03 Mn1226eu09mn 0003 Security Management


  • Security Management Siemens

    MN1226EU09MN_0003 2002 Siemens AG

    Contents

    1 Authorization Concept at SC 3

    1.1 Access Restriction 4

    1.2 The internal Login at the Network Element 6

    1.3 Authentication 8

    1.4 User Group Philosophy 10

    2 Establishing a First Connection to the Network Element 13

    2.1 Preconditions 14

    2.2 Management of Network Element User IDs at the Switch Commander 16

    2.3 Grant Network Element Access 18

    2.4 Communication Link Setup 20

    3 Access Restriction at SC Database 23

    3.1 Access Restriction at SC and NE 24

    3.2 Management of NT Users and User Groups 26

    3.3 Management of Switch Commander Users and User Groups 30

    3.4 Managing Task Trees 36

    4 Access Restriction at the NE 47

    4.1 Management of Network Element User ID at the Switch Commander 48

    4.2 Access Restriction for DIALG (MML) at CP 52

    4.3 Access Restriction for Q3 at MP 56

    4.4 File Transfer Security Management 69

    4.5 File Transfer Security Management at CP 70

    4.6 File Transfer Security Management at MP 73

    5 Assign Network Elements to User Groups 83


    5.1 Grant Network Element Access 84

    5.2 Communication Link Setup 86

    5.3 Summary 90


    1 Authorization Concept at SC

    Fig. 1


    1.1 Access Restriction

    User Authorization / Authentication by WindowsNT

    The only password which has to be entered to authorize for the execution of commands is the Windows NT password.

    SC User Group

    To be a Switch Commander user, a WinNT user must be a member of at least one SC user group.

    Network Elements

    For every user group it is specified which NEs the members of this user group have access to.

    Task Group

    In the SC database it is specified for every NE / user group combination which tasks can be executed.

    SC Applications

    The individual SC applications are assigned to the specific SC / WindowsNT user.


    Fig. 2 Access authorization at SC (NT user -> SC user -> SC user group -> assigned NEs, task group and SC applications)


    1.2 The internal Login at the Network Element

    Automatic Login

    The login at the network element (CP or MP) is no longer done by the operator himself but automatically by the SC system.

    One Userid per User Group

    When the first user of an SC user group starts the execution of a command, the SC system opens a session at the network element.

    For this an internal user ID is used, which has been created both in the SC and in the NE database.

    This user ID is assigned to the SC user group, which means that all users of this user group appear with the same internal user ID in the NE internal log file.

    Internal passwords

    The passwords used for the internal user IDs have to be administered manually the first time. This has to be done at the NE and in the SC database.

    Later on, every time the NE password expires, the SC system automatically creates new internal passwords using a random number scheme. These passwords are not visible to the operator.

    Network Elements with Q3 interface

    At network elements with a Q3 interface a special internal user ID is used:

    The user ID used in this case is a parameter specified in the Q3 standard: the Application Entity Title (AET).

    The AET consists of two parts:

    The Application Process Title (APT), which specifies a worldwide unique ID for the NE or the communication server (CS);

    The Application Entity Qualifier (AEQ), which specifies the individual internal user ID on the NE or CS.


    Fig. 3 Internal Login at NE (NT user -> SC user -> user group / task group -> internal login at the network element with CP user ID + password or AET + password)

    SUMMARY In simple words: APT + AEQ = AET

    The APT consists of ten numbers. The first five numbers specify the network provider, the second five numbers are assigned to the specific NE or CS by the network provider.

    TIP

    At the MP database the internal User ID (AET) is called "Initiator".

    The task to create an initiator is "CR INI".


    1.3 Authentication

    Access protection is provided in two stages. In the first stage, the user must log on to the terminal (SC or another operating system) and identify himself as an authorized user. This involves the creation of user IDs, passwords and user groups using the resources of the operating system available on this system. This user must also be configured as a Switch Commander user, so he must be a member of at least one Switch Commander user group.

    Only when authorized users have logged on under these conditions can they connect to the network node. There the second stage of the access protection function applies, i.e. the Q3 access protection of a GSN or the user ID authentication mechanism of a Classic EWSD.

    1. Depending on the kind of Switch Commander system, the Windows NT user ID information is stored on different machines (PDC for Client/Server) or on the same machine (SAM of a single WS). This information is checked against the information entered during the login attempt. Additional information about access rights and available applications is stored in the Oracle database of the File Server. Using this information the corresponding profile (Start -> Programs -> Switch Commander) is recreated after the successful login. This procedure takes some seconds, so you should wait patiently before launching a Switch Commander application.

    2. Depending on the network element at which you are going to execute a command, different authentication mechanisms are implemented. At a Q3 based network element, like a GSN or STP, every Switch Commander user group has an initiator and a password to establish a Q3 session. Using e.g. allow rules and deny rules for these initiators, different Q3 tasks are granted to these user groups. Classic network elements accessed via X.25 and MML commands use user IDs and passwords, too. Only those Switch Commander user groups having a valid user ID/password pair at the network element are allowed to open a session and to execute a command. As at the Q3 based network elements, this user ID must be a member of a network element authorization class to be allowed to perform a specific command.


    Fig. 4 Two-stage access protection: (1) Windows NT login, (2) check of user/password at the PDC, (3) Switch Commander check of the user group at the FS, (4) network element check of the initiator (MP, via CS over TCP/IP) or of user ID/password (CP, via X.25)


    1.4 User Group Philosophy

    At the Switch Commander side there exist two different types of user groups:

    WinNT User Groups

    The Windows NT user groups are automatically generated during the installation of the Primary Domain Controller or the Workstation. Every Windows NT user must be a member of at least one WinNT user group.

    WinNT User Groups for Switch Commander

    There are two special WinNT user groups generated during the installation of the Switch Commander. Both user groups are reserved for Switch Commander users and are used to grant them access to the different Switch Commander directories.

    The names of these user groups depend on the name of the specific Switch Commander system. This name is given during the installation of the File Server and is used to identify the different SC systems within one WinNT domain.

    Examples for these special user group names are:

    SCName-SCAdmins and SCName-SCUsers where SCName is the name of the SC system.

    Switch Commander User Groups

    Membership in an SC user group has more influence on the access rights of an SC user than membership in a WinNT user group.

    Via this membership, access to different commands, directories and files is restricted or granted. Because a user can be a member of more than one group, the access/deny rights are the sum of the access/deny rights of all user groups the user is a member of.

    The SC user groups are stored in the Oracle database at the File Server. The configuration of these SC user groups is done from the SC application "SC Administration".

    WARNING

    Never assign a WinNT user manually (with the WinNT User Manager application) to the special WinNT user groups! The assignment is done automatically when the WinNT user becomes a member of the first SC user group.


    Fig. 5 Windows NT and Switch Commander user groups (Windows NT side: SCName-SCAdmins, SCName-SCUsers; Switch Commander side: SC user groups Administrators, 1 and 2; users A, B and C)

    SUMMARY A Switch Commander user must be a member of an NT user group (stored at the PDC) to have access to Windows NT. Additionally he must be a member of a Switch Commander user group (stored at the FS) to have access to the Switch Commander application. The commands he is allowed to execute at the network element depend on the SC user group he is a member of.
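    The authorization chain of sections 1.1, 1.2 and 1.4 (NT user -> SC user group(s) -> assigned NEs -> task group per NE/user-group pair -> one shared internal NE user ID per group, rights summed over all groups), written out as a small policy model. This is an added example, not code from the Siemens product or this manual; all group names, NE names, task names and the CP user ID are constructed sample data, only the APT is the example value quoted in section 2.4.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AET:
    """Application Entity Title: APT + AEQ = AET (section 1.2).
    The APT consists of ten numbers; the first five identify the network
    provider, the last five the NE or communication server."""
    apt: tuple
    aeq: int

    def __post_init__(self):
        if len(self.apt) != 10 or any(n < 0 for n in self.apt):
            raise ValueError("APT must consist of ten non-negative numbers")

    @property
    def provider_part(self):
        return self.apt[:5]

    @property
    def ne_part(self):
        return self.apt[5:]

    def __str__(self):
        return "{%s} AEQ %d" % (" ".join(map(str, self.apt)), self.aeq)


@dataclass
class SCUserGroup:
    name: str
    # NE name -> set of tasks this group may execute at that NE (the task group)
    tasks_per_ne: dict = field(default_factory=dict)
    # NE name -> internal user ID used for the automatic login:
    # an AET for Q3 NEs (MP), a CP user ID string for classic NEs (CP)
    ne_user_ids: dict = field(default_factory=dict)


@dataclass
class SCDatabase:
    groups: dict   # SC user group name -> SCUserGroup
    members: dict  # Windows NT user name -> set of SC user group names

    def is_sc_user(self, nt_user):
        # A WinNT user is an SC user only if member of at least one SC user group.
        return bool(self.members.get(nt_user))

    def allowed_tasks(self, nt_user, ne):
        # Section 1.4: rights are the sum over all groups the user is member of.
        allowed = set()
        for gname in self.members.get(nt_user, ()):
            allowed |= self.groups[gname].tasks_per_ne.get(ne, set())
        return allowed

    def authorize(self, nt_user, ne, task):
        """(group, internal NE user ID) pairs under which the task may run;
        empty if not authorized.  A group with the task but without an
        internal user ID for that NE cannot open the session (section 1.2)."""
        if not self.is_sc_user(nt_user):
            return []
        hits = []
        for gname in sorted(self.members[nt_user]):
            g = self.groups[gname]
            if task in g.tasks_per_ne.get(ne, set()) and ne in g.ne_user_ids:
                hits.append((gname, g.ne_user_ids[ne]))
        return hits

    def users_behind_internal_id(self, ne, internal_id):
        """Audit caveat from section 1.2: an NE log line carries the shared
        internal user ID, so it can only be traced back to the whole SC user
        group; the SC-side log is needed to identify the individual."""
        result = set()
        for gname, g in self.groups.items():
            if g.ne_user_ids.get(ne) == internal_id:
                result |= {u for u, gs in self.members.items() if gname in gs}
        return sorted(result)


SAMPLE_APT = (1, 3, 12, 2, 1107, 3, 0, 2, 2, 1)  # example APT from section 2.4


def sample_db():
    # Constructed sample configuration (hypothetical names throughout).
    ops = SCUserGroup("Operators",
                      tasks_per_ne={"MP-A": {"DISP ALARM", "DISP EQ"},
                                    "CP-B": {"DISP SUB"}},
                      ne_user_ids={"MP-A": AET(SAMPLE_APT, 2), "CP-B": "OPUSER"})
    sec = SCUserGroup("SC Security",
                      tasks_per_ne={"MP-A": {"MOD PASSWORD"}},
                      ne_user_ids={"MP-A": AET(SAMPLE_APT, 5)})
    # Task assigned, but no NE user ID created yet (see section 2.2)
    planners = SCUserGroup("Planners", tasks_per_ne={"CP-B": {"CR SUB"}})
    return SCDatabase(
        groups={g.name: g for g in (ops, sec, planners)},
        members={"scop1": {"Operators"},
                 "scop2": {"Operators", "SC Security"},
                 "planner": {"Planners"},
                 "ntonly": set()})   # valid NT user, but no SC user group
```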


    2 Establishing a First Connection to the Network Element

    Fig. 6


    2.1 Preconditions

    This part of the documentation gives you a sequence of steps to establish a first connection to the network element.

    This sequence only works if certain preconditions are fulfilled.

    This sequence also only establishes a first connection to the network element; things like security settings or alarm forwarding are not explained in this part. They will be explained later on.


    Fig. 7 Preconditions for establishing a first connection to the Network Element:

    All services have been activated and started

    The corresponding SC users and user groups already exist

    The settings for the Switch Commander and for the network element database have already been made (according to chapter Communication Database)

    The security setting of the MP is still in the default mode: any internal user ID (initiator) and any password will be accepted

    The default ftp user ID (usually root) with the default password (usually root1#) still exists


    2.2 Management of Network Element User IDs at the Switch Commander

    Providing access to the different NEs is based on internal user IDs which are used for an automatic login by the Switch Commander.

    All Switch Commander based security settings and settings for the internal user IDs are done from the application SC administration.

    To enable access authorizations at network elements, you create NE user IDs:

    To enable MML / DIALG connections to the classical EWSD components (CP) you create CP user authorizations with authorization for FTAM file transfer.

    To authorize file transfer via FTP between the SC operations system and SSNC based NE components (MP) you create FTP initiator IDs.

    To enable Q3 / CMISE communication between the SC operations system and SSNC based NE components (MP) you create application entity titles (AET - "APT + AEQ = AET") as MP initiators.

    WARNING For Q3 based internal user IDs you have to use the AEQ as NE user ID!

    The passwords of the NE user authorizations as you enter them in SC Administration are stored in encrypted form.

    Usually you create a set of user IDs for each network element according to your requirements. Access restrictions for these users can be created at the Switch Commander, using user groups, and at the different network elements, using the network element specific commands.

    Please note that all network element user IDs are assigned to a specific user group, not to a specific Switch Commander user.

    TOOLS

    SC Administration:

    File -> Administer NE User


    Fig. 8 SC Administration: Internal UserIDs

    TIP For the first connection to the MP we will use the default setting of the MP security database:

    A new MP database will accept any internal user ID (AET) and any password. This means we can enter any valid user ID in SC Administration. "Valid" means that the APT and the AEQ have already been created in the communication database.

    The real access restriction will be described later on.

    The security settings at the MP become active after the default access restriction has been switched off.


    2.3 Grant Network Element Access

    Before a user can execute a command at a network element, the user must be a member of a Switch Commander user group. This Switch Commander user group must also have this network element assigned. These tasks have to be done using the SC Administration tool.

    As with the modification of the membership of a Switch Commander user, there are different ways to open the Switch Commander user group properties.

    If you are going to create a new user group, you have the chance to specify whether the task tree of this user group should be "NE based" or "APS based".

    NE based task tree:

    In this case the network elements available for this user group appear in a tree structure. Every network element has got its own task tree.

    APS based user groups:

    In this case you have different task trees for different APS versions (software releases) but just one task tree for all network elements running on this software version. Each assigned task is available for all network elements running on the same APS version.

    The task tree type you choose for a new user group depends on the task trees the users are allowed to use. If these task trees are to differ between network elements, you must choose an NE based task tree.

    TOOLS

    SC Administration -> User Group -> Properties

    SC Administration -> User Group -> Create


    Fig. 9 SC Application "SC Administration"


    2.4 Communication Link Setup

    Select the network elements the users of the user group should have access to. The Switch Commander application reminds you not to forget to assign some tasks to the network element using . Click to proceed. The "NE Details" window appears.

    Here you have to select via which Communication Server you would like to access the network element. If possible you should always choose two, to guarantee redundancy. The values you can select depend on the kind of network (X.25 based, Q3 based) and on the values you entered during the communication database setup. A further precondition is that the network element user IDs have already been created using the tool "Administer NE user" explained above.

    Primary CS Communication Server usually used to access the network element, e.g. CS4210

    APT Application Process Title as entered during the communication database setup, e.g. {1 3 12 2 1107 3 0 2 2 1}

    AEQ Application Entity Qualifier as created using the "Administer NE user" tool, makes up the AET, so the initiator at the network element, together with the APT, e.g. 2

    Backup CS, should be used if more than one Communication Server is available.

    Using a different "Primary CS" for different user groups you can create a static load sharing: because every user group uses its "own" Communication Server to access the network element, the total load is shared over all Communication Servers.

    Selecting , you have to specify the link setting, i.e. via which link you would like to access the network element. The parameters you can specify were again generated during the communication database setup. You have to choose the parameters matching e.g. the AEQ you specified before. You need to do this twice, once for the "Primary CS" and once for the "Backup CS" - hopefully you have specified one.


    Fig. 10 Assign Communication Server to the user group (check the box or double click on the NE)

    Q3 Links

    Local Link: select the corresponding link description you entered before, i.e. the local communication database link of the Communication Server, entered using "SC NE Administration", CS

    Remote Link: select the corresponding link description you entered before, i.e. the remote communication database link to the network element, entered using "SC NE Administration", NE

    Double check the parameters shown in the description part of the window.

    Now you should be able to execute Q3 tasks at the MP!


    3 Access Restriction at SC Database

    Fig. 11


    3.1 Access Restriction at SC and NE

    Access restriction is realized in three steps:

    1. The user identification is done by the WinNT authorization concept.

    2. At the Switch Commander itself, the access restriction is done according to tasks (MML commands, Q3 script files, scenarios, ...).

    3. At the NE the access restriction is done according to MML commands at the CP and according to the Q3 standard at the MP


    Fig. 12 Access restriction at SC and NE: WinNT user ID + password -> NT user -> SC user -> SC user group (tasks) -> internal user IDs (AET for the MP, CP user ID for the CP). MP: Q3 security concept based on Q3 Managed Object Classes (MOCs) and the allowed actions (Q3 request types) on these MOCs. CP: CP user ID -> authorization -> authorization classes -> MML commands.


    3.2 Management of NT Users and User Groups

    The Switch Commander application uses the Windows NT security facilities to grant access to the system. Therefore every user must have his own Windows NT login name and password. It is the task of the NT administrator to provide the user IDs. Depending on the kind of Switch Commander (Client/Server or Single Machine), the Administrator has to use the User Manager for Domains or the normal User Manager.

    In a client/server environment you should start the User Manager at a Windows NT Server. The User Manager at a Windows NT Workstation is used to manage the local users and user groups only. If you intend to use a Workstation to manage the Domain, you should copy the executable from any server to your local machine, e.g.

    copy \\PDC4210\C\winnt\system32\Usmgr.exe C:\winnt\system32

    TOOLS

    Start the User Manager at a Windows NT Server system:

    Start -> Programs -> Administrative Tools (Common) -> User Manager


    Fig. 13 User Manager of the Domain: SCR4210


    A precondition for creating a new Switch Commander user is that the user has a valid Windows NT user account.

    Depending on the future tasks of the user, he should become a member of at least one of the following user groups:

    NT user group     SC User   SC Admin   Domain Admin
    Domain Admins                          X
    Domain Users      X         X          X
    SC1-SCAdmins                X
    SC1-SCUsers       X         X

    Using these NT user groups, access to directories and files as well as access to special applications - like the User Manager - is granted or restricted. As you can see, there is usually no need for a Domain Administrator to be a member of a Switch Commander NT user group.

    Additional users and user groups can be created/assigned for special tasks, like:

    Account Operators

    Backup Operators

    Server Operators

    If you want to create a new Switch Commander user, it might be easier to make a copy of the user profile of an existing Switch Commander user, e.g. use the default Switch Commander Administrator user ID "SCadmin" to create a new Switch Commander user.

    TOOLS

    Application: "User Manager"

    User -> Copy (F8)

    TIP Please note that the user groups mentioned above are "Global Windows NT user groups". The additionally mentioned user groups are "Local Windows NT user groups". A global user group can be a member of a local user group, but not the other way round.

    A newly created user ID is generated at the PDC; if you are using the BDC to check your login, you have to wait until the BDC database has been updated before the user ID can be used.


    Fig. 14 Properties of the user "Scop1"

    Fig. 15 Copy the existing user profile of the user "SCadmin"


    3.3 Management of Switch Commander Users and User Groups

    Special Switch Commander User Groups

    As the Windows NT Domain Administrator uses the "User Manager" to create new user IDs and assign user groups to these users, the Switch Commander Administrator has to assign these users to Switch Commander user groups. The difference is that these user groups do not grant/restrict access to certain directories, but to certain network elements and a certain command set at these network elements.

    Every user who wants to use the Switch Commander must be a member of at least one Switch Commander user group. A user who is not a member of any Switch Commander user group but starts a Switch Commander application directly will only get an error message.

    During the installation of the Switch Commander three SC user groups are automatically created.

    SC Administrators: Users who are members of this user group are Switch Commander administrators; therefore they can start the SC Administration application and modify the database.

    SC Security: All users of this user group receive security alarm messages and notifications and have the right to modify the passwords at the network elements manually after they have expired.

    SC Routing: These users receive notifications and alarm messages to update the alarm panel and to present them using the Switch Commander application Q3EPS (Q3 Event Presentation Service).

    TOOLS

    Start the Switch Commander Administration tool (SC Administration)

    Start -> Programs -> Switch Commander -> SC Administration


    Fig. 16 Error message of an unauthorized user id attempting to start a Switch Commander application

    Fig. 17 SC Administration application


    There are different ways to assign a Windows NT user id to a Switch Commander user group, especially if you are going to modify an existing configuration.

    via the properties of a Switch Commander user group

    via the properties of a Switch Commander user

    via the menu item add NT User

    via the menu item add NT User group

    The effect is always the same. Every member of a Switch Commander user group gets the same rights as the user group itself. Therefore all members of a Switch Commander user group can access the same network elements, are allowed to execute the same tasks at a specific network element and finally use the same set of network element user IDs to execute all these tasks.

    TOOLS

    Double click on an existing Switch Commander user group

    Double click on an existing Windows NT user group

    UserGroup -> Add NT User

    UserGroup -> Add NT User group


    Fig. 18 Switch Commander user groups - Windows NT user assignment

    Independent of the assignment to a specific Switch Commander user group, every user has his own profile. Via this profile the Switch Commander administrator is able to specify which Switch Commander applications a user is allowed to execute and which applications are not shown to the user.

    Because these settings are Windows NT user ID specific, they are only shown if you select a user first. You can use e.g. the Windows NT user properties to interrogate the current settings. The list of applications shown in the window depends on the applications installed at the File Server. All applications are shown in alphabetical order. For example:


    Fig. 19 SC User- Properties - possible Switch Commander applications


    SC Application: Description

    Alarm Console: Alarm window for free running text messages

    Alarm Surveillance: Online alarm surveillance of the network elements

    BMML: Grants the optional BMML input window at a classical network element when using the workbench

    DaRRT Upgrader

    Floor Plan Editor: Administrator tool to create site specific floor plans

    GPRS Tracer: Service tool for tracing

    Interactive Document Browser: Application to view the interactive online documentation using the Dynatext or the Acrobat Reader format

    Log Viewer: Tool to access the logging functions of the SC

    NE Layer Management: Administrator tool to adapt the communication database of the TCP/IP based network elements

    ODM: OEM Device Manager, used to access the OEM devices via a telnet session

    Panel Editor: Administrator tool to create and modify alarm panels

    Q3 Event Presentation Service: Application to receive Q3 notifications from the network element, additionally to interrogate network element logging files, and an easy interface to check the hardware status of different modules

    Scenario Upgrader: Upgrade tool to upgrade scenarios from a previous version

    Scenario Wizard: Graphical application to generate scenarios

    Task Analyzer: Application to verify the syntax of a task

    Task Browser: Tree based task browser used to start the workbench

    Trace Configuration: Service tool to activate software traces


    3.4 Managing Task Trees

    Independent of the network element user ID, the access rights to a specific network element are granted via the Switch Commander Administration tool. The access rights are granted to a specific Switch Commander user group, and therefore to all users who are members of this user group. Via the tasks the Administrator assigns to this user group, he can restrict access to a certain subset of tasks, e.g. only DISPlay tasks. Furthermore, the Administrator can generate his own task tree for all operators. Special network operator specific tasks can be added at any point of the task tree.

    It is the Administrator's duty to make sure that all tasks assigned to a Switch Commander user group correspond to the network element user ID assigned to that Switch Commander user group.

    TOOLS

    1. SC Administrator -> double click on a user group

    2. Select to activate the task wizard


    Fig. 20


    3.4.1 User Group Specific Task Trees

    The task management is done with Task Wizard, an application to easily assign tasks to a specific user group. Task Wizard supports the creation and management of task templates, which simplify the administrator's job. A task template is a convenient subset of tasks available for the purposes of a specific user group. You can create templates from the tasks provided by Siemens in reference folders and from global tasks.

    When you start the task wizard using the "Switch Commander User Group Properties", three windows are shown:

    Reference Window

    The reference tree (called Siemens Tree) as displayed in the "Reference" window shows the content of the installed task databases. A task database stores network element version specific data, that is, the tasks provided by Siemens for the operation of network elements (short name, long name, path and file name, help texts), the corresponding reference task tree, and the information needed for working with EMML (menu tree, command forms, help texts). A task database is specific to a network element version and language.

    The global task tree (called Imported Tasks) is displayed in the "Reference" window as well. It contains all new tasks that you imported for all installed NE versions. The global tasks are NE version independent.

    Template Window

    The template tree is displayed in the "Template" window. It contains all templates and folders you create. These tasks are associated with a single NE version.

    User Group Window

    The content of the user group window depends on the user group from which the task wizard was started. In the user group window all network elements assigned to the corresponding user group are presented.


    Fig. 21


    3.4.2 Task Wizard


    TOOLS

    To assign a task, a branch or the whole task tree, select the relevant part in the "Reference" window and drag and drop it onto the destination. Only tasks having the same network element version as the destination network element can be copied (e.g. GX7E8X26_3102).


    Fig. 22


    3.4.3 Generating Templates

    Using the task wizard it is possible to generate templates of tasks, branches or task trees to provide a predefined task set which can be copied to any existing or new user group. The assigned task can be a part of the template, of the reference tree, or any combination of them.

    You can create and edit task templates by dragging and dropping tasks from the Reference to the Template window. Usually, this operation is only allowed if source and destination network element version are identical. Task Wizard performs network element version compatibility checks, preventing you from dragging tasks meant for a certain network element version to the wrong network element version. The global tasks present in the Imported Tasks tree in the Reference window can be copied to any network element version in the Template window.

    TOOLS

    SC Administration -> File -> Invoke Task Wizard

    You can generate new templates and new folders to build up your own task tree which can be used for all user groups. Tasks and branches can be copied from one template to a second one, or from the "Reference -> Siemens Tree", as long as the network element version is the same. Imported tasks (global tasks) can be copied to any network element version without a version check. The Administrator must make sure that the task can actually be executed at the selected network element.


    Fig. 23 Invoke "Task Wizard" to generate templates


    3.4.4 Importing Global Tasks

    In the course "SC Operation" it is explained how to import so called "private tasks" to your personal task tree.

    Such private tasks can be, for example: scenarios, Q3 script files, MML command files, ...

    The Switch Commander system also provides the possibility for an SC Administrator to import a (global) task to the task tree assigned to an SC user group.


    Fig. 24 Import of Global Tasks

    The import of a global task has to be done in three steps:

    1. Copy the file to the "Global Task Files" folder: \\524sc91\SCBase\Databases\GlobalTaskFiles

    2. Start the import with the "Import Task" button at the SC Administration -> task wizard

    3. Specify the long and the short name of the task


    4 Access Restriction at the NE

    Fig. 25 Switch Commander and the managed network elements: MSC/VLR, HLR/AC, EIR, SGSN, GGSN, EWSD, UMSC (GSM, GPRS, UMTS and wireline networks)


    4.1 Management of Network Element User ID at the Switch Commander

    To enable access authorizations at network elements, you create NE user IDs:

    To enable dialog connections with EWSD Classic, you create CP user authorizations with authorization for FTNEA and FTAM file transfer.

    To authorize file transfer between the operations system and GPRS and STP network elements via FTP, you create FTP IDs.

    To enable Q3 connections with EWSD STP and PowerNode network elements, you create application entity qualifiers (AEQ) as MP user authorization.

    The passwords of the NE user authorizations as you enter them in SCR Administration are stored in encrypted form.

    Usually you create a set of user IDs for each network element according to your needs. Access right restrictions for these users can be created at the Switch Commander, using user groups, and at the different network elements, using the network element specific commands. Note that all network element user IDs are assigned to a specific user group, not to a specific Switch Commander user.

    TOOLS

    SC Administration:

    File -> Administer NE User

    Fig. 26 Creating NE user authorizations (NT user -> SC user and user group -> task group -> internal login at the network element, either with CP user ID + password or with an AET)


    Using this menu item the "NE User Administration" window appears. Here you get a list of the user IDs already created. You can use the following controls:

    Control Icon   Description
    Add            create an additional user ID
    Modify         modify the password of an existing user ID
    Delete         cancel a user ID
    Close          end the "NE User Administration" tool
    Help           get some help

    Use "Add" to create a new user:

    Parameter                  Value                    Description
    NE Name                    e.g. GSN1                Symbolic name of the network element as created before
    ID Groupings               e.g. MP                  Group of applications (protocols) used for the network element
    CS Name                    e.g. CS4210              Communication Server used for the user ID
    APT Name                   1 3 12 1107 3 0 2 2 1    Application Process Title for the network element (Q3 based NE only)
    NE User ID                 e.g. 2                   Application Entity Qualifier for MP, resp. user ID of a Classic network element
    Password                   e.g. 123                 Password, not shown during input
    Confirm Password           e.g. 123                 Password entered a second time, not shown during input
    CP, MP, FTP, FTAM, FTNEA   e.g. MP                  Application released for this user ID

    TIP User IDs for FTAM resp. FTNEA have to be created at the network element using the according APPLID (FTAM, NEABD).


    Fig. 27 Assigning a user to a network element


    4.2 Access Restriction for DIALG (MML) at CP

    Classic network elements like an MSC/VLR, HLR/AC or EIR, connected via X.25 and managed using MML commands, use user authorization classes to restrict access to a specific command set.

    There are 50 authorization classes. Of these, classes 2 through 49 are freely administrable. By default, authorization class 1 contains all MML commands and cannot be changed by the operator. Authorization class 50 contains the commands that can be used to maintain system operation at any time. To facilitate their use and establish a more comprehensible structure, authorization classes are grouped in authorizations (character string of max. 6 characters). Three of the possible maximum of 51 authorizations are permanently assigned: authorization 0 does not contain an authorization class, authorization 1 contains authorization class 1 for all commands, and the SYSAUT authorization contains authorization class 50. The remaining 48 authorizations are at the operator's disposal for entering freely definable authorizations.

    Exactly one authorization is assigned to every user ID. The user is allowed to execute all commands assigned to the authorization classes which the authorization contains.

    Fig. 28 Relationship authorization class, authorization and user id (example: AUTCL 2 contains CR LTG, CAN LTG, DISP LTG, STAT LTG, DIAG LTG, CONF LTG, MOD LTG, REC LTG, ...; AUTCL 3 contains DISP LTG, STAT LTG, DIAG LTG, CONF LTG, ...; AUTCL 49 contains DISP LTG, STAT LTG, ...; authorization ADMIN contains class 2, EXPERT contains classes 2 and 3, DSPUSR contains class 49; users A, B and C each hold one of these authorizations)


    Relevant MML commands:

    CR USERID
      USERID    symbolic name, e.g. scrusr#9
      AUT       authorization, e.g. 1
      APPLID    additional application, e.g. NEABD
      SCOPE     REMOTE for Switch Commander
      CRYPTPW   cryptic password, left blank
      PERMIT    usually NONE
      HLRID     usually used for Subscriber Administration only

    ENTR AUTCL
      AUTCL     authorization class, e.g. 40
      CMDCOD    commands assigned to the authorization class, e.g. STATSN&STATMB

    ENTR AUT
      AUT       symbolic name of the authorization, e.g. SCRAUT
      AUTCL     authorization classes, e.g. 40&41


    Creation of CP User IDs

    CRUSERID: USERID=SCRUSR#9, AUT=1, APPLID=FTA, SCOPE=REMOTE;

    ENTRAUTCL: AUTCL=40,CMDCOD=STATSN&STATMB;

    ENTRAUTCL: AUTCL=41, CMDCOD=DISPTIME&STATSSP;

    ENTRAUT: AUT=SCRAUT, AUTCL=40&41;

    MODUSERID: USERID=SCRUSR#9, AUT=SCRAUT, OAUT=1;

    To see the result:

    DISPUSERID:USERID=SCRUSR#9;

    MSC5/SMTESTEXCH/D2MMPK1V16031298/113 00-08-18 12:20:36

    3158 SC SCRUSR#1 2970/06300

    DISPUSERID:USERID=SCRUSR#9; EXEC'D

    TABLE OF USER-IDENTIFICATIONS:

    USERID STATE APPLID SCOPE AUT AUTHORIZATION CLASS

    ---------+-------+-------+-------+-------+------------------------------

    SCRUSR#9 UNLOCK NEABD REMOTE SCRAUT 40& 41

    END JOB 3158

    Fig. 29 Creation of CP userID
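To make the CP authorization chain (user ID -> authorization -> authorization classes -> command codes) tangible, here is an added Python model that parses the MML lines of Fig. 29 and answers whether a user ID may execute a given command code. It is example code written for this page, not Siemens software; the parser, the `ALL_COMMANDS` marker for class 1 and the empty command set for class 50 (the page does not list its commands) are assumptions.

```python
"""Model of the EWSD CP authorization chain described in section 4.2:
user ID -> authorization (AUT) -> authorization classes (AUTCL) -> MML
command codes (CMDCOD). Added example, not Siemens code."""
import re

ALL_COMMANDS = "*"        # marker (assumption): class 1 holds every MML command
FIXED_CLASSES = {1, 50}   # not administrable by the operator (section 4.2)
FIXED_AUTS = {"0", "1", "SYSAUT"}


class CpAuthorizationDb:
    def __init__(self):
        # class 1 = all commands; class 50 = system maintenance commands
        # (not listed on the page, so the set stays empty here)
        self.autcl = {1: {ALL_COMMANDS}, 50: set()}
        self.aut = {"0": set(), "1": {1}, "SYSAUT": {50}}
        self.users = {}   # USERID -> parameters given with CR USERID

    @staticmethod
    def _parse(line):
        """Split 'CMD: KEY=VAL, KEY=VAL;' into (CMD, {KEY: VAL})."""
        m = re.fullmatch(r"\s*([A-Z]+)\s*:\s*(.*?)\s*;\s*", line)
        if not m:
            raise ValueError(f"not an MML command: {line!r}")
        params = {}
        for item in m.group(2).split(","):
            key, _, value = item.strip().partition("=")
            params[key.strip().upper()] = value.strip().upper()
        return m.group(1), params

    def apply(self, line):
        cmd, p = self._parse(line)
        if cmd == "ENTRAUTCL":
            cl = int(p["AUTCL"])
            if cl in FIXED_CLASSES or not 2 <= cl <= 49:
                raise ValueError(f"AUTCL {cl} is not administrable")
            self.autcl.setdefault(cl, set()).update(p["CMDCOD"].split("&"))
        elif cmd == "ENTRAUT":
            name = p["AUT"]
            if name in FIXED_AUTS or len(name) > 6:
                raise ValueError(f"AUT {name} is fixed or longer than 6 characters")
            classes = {int(c) for c in p["AUTCL"].split("&")}
            missing = classes - set(self.autcl)
            if missing:
                raise ValueError(f"unknown authorization classes {sorted(missing)}")
            self.aut[name] = classes
        elif cmd == "CRUSERID":
            if p["AUT"] not in self.aut:
                raise ValueError(f"unknown authorization {p['AUT']}")
            self.users[p["USERID"]] = p
        elif cmd == "MODUSERID":
            user = self.users[p["USERID"]]
            if user["AUT"] != p["OAUT"]:   # OAUT names the old authorization
                raise ValueError("OAUT does not match the current authorization")
            if p["AUT"] not in self.aut:
                raise ValueError(f"unknown authorization {p['AUT']}")
            user["AUT"] = p["AUT"]
        else:
            raise ValueError(f"unsupported command {cmd}")

    def may_execute(self, userid, cmdcod):
        """True if one of the user's authorization classes grants CMDCOD."""
        classes = self.aut[self.users[userid]["AUT"]]
        return any(ALL_COMMANDS in self.autcl[c] or cmdcod.upper() in self.autcl[c]
                   for c in classes)


# The command sequence shown in Fig. 29 of the manual.
FIG29_SEQUENCE = [
    "CRUSERID: USERID=SCRUSR#9, AUT=1, APPLID=FTA, SCOPE=REMOTE;",
    "ENTRAUTCL: AUTCL=40,CMDCOD=STATSN&STATMB;",
    "ENTRAUTCL: AUTCL=41, CMDCOD=DISPTIME&STATSSP;",
    "ENTRAUT: AUT=SCRAUT, AUTCL=40&41;",
    "MODUSERID: USERID=SCRUSR#9, AUT=SCRAUT, OAUT=1;",
]


def build_fig29_db():
    db = CpAuthorizationDb()
    for line in FIG29_SEQUENCE:
        db.apply(line)
    return db


if __name__ == "__main__":
    db = build_fig29_db()
    for cmd in ("STATSN", "DISPTIME", "CRLTG"):
        print(f"SCRUSR#9 may execute {cmd}: {db.may_execute('SCRUSR#9', cmd)}")
```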


    4.3 Access Restriction for Q3 at MP

    As with the MML based network elements, a network element based user restriction also exists at the Q3 based network elements.

    At these network elements there are no user IDs but so called initiators. Every initiator is identified by its AET (Application Entity Title). The AET consists of the APT (Application Process Title) and the AEQ (Application Entity Qualifier).

    The access control function administers access rights on the basis of rules, initiator groups and target groups. An initiator group is a number of initiators (AETs), while a target group defines a number of object classes/object model branches and operations. A rule defines the access rights of an initiator group to a target group. In other words, it determines which types of access (operations on one or more object classes/object model branches) may be executed by an initiator.

    At the Q3 based network elements a user is identified via its AET. This AET must have a corresponding initiator (INI) at the network element. To ease the restriction settings, these initiators are combined in initiator groups (ACINIGRP). On the other hand you generate target groups (ACTARGRP) specifying parts of the management base (object classes) and the access rights. Finally you have to generate the connections between these groups (initiator groups and target groups) using rules. Using allow rules you specify which commands are granted to the user; using deny rules you restrict the access.

    Fig. 30 User groups, target groups and rules at the Q3 based network elements (initiators are collected in the access control initiator groups Admins and Operator; the access control target groups All Commands, Op Commands and GETLIC each list object classes; rules connect the initiator groups to the target groups)


    4.3.1 Initiators and Initiator Groups

    Relevant Task:

    CR INI (Create Initiator)
      Initiator              AET of the initiator, e.g. 1 3 12 2 1107 3 0 2 2 1 2
      Initiator Name         symbolic name of the initiator, e.g. OPERATOR
      Password type
        Replay Protected PW  password protected against malicious reuse
        Simple PW            simple password string, like test#1
        No PW                no password necessary for the initiator
      Password               if used, password string, e.g. test#1
      Verify password        second entry to verify the input
      Accept time range      time range within which replay protected passwords are accepted
      Start time, Stop time, Daily intervals, Weekly intervals
                             time period during which the initiator is granted access to the system

    CR ACINIGRP (Create Access Control Initiator Group)
      Initiator Group        symbolic name, e.g. SECURITYGRP
      AET list               list of initiators, e.g.
                             1 3 12 2 1107 3 0 2 2 1 2
                             1 3 12 2 1107 3 0 2 2 1 3
                             1 3 12 2 1107 3 0 2 2 1 4

    TIP Replay protected authentication can be used if the Q3 based network element has to be accessed via an insecure network. Traced or snooped authentication sequences cannot be reused for an unauthorized login, because the lifetime of the password is set to 5 minutes only, by default. During this period the connection is already in use by the authorized Switch Commander system.

    GSN1/GX7E8X26_3102 2000-08-21 11:46:32
    3-24996 CS4210/Administrator
    DISPACINIGRP; STARTED
    Initiator group | AET list
    ================================================================================
    "SCRGROUP" | { 1 3 12 2 1107 3 0 2 2 1 54 }
    --------------------------------------------------------------------------------
    "INIGROUP3" | { 1 3 12 2 1107 3 0 2 2 1 3 }
    DISP ACINIGRP executed
    ENDJOB

    CRACINIGRP: Initiator group=SECURITYGRP,
    AET list={ { iso identified-organization ecma(12)
    member-company(2) siemens-units(1107) oen(3)
    0 2 2 1 99 },{ iso identified-organization ecma(12)
    member-company(2) siemens-units(1107) oen(3)
    0 2 2 1 2 } }; STARTED
    Initiator group | AET list
    ================================================================================
    "SECURITYGRP" | { 1 3 12 2 1107 3 0 2 2 1 99 },
    | { 1 3 12 2 1107 3 0 2 2 1 2 }
    CR ACINIGRP executed
    ENDJOB

    Fig. 31 Interrogating and creating access control initiator groups

    Fig. 32 Replay protected password (the Communication Server on the LAN reaches the MP over an insecure Internet connection, where the authentication sequence could be snooped and replayed)


    4.3.2 Target Groups

    A target group is defined via a number of object classes (e.g. LIC, ALI, MP) resp. object model branches and the corresponding operations. Using a target group you define a certain subset of the network element tasks which can later be assigned to an initiator group using rules.

    Relevant Tasks:

    CR ACTARGRP (Create Access Control Target Group)
      Target group         symbolic name of the group, e.g. OPGRP1
      Ref. target group    symbolic name of a reference group whose object classes and operations are taken instead of own settings (kind of template), e.g. REFGRP1
      Object class list
        Size               number of object classes to be added to the group, e.g. 2
        Detail             object class / branch in the object model
        Scope              scope of the object classes/object model branches
          Standard
          Base Object      base object class only, no subtree
          First Level      first level subordinate to the base object class
          Whole subtree    base object class and all subordinate object classes
          Level n          n-th level subordinate to the base object class
          Base to level n  base object class and all object classes down to level n
      Operation list       list of allowed operations on these object class(es)
        M-ACTION           possible values Enabled or Disabled
        M-CREATE           possible values Enabled or Disabled
        M-DELETE           possible values Enabled or Disabled
        M-GET              possible values Enabled or Disabled
        M-SET              possible values Enabled or Disabled

    Fig. 33 Example branch of the object model, selection window (an object class with its subordinate object classes on the first, second and third level)


    4.3.3 Rules

    A rule defines the access rights of an initiator group to a target group. In other words, it determines which types of access - operations on one or more object classes/object model branches - may be executed by an initiator. Initiators as well as target groups can be subject to a number of rules.

    The following rule types exist:

    Allow rule    authorizes access to objects defined via the target group, provided no deny rule exists
    Deny rule     rejects any attempted access to objects defined via the target group
    Abort rule    aborts the link to the initiator when access is attempted
    Global rule   independent of a target group, a global rule defines the access rights or restrictions of a given initiator
    Common rule   independent of an initiator, a common rule defines the access rights to a particular target group

    Relevant Tasks:

    CR ACRULE (Create Access Control Rule)
      Rule               symbolic name of the rule, e.g. DENYRULE1
      Rule Type          kind of rule you are going to create
        Allow            allow rule
        Deny             deny rule
        Abort            abort rule
      Initiator Group    symbolic name of the initiator group, e.g. OPERATOR; without a value, a common rule is created
      Target group       symbolic name of the target group, e.g. OPGRP1; without a value, a global rule is created
      Start time, Stop time, Daily intervals, Weekly intervals
                         time period during which the rule is valid

    CR ACRULE:RULE=GLOBAL1,RULE TYPE=Allow,Initiator Group=Admins;                       (global rule)
    CR ACRULE:RULE=ALLOW1,RULE TYPE=Allow,Initiator Group=Admins,Target Group=ADMGRP1;   (allow rule)
    CR ACRULE:RULE=COMMON1,RULE TYPE=Allow,Target Group=COMGRP1;                         (common rule)

    Fig. 34 Different rules at Q3 based network elements (initiator group Admins, access control target groups ADMGRP1 and COMGRP1)


    4.3.4 Global Access Parameters and Settings

    There are some standard settings, e.g. for the authentication of unknown initiators or the standard access rights. By default, these standard settings are set to "Allow" for initiators and for the execution of all tasks. These global parameters influence the tasks described above. Because these settings are global, their values overrule the individual settings. To activate authentication or access control, the global definitions must be switched off.

    Relevant Tasks:

    MOD AUTHDEF (Modify Authentication Defaults)
      defaultAuth          how to react on a connection attempt of an unknown initiator
        allow              access to the system is allowed
        abortAssociation   abort the Q3 association request
        denyWithResponse   reject the Q3 association request
      denialResp           how to react on a connection attempt if the authentication fails
        abortAssociation   abort the Q3 association request
        denyWithResponse   reject the Q3 association request

    WARNING Be extremely careful when switching off global allow rights. If there is no valid allow rule for an initiator granting you access to the security tasks, there is no way to switch them on again. Generate at least one backup generation beforehand to have the chance to fall back.

    GSN1/GX7E8X26_3102 2000-08-22 09:55:14
    3-26190 CS4210/Administrator
    DISPAUTHDEF; STARTED
    Default authent. | Allow
    Denial response | Deny with response
    DISP AUTHDEF executed
    ENDJOB

    MODACCFG:Default access={ M-ACTION Deny,
    M-CREATE Deny,
    M-DELETE Deny,
    M-GET Deny,
    M-SET Deny },
    Denial response=Deny,Rule restriction=grantRules; STARTED
    Default access | M-ACTION: Deny
    | M-CREATE: Deny
    | M-DELETE: Deny
    | M-GET : Deny
    | M-SET : Deny
    Denial response | Deny
    Access Control Config. | Error
    =================================================================================
    - | Operation not allowed or not possible
    MOD ACCFG partly executed
    ENDJOB

    Fig. 35 Example tasks to modify default authentication


    Relevant Tasks:

    MOD ACCFG (Modify Access Control Configuration)
      Default Access       parameter defines the default access rights for the different Q3 operations
        M-ACTION, M-CREATE, M-DELETE, M-GET, M-SET
                           each with one of the values Deny, denyWithOutResponse, Abort, denyWithFailureResponse, Allow
      Denial Response      parameter defines the response to a Q3 request which is rejected due to missing "default access" rights
        Deny               deny, sending the Q3 response "Access Denied"
        Abort              abort the Q3 association
      Sec. administrator   parameter defines the AET of the security administrator, which can be used after system recovery
      Rule restriction     which kind of rules are used - it might make individual settings easier to use, e.g. only deny rules
        Deny rules         only rules of the type deny/abort are supported
        Allow rules        only rules of the type allow are supported
        All rules          all rule types are supported

    WARNING Remember the warning above and be careful when modifying global settings. Double check your security database. Verify your rules, e.g. for the M-GET operation only.
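The following added Python model ties sections 4.3.1 to 4.3.4 together: initiator groups, target groups, allow/deny/abort rules (common or global) and the global AUTHDEF/ACCFG defaults, evaluated for one Q3 request. It is example code for this page, not Siemens software; the evaluation order (unknown initiator handled by defaultAuth first, a global default of Allow overruling the rules as section 4.3.4 states, then abort over deny over allow, then the denial response) and the constructed AETs, group names and object classes are assumptions.

```python
"""Model of the MP access control decision (sections 4.3.1-4.3.4).
Added example, not Siemens code; evaluation order is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

AET = Tuple[int, ...]   # e.g. (1, 3, 12, 2, 1107, 3, 0, 2, 2, 1, 2)
OPERATIONS = ("M-ACTION", "M-CREATE", "M-DELETE", "M-GET", "M-SET")


@dataclass(frozen=True)
class TargetGroup:                      # CR ACTARGRP
    name: str
    object_classes: FrozenSet[str]
    operations: FrozenSet[str]          # operations set to Enabled


@dataclass(frozen=True)
class Rule:                             # CR ACRULE
    name: str
    rule_type: str                      # "Allow", "Deny" or "Abort"
    initiator_group: Optional[str] = None   # None -> common rule
    target_group: Optional[str] = None      # None -> global rule


@dataclass
class AccessControl:
    initiators: Set[AET]                    # CR INI
    initiator_groups: Dict[str, Set[AET]]   # CR ACINIGRP
    target_groups: Dict[str, TargetGroup]
    rules: List[Rule]
    # MOD ACCFG defaults; the factory default is Allow for every operation
    default_access: Dict[str, str] = field(
        default_factory=lambda: {op: "Allow" for op in OPERATIONS})
    denial_response: str = "Deny"           # "Deny" or "Abort"
    rule_restriction: str = "All rules"     # "Deny rules", "Allow rules", "All rules"
    default_auth: str = "allow"             # MOD AUTHDEF defaultAuth for unknown AETs

    def _rule_applies(self, rule, groups, operation, object_class):
        if rule.initiator_group is not None and rule.initiator_group not in groups:
            return False
        if rule.target_group is None:       # global rule: every object and operation
            return True
        tg = self.target_groups[rule.target_group]
        return object_class in tg.object_classes and operation in tg.operations

    def decide(self, aet, operation, object_class):
        """Return 'ALLOW', 'DENY' or 'ABORT' for one Q3 request."""
        # 1. Unknown initiator: the AUTHDEF default decides (4.3.4)
        if aet not in self.initiators:
            return {"allow": "ALLOW", "abortAssociation": "ABORT",
                    "denyWithResponse": "DENY"}[self.default_auth]
        # 2. A global default of Allow overrules the individual rules (4.3.4)
        if self.default_access[operation] == "Allow":
            return "ALLOW"
        groups = {n for n, members in self.initiator_groups.items() if aet in members}
        # 3. Rule restriction decides which rule types are honoured at all
        honoured = {"Deny rules": {"Deny", "Abort"}, "Allow rules": {"Allow"},
                    "All rules": {"Allow", "Deny", "Abort"}}[self.rule_restriction]
        types = {r.rule_type for r in self.rules
                 if r.rule_type in honoured
                 and self._rule_applies(r, groups, operation, object_class)}
        # 4. Abort and deny win: an allow rule counts only
        #    "provided no deny rule exists" (4.3.3)
        if "Abort" in types:
            return "ABORT"
        if "Deny" in types:
            return "DENY"
        if "Allow" in types:
            return "ALLOW"
        # 5. No rule matched: default access denies, the denial response says how
        return "ABORT" if self.denial_response == "Abort" else "DENY"


def example_config():
    """Constructed sample in the spirit of Fig. 30/34: Admins get everything via
    a global rule, Operator may M-GET on LIC/ALI but is denied the GETLIC group."""
    admin = (1, 3, 12, 2, 1107, 3, 0, 2, 2, 1, 99)      # constructed AETs
    operator = (1, 3, 12, 2, 1107, 3, 0, 2, 2, 1, 2)
    ac = AccessControl(
        initiators={admin, operator},
        initiator_groups={"Admins": {admin}, "Operator": {operator}},
        target_groups={
            "OPGRP1": TargetGroup("OPGRP1", frozenset({"LIC", "ALI"}), frozenset({"M-GET"})),
            "GETLIC": TargetGroup("GETLIC", frozenset({"LIC"}), frozenset({"M-ACTION", "M-GET"})),
        },
        rules=[
            Rule("GLOBAL1", "Allow", initiator_group="Admins"),
            Rule("ALLOW1", "Allow", initiator_group="Operator", target_group="OPGRP1"),
            Rule("DENYRULE1", "Deny", initiator_group="Operator", target_group="GETLIC"),
        ],
        default_auth="denyWithResponse",
    )
    # The rules only take effect once the global Allow defaults are switched off
    ac.default_access = {op: "Deny" for op in OPERATIONS}
    return ac, admin, operator


if __name__ == "__main__":
    ac, admin, operator = example_config()
    print("admin M-DELETE MP  :", ac.decide(admin, "M-DELETE", "MP"))
    print("operator M-GET ALI :", ac.decide(operator, "M-GET", "ALI"))
    print("operator M-GET LIC :", ac.decide(operator, "M-GET", "LIC"))
```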


    GSN1/GX7E8X26_3102 2000-08-22 10:33:20

    3-26192 CS4210/Administrator

    DISPACCFG; STARTED

    Default access | M-ACTION: Allow

    | M-CREATE: Allow

    | M-DELETE: Allow

    | M-GET : Allow

    | M-SET : Allow

    Denial response | Deny

    Rule restriction | All rules

    Sec. administrator | { 1 3 12 2 1107 3 0 2 2 1 99 }

    DISP ACCFG executed

    ENDJOB

    MODACCFG:Default access={ M-ACTION Allow, M-CREATE A

    llow, M-DELETE Allow, M-GET Deny, M-SET Al

    low },Denial response=Deny; STARTED

    Default access | M-ACTION: Allow

    | M-CREATE: Allow

    | M-DELETE: Allow

    | M-GET : Deny

    | M-SET : Allow

    Denial response | Deny

    MOD ACCFG executed

    ENDJOB

    DISPACCFG; STARTED

    Access Control Config. | Error

    =======================================================================================

    - | Operation not allowed or not possible

    Access Control Config. | Error

    =======================================================================================

    - | Operation not allowed or not possible

    DISP ACCFG not executed

    ENDJOB

    Fig. 36 Example for the task DISP, MOD ACCFG

    Fig. 37 File transfer to the CP and to the MP via TCP/IP (FTP and FTAM)

    For file transfer to the MP usually FTP via TCP/IP is used. If FTP file transfer to the MP has been configured, it is automatically possible to do FTP file transfer to the CP.


    4.5 File Transfer Security Management at CP

    At the CP the authorization to do file transfer is related to the CP user IDs.

    Relevant MML commands:

    DISP USERID
      USERID    symbolic name of the user ID, e.g. SCRUSR#1; X represents all possible user IDs

    CR USERID
      USERID    symbolic name, e.g. scrusr#9
      AUT       authorization, e.g. 1
      APPLID    additional application for file transfer, e.g. NEABD
        NEABD   for NEAB file transfer in both directions
        FTAMR   for FTAM file transfer, OS initiated only
      SCOPE     REMOTE for Switch Commander
      CRYPTPW   cryptic password, left blank
      PERMIT    usually NONE
      HLRID     usually used for Subscriber Administration only


    MSC5/SMTESTEXCH/D2MMPK1V16031298/414 00-08-22 11:26:29

    4074 SC SCRUSR#1 2970/06300

    DISPUSERID:USERID=SCRUSR#1; EXEC'D

    TABLE OF USER-IDENTIFICATIONS:

    USERID STATE APPLID SCOPE AUT AUTHORIZATION CLASS

    ---------+-------+-------+-------+-------+------------------------------

    SCRUSR#1 UNLOCK NEABD REMOTE 1 1

    END JOB 4074

    MSC5/SMTESTEXCH/D2MMPK1V16031298/414 00-08-22 11:31:00

    4134 SC SCRUSR#1 2966/00007

    CRUSERID:USERID=SCRUSR#8,AUT=1,APPLID=NEABD,SCOPE=REMOTE; EXEC'D

    END JOB 4134

    Fig. 38 Display and create user id


    4.6 File Transfer Security Management at MP

    At the Q3 based network elements the standardized file transfer protocol FTP is used. Because of this, a user ID which has the right to open an FTP session must be created at the network element.

    CR FSRULE:RULE=GLOBAL1,RULE TYPE=Allow,Initiator Group=Admins;                     (global rule)
    CR FSRULE:RULE=ALLOW1,RULE TYPE=Allow,Initiator Group=Admins,File Group=ADMGRP1;   (allow rule)
    CR FSRULE:RULE=COMMON1,RULE TYPE=Allow,File Group=COMGRP1;                         (common rule)

    Fig. 39 File security rules: file transfer initiators (FT INI) are collected in a file security initiator group, file security file groups (ADMGRP1, COMGRP1) define the files, and global, allow and common rules connect them


    File Transfer Initiator

    Analogous to the CR INI task for Q3 sessions, there is a CR FTINI task to generate file transfer accounts.

    Relevant tasks for file transfer accounts:

    CR FTINI (Create File Transfer Initiator)
      User identity          symbolic name of the file transfer user
      Password type
        Replay protected PW  password protected against malicious reuse
        Simple PW            simple password string
      Password               password string, e.g. ftppw#1
      Verify Password        second entry to verify the input
      ftType                 application used
        All                  all applications allowed
        FTAM                 only FTAM application allowed
        FTNEA                only FTNEA application allowed
        FTP                  only FTP application allowed
      Accept time range      time range within which replay protected passwords are accepted
      Start time, Stop time, Daily intervals, Weekly intervals
                             time period during which the file transfer account is valid


    GSN1/GX7E8X26_3102 2000-08-22 11:50:33   3-26197 CS4210/Administrator

    CRFTINI:User identity=ftusr1,Password type=Simple PW,Password=*******,Verify password=*******,ftType={ FTP }; STARTED

    User identity      | ftusr1
    Password type      | Simple PW
    File transfer type | FTP
    Accept time range  | -
    Availability       | -

    CR FTINI executed
    ENDJOB

    DISPFTINI; STARTED

    User identity | Password type | File transfer type | Accept time | Availability
    =============================================================================
    root          | Simple PW     | All                | -           | -
    -----------------------------------------------------------------------------
    ftusr1        | Simple PW     | FTP                | -           | -

    DISP FTINI executed
    ENDJOB

    Fig. 40 File transfer accounts


    4.6.1 File Access Security Mechanism at Q3 based Network Elements

    As already explained for the Q3 communication, the same mechanism exists for file access security.

    Again, the previously created file transfer user IDs, the so-called initiators, are grouped into file security initiator groups (FSINIGRP). These groups are mapped to file security file groups (FSFGRP) by means of rules. A file group is defined by specifying up to twenty (fully or partially qualified) file names; in addition, an operations list specifies the file operations for this file group. Finally, a rule applied to the file group determines whether or not these operations are permitted.

    For protocols other than FTP it is also possible to specify a password for each operation (file security file group password, FSFGRPPW); this only makes sense in combination with allow rules.

    Relevant Tasks:

    CR FSINIGRP (Create File Security Initiator Group)
      Initiator group    symbolic name of the file security initiator group
      Initiator list     file transfer users (initiators)
        Size               number of file transfer users (initiators)
        Detail             file transfer user, e.g. ftusr1
        Detail             file transfer user, e.g. ftusr2


    Relevant Tasks (continued):

    CR FSFGRP (Create File Security File Group)
      File group         symbolic name of the file security file group
      File list          relevant files
        Size               number of files (max 20)
        File on MP/CP      file location
        Detail             file name (also partially qualified)
      Operations list    allowed file operations
        Size               number of operations
        Create             create file operation
        Delete             delete file operation
        Read               read file operation
        Write              write file operation
        Read attributes    read file attributes

    CR FSRULE (Create File Security Rule)
      Rule               symbolic name of the rule, e.g. FSALLOW1
      Rule Type          kind of rule you are going to create
        Allow              allow rule
        Deny               deny rule
      Initiator Group    symbolic name of the file security initiator group, e.g. FSOPS1;
                         without a value, a common rule is created
      File group         symbolic name of the file group, e.g. FSGRP1;
                         without a value, a global rule is created
      Start time
      Stop time
      Daily intervals
      Weekly intervals   time period during which the rule is valid


    GSN1/GX7E8X26_3102 2000-08-22 13:48:06   3-26205 CS4210/Administrator

    CRFSINIGRP:Initiator group=FTUSERS,Initiator list={ "ftusr1", "ftusr2" }; STARTED

    Initiator group | Initiator list
    ==========================================================================================
    FTUSERS         | ftusr1 ftusr2

    CR FSINIGRP executed
    ENDJOB

    CRFSFGRP:File group=FTUSERS1,File list={ File on MP : "\NET.CONFIG" },
    Operations list={ { Operation Create }, { Operation Delete }, { Operation Read }, }; STARTED

    CR FSFGRP executed
    ENDJOB

    DISPFSFGRP; STARTED

    File group | File list               | Operations list | Password
    ========================================================================================================
    FTUSERS1   | File on MP : NET.CONFIG | Create          | No
               |                         | Delete          | No
               |                         | Read            | No

    DISP FSFGRP executed
    ENDJOB

    CRFSRULE:Rule=NETCONFIG,Rule type=Deny,Initiator group=FTUSERS,File group=FTUSERS1; STARTED

    Rule      | Rule type | Initiator group | File group | Availability
              |           |                 |            | status
    =============================================================================
    NETCONFIG | Deny      | FTUSERS         | FTUSERS1   | -

    CR FSRULE executed
    ENDJOB

    Fig. 41 File security tasks, examples


    As for Q3 authentication, there are some global settings for File Transfer Security Management. By default no restriction is switched on: every user with a valid file transfer account has access to all files.

    Relevant Tasks:

    MOD FSCFG (Create File Security Configuration)
      Default access     default access right to the files on MP, set per operation
        Create             Allow or Deny
        Delete             Allow or Deny
        Read               Allow or Deny
        Write              Allow or Deny
        Read attributes    Allow or Deny
      Rule restriction   possible rule types
        grantRules         only allow rules
        denyRules          only deny rules
        denyAndGrantRules  both rule types are allowed

    GSN1/GX7E8X26_3102 2000-08-23 07:06:51   3-26249 CS4210/Administrator

    DISPFSCFG; STARTED

    Default access          | Rule restriction
    ===============================================
    Create           Allow  | All rules
    Delete           Allow  |
    Read             Allow  |
    Write            Allow  |
    Read attributes  Allow  |

    DISP FSCFG executed
    ENDJOB

    Fig. 42 File security global configuration


    GSN1/GX7E8X26_3102 2000-08-23 07:14:01   3-26253 CS4210/Administrator

    MODFSCFG:Default access={ Create Allow, Delete Allow, Read Deny, Write Allow, Read attributes Allow }; STARTED

    Default access          | Rule restriction
    ===============================================
    Create           Allow  | -
    Delete           Allow  |
    Read             Deny   |
    Write            Allow  |
    Read attributes  Allow  |

    MOD FSCFG executed
    ENDJOB

    Fig. 43 Read access restricted
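    The complete file access decision described in 4.6.1 (initiator groups, file groups, allow and deny rules) together with the global settings (default access, rule restriction), as one added Python model that rebuilds the Fig. 41 configuration and the Fig. 43 change. This is example code, not Siemens code and not the network element's implementation. The page does not state how the pieces combine, so the following are assumptions (marked in the code as well): a partially qualified file name matches as a case-insensitive prefix, a common rule (no initiator group) applies to every initiator, a global rule (no file group) applies to every file and operation, a matching deny rule wins over a matching allow rule, and the default access decides only when no rule matches. The class, method and helper names are invented for the example.

```python
"""Model of the file access decision on a Q3-based NE: default access per
operation (MOD FSCFG), file security initiator groups (CR FSINIGRP), file
groups (CR FSFGRP) and allow/deny rules (CR FSRULE).

Added example, not Siemens code. Assumptions: prefix matching for partially
qualified names, common rule = every initiator, global rule = every file and
operation, deny wins over allow, default access applies when no rule matches."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

OPERATIONS = ("Create", "Delete", "Read", "Write", "Read attributes")


@dataclass
class FileGroup:
    """CR FSFGRP: up to 20 file names plus the operations the group covers."""
    name: str
    files: List[str]        # fully or partially qualified names on the MP, e.g. "\\NET.CONFIG"
    operations: Set[str]

    def __post_init__(self) -> None:
        if not 1 <= len(self.files) <= 20:
            raise ValueError("a file group holds between 1 and 20 file names")
        unknown = self.operations - set(OPERATIONS)
        if unknown:
            raise ValueError(f"unknown operations: {unknown}")

    def covers(self, path: str, operation: str) -> bool:
        # Assumption: a partially qualified name matches as a case-insensitive prefix.
        if operation not in self.operations:
            return False
        return any(path.upper().startswith(f.upper()) for f in self.files)


@dataclass
class Rule:
    """CR FSRULE: initiator_group=None gives a common rule, file_group=None a global rule."""
    name: str
    rule_type: str                       # "Allow" or "Deny"
    initiator_group: Optional[str] = None
    file_group: Optional[str] = None


@dataclass
class FileSecurity:
    """File security state of one NE: MOD FSCFG settings plus groups and rules."""
    default_access: Dict[str, str] = field(
        default_factory=lambda: {op: "Allow" for op in OPERATIONS})
    rule_restriction: str = "denyAndGrantRules"   # or "grantRules" / "denyRules"
    initiator_groups: Dict[str, Set[str]] = field(default_factory=dict)
    file_groups: Dict[str, FileGroup] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)

    def cr_fsinigrp(self, name: str, initiators: Set[str]) -> None:
        self.initiator_groups[name] = set(initiators)

    def cr_fsfgrp(self, group: FileGroup) -> None:
        self.file_groups[group.name] = group

    def cr_fsrule(self, rule: Rule) -> None:
        # The rule restriction (MOD FSCFG) decides which rule types may exist at all.
        if self.rule_restriction == "grantRules" and rule.rule_type != "Allow":
            raise ValueError("rule restriction grantRules: only allow rules permitted")
        if self.rule_restriction == "denyRules" and rule.rule_type != "Deny":
            raise ValueError("rule restriction denyRules: only deny rules permitted")
        for ref, table in ((rule.initiator_group, self.initiator_groups),
                           (rule.file_group, self.file_groups)):
            if ref is not None and ref not in table:
                raise KeyError(f"unknown group {ref!r}")
        self.rules.append(rule)

    def _matches(self, rule: Rule, user: str, path: str, operation: str) -> bool:
        if (rule.initiator_group is not None
                and user not in self.initiator_groups[rule.initiator_group]):
            return False
        if (rule.file_group is not None
                and not self.file_groups[rule.file_group].covers(path, operation)):
            return False
        return True   # assumption: a global rule covers every file and operation

    def decide(self, user: str, path: str, operation: str) -> Tuple[str, str]:
        """Return (decision, reason). Assumption: deny beats allow, default decides last."""
        matching = [r for r in self.rules if self._matches(r, user, path, operation)]
        for wanted in ("Deny", "Allow"):
            for r in matching:
                if r.rule_type == wanted:
                    return wanted, f"rule {r.name}"
        return self.default_access[operation], "default access"


def fig41_setup() -> FileSecurity:
    """Rebuild the configuration entered in Fig. 41 on an NE with unrestricted defaults."""
    fs = FileSecurity()
    fs.cr_fsinigrp("FTUSERS", {"ftusr1", "ftusr2"})
    fs.cr_fsfgrp(FileGroup("FTUSERS1", ["\\NET.CONFIG"], {"Create", "Delete", "Read"}))
    fs.cr_fsrule(Rule("NETCONFIG", "Deny", initiator_group="FTUSERS", file_group="FTUSERS1"))
    return fs


if __name__ == "__main__":
    fs = fig41_setup()
    print(fs.decide("ftusr1", "\\NET.CONFIG", "Read"))   # deny rule NETCONFIG applies
    print(fs.decide("root", "\\NET.CONFIG", "Read"))     # root is not in FTUSERS: default
    fs.default_access["Read"] = "Deny"                   # the MOD FSCFG of Fig. 43
    print(fs.decide("root", "\\NET.RESULT", "Read"))     # now denied by default access
```

    The `decide` result carries the reason, which is what an operator wants when an FTP `get` is refused: whether a rule or the global default produced the denial. Changing `rule_restriction` to `grantRules` makes `cr_fsrule` reject deny rules, mirroring the MOD FSCFG parameter above.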


    C:\>ftp GSN1

    Connected to GSN1.

    220 SERVICE READY FOR NEW USER. PRO02OC0

    User (GSN1:(none)): ftusr1

    331 USER NAME OKAY, NEED PASSWORD. PRO01US0

    Password:

    230 USER LOGGED IN, PROCEED. AUTH0000

    ftp> dir

    200 COMMAND OKAY. PRO01PT0

    553 REQUESTED ACTION NOT TAKEN; FILE NAME NOT ALLOWED. FSI00002

    ftp> dir \

    200 COMMAND OKAY. PRO01PT0

    150 FILE STATUS OKAY; ABOUT TO OPEN DATA CONNECTION. PRO01RS0

    SYS:\GT.Q3SECTR.LOG

    SYS:\GU.SECADMIN

    SYS:\NET.CONFIG

    SYS:\NET.RESULT

    226 CLOSING DATA CONNECTION; REQUESTED FILE ACTION SUCCESSFUL. PRO03CR0

    73 bytes received in 0.14 seconds (0.52 Kbytes/sec)

    ftp> get \NET.CONFIG

    200 COMMAND OKAY. PRO01PT0

    150 FILE STATUS OKAY; ABOUT TO OPEN DATA CONNECTION. PRO01RS0

    226 CLOSING DATA CONNECTION; REQUESTED FILE ACTION SUCCESSFUL. PRO03CR0

    4450 bytes received in 0.03 seconds (148.33 Kbytes/sec)

    ftp> get \NET.CONFIG

    200 COMMAND OKAY. PRO01PT0

    550 REQUESTED ACTION NOT TAKEN; FILE UNAVAILABLE. FSV31100

    ftp>

    Fig. 44 No file access after "MODFSCFG"


    5 Assign Network Elements to User Groups

    Fig. 45


    5.1 Grant Network Element Access

    Before a user can execute a command at a network element, the user must be a member of a Switch Commander user group, and this Switch Commander user group must also have the network element assigned to it. Both tasks are done using the SC Administration tool.

    As with modifying the membership of a Switch Commander user, there are several ways to open the Switch Commander user group properties.

    When creating a new user group, you have the choice of specifying whether the user group should be an "NE based" or an "APS based" user group:

    NE based user groups:

    these user groups present the available network elements in a tree. Every network element has its own task tree, with the network element at the top.

    APS based user groups:

    these user groups have one task tree for all network elements, with the network element APS version at the top. All assigned network elements are available for every task.

    The user group type you choose depends on the task trees the users are to be allowed. If the task trees are to differ between network elements, you must choose an NE based user group.

    TOOLS

    SC Administration -> User Group -> Properties

    SC Administration -> User Group -> Create
