Data Storage Security

In Acme Packet Release C5.0, the Oracle Communications Session Border Controller supports more secure storage of the various passwords used for system functions and for certain system features. These include: administration, certificate private key information, and manual IPSec security association key information. In addition, the Oracle Communications Session Border Controller now stores passwords in a more secure manner when you enable password-secure mode.

Note:

Before enabling the features described in this section, you should be certain that you want to upgrade to Acme Packet OS Release C5.0.

Considerations When Enabling Data Storage Security

The features in this group make your system more secure by making it difficult for an outsider to tamper with the sensitive information used for IPSec, TLS, and HDR, and with your passwords in secure-password mode.

If you use these security measures, you should be careful to:

  • Guard against losing your secure data password.
  • Enable secure-password mode after upgrading to Acme Packet Release C5.0, and only when you are certain that you will not need to fall back to an earlier software image.

Note that password-secure mode is not enabled by default on your system. This preserves backward compatibility, so you need to enable password-secure mode if you want to use it, and you should exercise caution when you enable it.

About Oracle Communications Session Border Controller Password Features

This section describes the multiple ways that password support has been expanded and improved to provide your system with a greater degree of security. It contains information about new password support for configurations, configuration migration, new password requirements and backwards compatibility.

Protected Configuration Password for TLS, IPSec, and HDR

You can now set a password for your configuration to guard sensitive information for TLS, IPSec, and HDR configurations.

Once you set the protected configuration password, the older configuration can become unusable unless you set the password back to the old value when creating the backup configuration. During the verification and activation of a configuration, the Oracle Communications Session Border Controller checks these values. If there is a conflict and the Oracle Communications Session Border Controller cannot access encrypted data using the password information you set, it displays a message notifying you of the fact.

Note that for HA nodes, the Oracle Communications Session Border Controller requires you to update the new password manually both on the active and on the standby systems.

Configuration Migration

If you want to move a configuration file from one Oracle Communications Session Border Controller to another, the Oracle Communications Session Border Controller checks passwords during the verification and activation processes. If there is a conflict and the Oracle Communications Session Border Controller cannot access encrypted data using the password information you set, it displays a message notifying you of the fact.

However, you can still reuse this configuration. Simply enter the correct protected configuration password information, and then verify and activate the configuration again.

Password Requirements

Since we are inclined to select passwords that are easy for us to remember, the Oracle Communications Session Border Controller has several requirements for passwords that make them more difficult to tamper with. The passwords you enter on the Oracle Communications Session Border Controller must be:

  • Between 8 and 20 characters in length
  • Comprised of both alphabetical and numeric characters, where your password must have at least one non-alphabetical character
  • Comprised of both upper and lower case letters, where your password must have at least one upper case character and one lower case character
  • Void of any of the passwords commonly used as default on the Oracle Communications Session Border Controller: default, password, acme, packet, user, admin

Note on Backwards Compatibility

Since the password requirements for previous releases of the Acme Packet OS do not meet the new criteria that have been defined for Acme Packet Release C5.0, the password-secure mode is disabled by default. Once you are certain that you want to run Acme Packet Release C5.0, you can enable the new password feature.

When you enable the password-secure mode, all old passwords become invalid. These old passwords are rendered useless in order to close any possible holes in security.

Password Reset and Recovery

The enhancements to password protection on the Oracle Communications Session Border Controller have been intentionally implemented so that password recovery and reset are not accessible through the ACLI. Acme Packet strongly recommends that you treat this password information with care and take all precautions against losing it.

For both password secure mode and the protected configuration password, the process for recovery and reset involves loading a diagnostics image on your system. For information about loading and running diagnostics, contact Acme Packet Customer Support.

Password Policy

When you use password secure mode on your Oracle Communications Session Border Controller, you can now configure the minimum acceptable length for a secure password if you have Superuser (administrative) privileges. The maximum password length is 64 characters.

In password secure mode, your password requires three out of four of the following:

  • Upper case letters
  • Lower case letters
  • Numbers
  • Punctuation marks

However, a secure mode password cannot contain any of the following strings in any variation of case: default, password, acme, user, admin, packet.

Any change you make to the password length requirement does not go into effect until you configure a new password (and are in password secure mode). Pre-existing passwords can continue to be used until you go to change them.
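Because a lost password can only be recovered through a diagnostics image, it helps to check a candidate against the rules before typing it at the ACLI. The following is an added example, not code from the original page or from Oracle; it implements the rules listed under Password Requirements and Password Policy, and the function names, the reading of "void of" as an exact match, and the ASCII definition of punctuation are assumptions.

```python
import string

# Strings the page lists as forbidden defaults.
FORBIDDEN = ("default", "password", "acme", "packet", "user", "admin")


def check_requirements(pw):
    """Rules from "Password Requirements". Returns a list of violations."""
    problems = []
    if not 8 <= len(pw) <= 20:
        problems.append("length must be between 8 and 20 characters")
    if all(c.isalpha() for c in pw):
        problems.append("needs at least one non-alphabetical character")
    if not any(c.isupper() for c in pw):
        problems.append("needs at least one upper case letter")
    if not any(c.islower() for c in pw):
        problems.append("needs at least one lower case letter")
    # Assumption: "void of" the defaults means not equal to one of them,
    # compared without regard to case.
    if pw.lower() in FORBIDDEN:
        problems.append("is a commonly used default password")
    return problems


def check_secure_mode(pw, min_secure_pwd_len=8):
    """Rules from "Password Policy" (password secure mode)."""
    if not 8 <= min_secure_pwd_len <= 64:
        raise ValueError("min-secure-pwd-len must be between 8 and 64")
    problems = []
    if len(pw) < min_secure_pwd_len:
        problems.append(f"shorter than min-secure-pwd-len ({min_secure_pwd_len})")
    if len(pw) > 64:
        problems.append("longer than the 64-character maximum")
    # Assumption: "punctuation marks" means the ASCII set in string.punctuation.
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < 3:
        problems.append("needs three of: upper, lower, numbers, punctuation")
    # Forbidden strings are matched anywhere in the password, in any case.
    hits = [s for s in FORBIDDEN if s in pw.lower()]
    if hits:
        problems.append("contains forbidden string: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Blue7Harbor", "river-stone-42", "MyAdMiN#2024x", "acme"):
        print(candidate)
        print("  requirements:", check_requirements(candidate) or "ok")
        print("  secure mode :", check_secure_mode(candidate) or "ok")
```

The sample "river-stone-42" passes the secure mode rules (three of four classes) but fails Password Requirements, which demand an upper case letter.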

Upgrade to ACP

Another measure Acme Packet Release C5.0 takes to provide enhanced security is upgrading the version of the Acme Control Protocol (ACP) from version 1.0 to version 1.1. Version 1.0 uses normal digest authentication, but version 1.1 uses advanced digest authentication. Advanced digest authentication does not require that credentials be stored in a reversible format; it uses a pre-calculated hash to construct the digest value. In ACP version 1.1, there is an additional directive (user credentials hash algorithm) in the Authentication header so that the server (such as the Acme Packet EMS) can calculate the proper digest.
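The idea of building a digest from a pre-calculated hash can be shown with an HTTP Digest-style construction (as in RFC 2617). This is an added illustration, not code from the original page or from Oracle: the page does not describe ACP's wire format, so the Verifier class, the answer function, and the realm, method and uri fields are assumptions used as a stand-in.

```python
import hashlib
import hmac
import secrets

HASHES = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def h(algorithm, text):
    return HASHES[algorithm](text.encode("utf-8")).hexdigest()


def credential_hash(algorithm, username, realm, password):
    """Pre-calculated once when the password is set; not reversible."""
    return h(algorithm, f"{username}:{realm}:{password}")


def digest(algorithm, cred_hash, nonce, method, uri):
    """Digest value built from the stored hash, never from the password."""
    request_hash = h(algorithm, f"{method}:{uri}")
    return h(algorithm, f"{cred_hash}:{nonce}:{request_hash}")


class Verifier:
    """Side that stores credentials (hypothetical stand-in, not ACP code)."""

    def __init__(self, realm):
        self.realm = realm
        self.store = {}      # username -> (algorithm, credential hash)
        self.nonces = set()  # outstanding single-use nonces

    def set_password(self, username, password, algorithm="SHA-256"):
        self.store[username] = (
            algorithm, credential_hash(algorithm, username, self.realm, password))

    def challenge(self, username):
        # The algorithm directive tells the peer how the credential was hashed.
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce,
                "algorithm": self.store[username][0]}

    def verify(self, username, nonce, method, uri, response):
        if nonce not in self.nonces:
            return False  # unknown or already used nonce
        self.nonces.discard(nonce)
        algorithm, cred_hash = self.store[username]
        expected = digest(algorithm, cred_hash, nonce, method, uri)
        return hmac.compare_digest(expected, response)


def answer(challenge, username, password, method, uri):
    """Peer side: derive the same hash from the password, then the digest."""
    alg = challenge["algorithm"]
    cred = credential_hash(alg, username, challenge["realm"], password)
    return digest(alg, cred, challenge["nonce"], method, uri)
```

In this construction the stored hash is enough to compute valid responses for its realm, so the credential store still needs access control and integrity protection.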

SSH Password Considerations

Your existing SSH password will still work after you upgrade to Acme Packet Release C5.0. However, because this password is no longer stored in the /code/ssh directory, a warning will appear every time the SSH server accesses the file for user authentication:

ORACLE# Cannot check the integrity of SSH password storage.
Should consider reset the SSH password.

As of Acme Packet Release C5.0, the hash of the password is saved. The file with the password also contains information that guards integrity to prevent tampering.

Resetting your password will prevent the warning messages and make your SSH sessions more secure. The procedure for setting your SSH password is the same as in prior releases.

Password Administration

This section shows you how to set a password policy.

Setting a Protected Configuration Password: Matching Configurations

You set a protected configuration password using the ACLI secret command. As the system warning indicates when you start this process, changing the password makes backup and archived configurations unusable and requires you to change the password on the standby system in an HA node (if applicable).

When your saved and active configurations match, the process will proceed as in the sample below. However, when the saved and active configurations are out of sync, the Oracle Communications Session Border Controller requires you to correct the condition by activating the configuration (using the ACLI activate-config command).

To set a protected configuration password when configuration data is in sync:

  1. In Superuser mode, type secret config at the system prompt and press Enter.
    ORACLE# secret config
  2. The Oracle Communications Session Border Controller issues a warning for the change you are about to make, and asks you to confirm whether or not you want to proceed. Type a y and press Enter to continue; type an n and press Enter to abort the process.
    --------------------------------------------------
    WARNING:
    Proceed with caution!
    Changing the configuration password will result in any
    previous backup/archive configuration unusable.
    You also need to change the password on any stand-by
    SDs when you have changed the password successfully
    --------------------------------------------------
    Are you sure [y/n]?: y
  3. Then the system asks for the old configuration password.
    Enter old password  : [your entry will not echo]

    If your entry does not match the old password, the system displays an error message: % Password mismatch - aborted.

    If your entry matches, you will be asked for the new password.

  4. Enter the new configuration password. Your entry must conform to the Password Requirements for Acme Packet Release C5.0.
    Enter new password  : [your entry will not echo]
  5. Confirm the new configuration password and press Enter. The Oracle Communications Session Border Controller first displays a message letting you know that it is changing the password, and then another message confirming the change. It also prompts you to save and activate your configuration.
    Enter password again: [your entry will not echo]
    Changing the configuration password...
    Be patient. It might take a while...
    Preparing backup...
    Creating backup...
    Done
    Removing backup...
    Done
    Configuration password changed
    ORACLE#

Setting a Protected Configuration Password: Mismatched Configurations

When the saved and active configurations are out of sync, the Oracle Communications Session Border Controller requires you to correct the condition by activating the configuration (using the ACLI activate-config command). Once this is complete, you can carry out the process for setting a protected configuration password.

To set a protected configuration password when the saved and active configurations are different:

  1. In Superuser mode, type secret config at the system prompt and press Enter.
    ORACLE# secret config
  2. The Oracle Communications Session Border Controller issues a warning for the change you are about to make, and asks you to confirm whether or not you want to proceed. Type a y and press Enter to continue; type an n and press Enter to abort the process.
    --------------------------------------------------
    WARNING:
    Proceed with caution!
    Changing the configuration password will result in any
    previous backup/archive configuration unusable.
    You also need to change the password on any stand-by
    SDs when you have changed the password successfully
    --------------------------------------------------
    Are you sure [y/n]?: y
    Currently active (137) and saved configurations (138) do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
    ORACLE#
  3. Use the activate-config command to synchronize the saved and active configurations.
    *ORACLE# activate-config
    Activate-Config received, processing.
    waiting 120000 for request to finish
    Request to 'ACTIVATE-CONFIG' has Finished,
    Activate Complete
  4. Continue with the process described in Setting a Protected Configuration Password: Matching Configuration.

Setting a Protected Configuration Password: Committing Changes

This section describes the process of committing the changes you have made by saving and activating configurations when both the configuration data and password have been updated. Committing the changes means saving and activating your configuration.

To commit your protected configuration password changes:

  1. Carry out the process described in Setting a Protected Configuration Password: Matching Configuration.
  2. After you have finished and the system is done creating a backup, the system reminds you that you need to save and activate.
    Preparing backup...
    Creating backup...
    Done
    updating cert-record name: end
    updating cert-record name: ca
    updating security-association name: sa1
    Removing backup...
    Done
    ----------------------------------------------
    WARNING:
    Configuration changed, run 'save-config' and
    'activate-config' commands to commit the changes.
    ----------------------------------------------
  3. Save your configuration using the save-config command.
    ORACLE# save-config
    Save-Config received, processing.
    waiting 1200 for request to finish
    Copy OK: 8516 bytes copied
    Copy OK: 8517 bytes copied
    Request to 'SAVE-CONFIG' has Finished,
    Save complete
  4. Activate your configuration using the activate-config command.
    *ORACLE# activate-config
    Activate-Config received, processing.
    waiting 120000 for request to finish
    Request to 'ACTIVATE-CONFIG' has Finished,
    Activate Complete

Changing Protected Configuration Password on a Standby System in an HA Node

When changing the protected configuration password for an HA node, you carry out the Setting a Protected Configuration Password: Matching Configuration process (or one of the related processes) on the active system, and then you must manually change the password on the standby. However, changing the protected configuration password on the standby is an abbreviated process.

To change the protected configuration password on a standby system in an HA node:

  1. On the stand-by system, delete the configuration using the delete-config command.
    ORACLE2# delete-config
  2. On the active system, update the configuration password.
    ORACLE1# secret config

    Carry out all of the subsequent confirmations, paying close attention to the warnings.

  3. On the stand-by system, update the configuration password. Ensure that the password you set on the stand-by matches the password you set on the active system.
    ORACLE2# secret config

    Carry out all of the subsequent confirmations, paying close attention to the warnings.

  4. On the stand-by system, acquire the configuration from the active system using the acquire-config command.
    ORACLE2# acquire-config
  5. Reboot the stand-by system.
    ORACLE2# reboot

Confirming Synchronous Protected Configuration Password and Configuration

To confirm that your protected configuration password and configuration are synchronized:

  1. In Superuser mode, type verify-config at the system prompt and press Enter.
    ORACLE2# verify-config
    Checking configuration data...
    OK: configuration password is in sync with the configuration data

Configuration Migration

This section provides instructions for moving your configuration file from one Oracle Communications Session Border Controller to another. Additional checking has been added to the verification and activation processes. To describe how to migrate a configuration, this section uses the designations Oracle Communications Session Border Controller1 and Oracle Communications Session Border Controller2, where:

  • Oracle Communications Session Border Controller1 has the configuration you want to copy and move
  • Oracle Communications Session Border Controller2 is the system to which you want to migrate the configuration from Oracle Communications Session Border Controller1

    Note:

    For Acme Packet OS Release C5.0, the protected configuration password only applies if you are using TLS, IPSec, and/or HDR. The coverage (range of Oracle Communications Session Border Controller configurations) offered by the protected configuration password might expand in the future.

To migrate a configuration from Oracle Communications Session Border Controller1 (where the password configuration has been set) to Oracle Communications Session Border Controller2:

  1. Ensure that the protected configuration passwords on Oracle Communications Session Border Controller1 and Oracle Communications Session Border Controller2 are the same.
  2. On Oracle Communications Session Border Controller1, back up a well-working configuration that you also want to use on Oracle Communications Session Border Controller2. Use the backup-config command. The ACLI tells you when the backup has been saved.
    ORACLE1# backup-config copyConfig1
    task done
  3. On Oracle Communications Session Border Controller2, update the protected configuration password if necessary.
  4. On Oracle Communications Session Border Controller2, delete the configuration using the delete-config command.
    ORACLE2# delete-config
  5. On Oracle Communications Session Border Controller2, use the restore-backup-config command with the appropriate file name for the backup from Oracle Communications Session Border Controller1. Save the configuration once the backup is restored.
    ORACLE2# restore-backup-config copyConfig1
    Need to perform save-config and activate/reboot activate for changes to take effect...
    task done
    ORACLE2# save-config
    Save-Config received, processing.
    waiting 1200 for request to finish
    Request to 'SAVE-CONFIG' has Finished,
    Save complete
    Currently active and saved configurations do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
  6. Before activating the configuration, verify it.
    ORACLE2# verify-config
    …
    Checking configuration password...
    OK: configuration password is in sync with the configuration data
    …
  7. Activate the configuration on Oracle Communications Session Border Controller2.
    ORACLE2# activate-config
    Activate-Config received, processing.
    waiting 120000 for request to finish
    Request to 'ACTIVATE-CONFIG' has Finished,
    Activate Complete

Setting the Password Policy

In the security ACLI path, you will find the password-policy configuration. It contains the min-secure-pwd-len parameter where you set the length requirement—between 8 and 64 characters—to use for passwords when password secure mode is enabled. For example, if you set this value to 15, then your password must be a minimum of 15 characters in length.

To set the minimum password length to use for password secure mode:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
    ORACLE(configure)#
  2. Type security and press Enter.
    ORACLE(configure)# security
    ORACLE(security)#
  3. Type password-policy and press Enter.
    ORACLE(security)# password-policy
    ORACLE(password-policy)#
  4. min-secure-pwd-len—Enter a value between 8 and 64 characters that defines the minimum password length to use when in password secure mode. This parameter defaults to 8.
  5. Save and activate your configuration.