -days <No of days to certify the certificate for, after which the certificate shall expire> -newkey rsa:2048 -keyout server_vip.key -out server_vip.csr -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/OU=Example Org Unit/CN=<LSMS VIP IP address>/emailAddress=xxx@yyy.com"

    Note:

    The -subj option in the previous commands has example fields, which must be replaced with your organization-specific domain information.

    /C = Country, /ST = State, /L = Location, /O = Organization, /OU = Organizational Unit, /CN = Common Name field, which is the IP address or fully-qualified domain name that you want to use with your certificate.

    These commands generate the following files on the LSMS A server:

    [admusr@mps-A certificate]$ ls -lrt
    -rw-r----- 1 root root 1679 May 21 11:08 server_vip.key
    -rw-r----- 1 root root 968 May 21 11:08 server_vip.csr

  3. Generate the CSR and private key files for the LSMS B server by repeating step 2 on the LSMS B server, naming the CSR serverB_vip.csr.

    The following files will be generated on the LSMS B server:

    [admusr@mps-B certificate]$ ls -lrt
    -rw-r--r-- 1 root root 1679 May 21 11:02 server_vip_v4.key
    -rw-r--r-- 1 root root 968 May 21 11:02 serverB_vip_v4.csr

  4. Send the generated CSR files (server_vip.csr, serverB_vip.csr) to the CA. The CA will provide signed certificate files (server_vip.crt, serverB_vip.crt) in return.
  5. Copy the files to the ssl directory and rename as needed:
    1. On the LSMS A server, copy the two files generated through the openssl command (server_vip.key and server_vip.csr) and the file provided by the CA (server_vip.crt) to the /usr/TKLC/plat/etc/ssl directory.
    2. On the LSMS B server, copy the two files generated through the openssl command (server_vip.key and secserverB_vip.csr) and the file provided by the CA for the LSMS B server (secserverB_vip.crt) to the /usr/TKLC/plat/etc/ssl directory.
    3. After copying secserverB_vip.crt to the /usr/TKLC/plat/etc/ssl directory on the LSMS B server, rename it to server_vip.crt.
  6. Restart the httpd service on both the LSMS A and LSMS B servers using the following command:
    [admusr@mps-A certificate]$ sudo service httpd restart
    [admusr@mps-B certificate]$ sudo service httpd restart
    
  7. Open the LSMS GUI over HTTPS using the VIP address and install the SSL certificate.

    Use the following URL to open the LSMS GUI using the VIP address:

    https://<LSMS VIP IP>
  8. Verify that the certificates installed successfully and that the LSMS A and B GUI opens successfully.
  9. If the LSMS GUI does not open, follow these steps on the LSMS A and B servers:
    1. Open the /etc/httpd/conf.d/ssl.conf file:
      [admusr@mps-A certificate]$ sudo vi /etc/httpd/conf.d/ssl.conf
    2. Edit /etc/httpd/conf.d/ssl.conf and uncomment the appropriate directives:
      • If the CA provides ca.crt (CA intermediate certificate), change from:
        #SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
        to 
        SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
      • If the CA provides CA certificate(s), change from:
        #SSLCACertificatePath /etc/httpd/conf/ca-cert
        #SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
        to
        SSLCACertificatePath /etc/httpd/conf/ca-cert
        SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
        
    3. Make sure that these files (CA certs) are copied to the right path on both servers, as mentioned in /etc/httpd/conf.d/ssl.conf.
    4. Restart the httpd service using the following command on both servers:
      [admusr@mps-A certificate]$ sudo service httpd restart
      [admusr@mps-B certificate]$ sudo service httpd restart
      
    5. Verify that the LSMS GUI opens successfully.
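Sub-step 2 of step 9 above (and of step 8 in section 4.7) is a two-line edit of /etc/httpd/conf.d/ssl.conf, and sub-step 3 is the check that usually explains why the GUI still fails afterwards: a directive is now active but the file it names was never copied. The shell functions below are an added example, not from the LSMS documentation or the product. They make the same edit with sed, confirm that a directive is active, and list every path named by an active SSLCertificate*/SSLCA* directive and fail if one is missing, so the check can be run before httpd is restarted. The ssl.conf fragment is constructed for this example; the directive names and paths in it are the ones from the text.

```shell
#!/bin/sh
# Added example (not from the LSMS documentation): automate the ssl.conf edit in
# step 9 / step 8 and check the referenced files before restarting httpd.
# The sample configuration below is constructed; the real file is
# /etc/httpd/conf.d/ssl.conf.

SAMPLE_SSL_CONF='SSLEngine on
SSLCertificateFile /usr/TKLC/plat/etc/ssl/server.crt
SSLCertificateKeyFile /usr/TKLC/plat/etc/ssl/server.key
#SSLCertificateChainFile /etc/httpd/conf/ssllcrt/ca.crt
#SSLCACertificatePath /etc/httpd/conf/ca-cert
#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt'

# write_sample FILE: materialise the constructed fragment for a dry run.
write_sample() {
  printf '%s\n' "$SAMPLE_SSL_CONF" > "$1"
}

# uncomment_directive FILE DIRECTIVE
# Removes the leading '#' from lines that are exactly a commented DIRECTIVE
# (leading whitespace allowed). Writes via a temp file instead of sed -i so it
# behaves the same on GNU and BSD sed.
uncomment_directive() {
  file=$1; directive=$2; tmp="$file.tmp"
  sed "s/^\([[:space:]]*\)#\($directive[[:space:]]\)/\1\2/" "$file" > "$tmp" &&
    mv "$tmp" "$file"
}

# enable_chain_file FILE: the case where the CA supplies an intermediate (ca.crt).
enable_chain_file() {
  uncomment_directive "$1" SSLCertificateChainFile
}

# enable_ca_certs FILE: the case where the CA supplies CA certificate(s).
enable_ca_certs() {
  uncomment_directive "$1" SSLCACertificatePath
  uncomment_directive "$1" SSLCACertificateFile
}

# directive_active FILE DIRECTIVE: succeeds if DIRECTIVE appears uncommented.
directive_active() {
  grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"
}

# referenced_files_exist FILE
# Mirrors sub-step 3: every path named by an active SSLCertificate*File or
# SSLCA*File/Path directive must exist (SSLCACertificatePath is a directory).
# Prints the first missing path on stderr and fails.
referenced_files_exist() {
  awk '/^[[:space:]]*SSL(Certificate|CA)[A-Za-z]*(File|Path)[[:space:]]/ {print $2}' "$1" |
  while read -r p; do
    [ -e "$p" ] || { echo "missing: $p" >&2; exit 1; }
  done
}
```

On a server, run the enable function that matches what the CA delivered against /etc/httpd/conf.d/ssl.conf (with sudo), then referenced_files_exist on the same file; only when it succeeds restart httpd as in sub-step 4.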