Security Management for ZTE Core Nodes

Chapter 2

Security Management Function

The security management provides the following functions:

- Ensuring the legal use of the system.
- Managing users, command sets, and roles.
- Preventing illegal users from accessing the system through the login authentication.
- Providing security control for various security management operations through the operation authorization.

The security management function is implemented by the Operation & Maintenance Module (OMM) server and clients.

- The OMM clients process data in the login window and the command tree of security management and display the processing result.
- The OMM server implements login authentication and operation authorization. The server is therefore the enforcement point: what the client shows in its command tree is presentation, not the permission check.

Basic Components

Users, roles, command sets, and operation commands are basic components of the security management. Figure 2-1 shows the inclusion relationships (referred to as affiliated relationships) between users, roles, command sets, and operation commands.

2-1

SJ-20120730093520-013|2012-10-31(R1.0) ZTE Proprietary and Confidential


ZXUN iCX(MSCS) General Operation Guide

Figure 2-1 Relationships Between Users, Roles, Command Sets and Operation Commands

- Users

  Users are operators who log in to the OMM client and perform related operations. The administrator restricts the users' permissions by defining their roles.

- Roles

  Roles are the permissions provided to the corresponding users, which in essence assign the operation permissions to a group of users by defining the operation command sets.

  Table 2-1 lists the default roles in the ZXUN iCX(MSCS).

  Table 2-1 Default Roles

  ID | Role | Highest Permission | Valid or Not
  1 | Administrator | All | Yes
  2 | Operator | Configuration | Yes
  3 | Maintenance personnel | System maintenance | Yes
  4 | Supervisor | Data query | Yes

- Command Sets

  A command set is a set of commands and represents a set of operation permissions. Multiple command sets can be assigned to the same role.

  Table 2-2 lists the command sets for the administrator.

  Table 2-2 Command Sets for the Administrator

  Role | Highest Permission | Command Set ID | Command Set
  Administrator | All | 1 | Command sets of operation management permission
  Administrator | All | 2 | Command sets of configuration permission
  Administrator | All | 3 | Command sets of system maintenance permission
  Administrator | All | 4 | Command sets of data query permission

  Table 2-3 lists the command sets for operators.

  Table 2-3 Command Sets for Operators

  Role | Highest Permission | Command Set ID | Command Set
  Operator | Configuration | 2 | Command sets of configuration permission
  Operator | Configuration | 3 | Command sets of system maintenance permission
  Operator | Configuration | 4 | Command sets of data query permission

  Table 2-4 lists the command sets for maintenance personnel.

  Table 2-4 Command Sets for Maintenance Personnel

  Role | Highest Permission | Command Set ID | Command Set
  Maintenance personnel | System maintenance | 3 | Command sets of system maintenance permission
  Maintenance personnel | System maintenance | 4 | Command sets of data query permission

  Table 2-5 lists the command sets for supervisors.

  Table 2-5 Command Sets for Supervisors

  Role | Highest Permission | Command Set ID | Command Set
  Supervisor | Data query | 4 | Command sets of data query permission

  You can run the SHOW CMDSET MEMBER command to check the specific commands that belong to a command set; the set is identified either by its ID or by its name. For example, to check the commands related to the operation management permission, run either of the following commands:

  SHOW CMDSET MEMBER:IID=1;

  SHOW CMDSET MEMBER:NAME="Command sets of operation management permission";

- Operation Commands

  Operation commands are used to perform operations after users log in to the OMM client.

Table of Contents

Adding a Command Set ................................................................................................ 2-4

Adding a Role ................................................................................................................ 2-7

Adding a User .............................................................................................................. 2-10

Modifying Own Password ............................................................................................ 2-15

Adding a Login IP Range ............................................................................................. 2-16

Disconnecting A Login User Forcibly .......................................................................... 2-18

Modifying the Password Policy of OAM User .............................................................. 2-19

Modifying the Account Policy of OAM User ................................................................ 2-22

Unlocking a User Manually .......................................................................................... 2-24

Inner Control Management .......................................................................................... 2-25

2.1 Adding a Command Set

This procedure describes how to add a command set and add operation command members to the command set.

Steps

1. To add a command set, perform the following operations:

a. In the command box of the Terminal window, enter the ADD CMDSET command.

The ADD CMDSET configuration area is displayed, see Figure 2-2.


Figure 2-2 ADD CMDSET Configuration Area

b. Enter Command Set Name, which cannot be identical with the name used by an

existing command set. For example: test.

c. Click the execute button. Figure 2-3 shows the execution result.

Figure 2-3 Result of Adding a Command Set

Note:

Command Set ID is assigned by the system automatically.

2. To add command set members, perform the following steps:

a. In the command box of the Terminal window, enter the ADD CMDSET MEMBER

command. The ADD CMDSET MEMBER configuration area is displayed, see

Figure 2-4.

Figure 2-4 ADD CMDSET MEMBER Configuration Area


b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-6.

Table 2-6 ADD CMDSET MEMBER Parameter Description

Parameter | Description | Setting
Command Set ID | The internal ID of a command set, which is automatically allocated by the system when this command set is added. | Enter either one of the two parameters (ID or name). You can query the command set ID and name with the SHOW CMDSET command.
Command Set Name | The name set when a command set is added. | See Command Set ID.
Command ID List | Command ID. | You can add several operation commands to a customized command set. If a command has already been assigned to this set, it cannot be added again. You can find the command ID to be configured with the SHOW CMD command.

c. Click the execute button to add one or more command set members.

Example: The Command Set Name is “test”, the Command ID is “1402000”.

Figure 2-5 shows the execution result.

Figure 2-5 Result of Adding Command Set Members

- End of Steps -

Related Operation

For related operation commands, refer to the following table.

Operation | Command | Command Function
Delete Cmdset | DEL CMDSET | Deletes a command set.
Copy Cmdset | COPY CMDSET | Copies an existing command set to create a command set including the same operation commands.
Delete Cmdset Member | DEL CMDSET MEMBER | Deletes an existing command set member.
Show Cmdset Member | SHOW CMDSET MEMBER | Queries the commands that belong to a command set, identified by command set ID or name.
Show Role by Cmdset | SHOW CMDSET ROLE | Queries roles corresponding to a command set.

2.2 Adding a Role

This procedure describes how to add a role and add a command set for the role, so that the operation permissions of the command set are assigned to the role.

Steps

1. To add a role, perform the following steps:

a. In the command box of the Terminal window, enter the ADD ROLE command.

The ADD ROLE configuration area is displayed, see Figure 2-6.

Figure 2-6 ADD ROLE Configuration Area

b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-7.

Table 2-7 ADD ROLE Parameter Description

Parameter | Description | Setting
Role Name | Name of the customized role. | Enter a role name different from any existing name for easy recognition. You can specify a maximum of 50 characters.
Role Description | User-defined role description information. | Enter information about the role so that users can get familiar with it. You can specify a maximum of 128 characters.
Valid Role (Yes or No) | Whether the role is in effect. | Yes indicates that this role is effective; No indicates that this role is not effective. The default value is Yes.

c. Click the execute button to add the role.

Example: Add and validate role TEST. Figure 2-7 shows the execution result.

Figure 2-7 Result of Adding a Role

Note:

The Role ID is assigned by the system automatically.

2. To add a role command set, perform the following steps:

a. In the command box of the Terminal window, enter the ADD ROLE CMDSET

command. The ADD ROLE CMDSET configuration area is displayed, see Figure

2-8.


Figure 2-8 ADD ROLE CMDSET Configuration Area

b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-8.

Table 2-8 ADD ROLE CMDSET Parameter Description

Parameter | Description | Setting
Role ID | Internal ID of a role, automatically assigned by the system when the role is added. | Enter either one of the two parameters (ID or name). You can find the values to be configured with the SHOW ROLE command.
Role Name | The name set when a role is added. | See Role ID.
Command Set ID List | Command set ID. | You can add several command sets to a customized role. If a command set has already been assigned to this role, it cannot be added again. You can find the values to be configured with the SHOW CMDSET command.

c. Click the execute button to add a role command set.

Example: The role name is “TEST”, the command set ID is “5”. Figure 2-9 shows

the execution result.

Figure 2-9 Result of Adding a Command Set for a Role

- End of Steps -


Related Operation

For related operation commands, refer to the following table.

Operation | Command | Command Function
Delete Role | DEL ROLE | Deletes a role.
Modify Role | SET ROLE | Modifies parameters of a role.
Copy Role | COPY ROLE | Copies an existing role to create a role quickly.
Delete Role Cmdset | DEL ROLE CMDSET | Deletes one or more command sets of a customized role.
Show Role Cmdset | SHOW ROLE CMDSET | Queries command sets of a role.
Show User by Role | SHOW ROLE USER | Queries users of a role.

2.3 Adding a User

This procedure describes how to add a user and assign roles to the user, so that the user has the operation permissions of the roles.

Steps

1. To add a user, perform the following steps:

a. In the command box of the Terminal window, enter the ADD USER command,

and then select the More... check box. The ADD USER configuration area is

displayed, see Figure 2-10.

Figure 2-10 ADD USER Configuration Area

b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-9.

Table 2-9 ADD USER Parameter Description

Parameter | Description | Setting
User Name | Name of the new user. | A user name may include English letters (case sensitive), digits, and some special characters ( - ! @ % & ( ) - + ). This name cannot be identical with the name of another existing user.
Description | Description of the user. | Enter a description of the user.
Valid User (Yes or No) | Sets whether the user account is in effect. | Default: Yes.
Mobile | Mobile phone number of the user. | Enter the mobile phone number of the user.
Email | E-mail address of the user. | Enter the E-mail address of the user.
Maximum Login Count | The maximum number of concurrent login sessions allowed for the same user account. | Default: 10. If this parameter is set to 0, the number of concurrent login sessions with the same user account is not restricted.
Restrict Password Validity | If set to Yes, the user has to modify an expired password before logging in to the system. | Default: No, which means the password never expires.
Password Validity (d) | Validity period of the password, in days. | Required if Restrict Password Validity is set to Yes.
User Password | Password for logging in to the system. | The user password must satisfy the password policy of the current system (query it with SHOW PASSWORDTACTIC, see section 2.7).
User Confirm Password | Confirmation of the user password. | The confirm password must be identical to the user password.
Restrict Operable Date | Sets whether the user may operate the OMM system only within a specified date range. | If this parameter is set to Yes, Operable Start Date and Operable End Date are required.
Operable Start Date | First date on which the user may operate the OMM system. | Required if Restrict Operable Date is set to Yes.
Operable End Date | Last date on which the user may operate the OMM system. | Required if Restrict Operable Date is set to Yes.
Restrict Operable Time | Sets whether the user may operate the OMM system only within a specified time of day. | If this parameter is set to Yes, Operable Start Time and Operable End Time are required.
Operable Start Time | Start of the daily period in which the user may operate the OMM system. | Required if Restrict Operable Time is set to Yes.
Operable End Time | End of the daily period in which the user may operate the OMM system. | Required if Restrict Operable Time is set to Yes.
Restrict Operable Day of Week | Sets whether the user may operate the OMM system only on specified days of the week. | If this parameter is set to Yes, Operable Day of Week is required.
Operable Day of Week | Days of the week on which the user may operate the OMM system. | Click the Operable Day of Week text box, and select days from the Operable Day of Week dialog box.

c. Click the execute button to add the user.

Example: Add user “test” with other parameters using their default values. Figure

2-11 shows the execution result.


Figure 2-11 Result of Adding a User

Note:

The User ID is generated by the system automatically.

2. To add a user role, perform the following steps:

a. In the command box of the Terminal window, enter the ADD USER ROLE

command. The ADD USER ROLE configuration area is displayed, see Figure

2-12.

Figure 2-12 ADD USER ROLE Configuration Area

b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-10.

Table 2-10 ADD USER ROLE Parameter Description

Parameter | Description | Setting
User ID | Internal ID of a user, automatically generated by the system when the user is added. | Enter either one of the two parameters (ID or name). You can find the values to be configured with the SHOW USER command.
User Name | The name set when the user is added. | See User ID.
Role ID List | Role ID. | You can add several roles to a customized user. If a role has already been assigned to this user, it cannot be assigned again. You can find the values to be configured with the SHOW ROLE command.

c. Click the execute button to add user roles.

Example: The user name is “test”, the role ID is “5”. Figure 2-13 shows the

execution result.

Figure 2-13 Result of Adding User Roles

- End of Steps -

Related Operation

For related operation commands, refer to the following table.

Operation | Command | Command Function
Delete User | DEL USER | Deletes a user.
Modify User | SET USER | Modifies information of a user.
Show User | SHOW USER | Queries information of a user, including user ID, name, validity, mobile phone number, E-mail address, whether the user is restricted to operating during specified days, the maximum number of concurrent login sessions with the same user account, and whether the password validity is restricted.
Copy User | COPY USER | Copies an existing user to create a new user quickly.
Delete User Role | DEL USER ROLE | Deletes roles of a customized user.
Show User Role | SHOW USER ROLE | Queries roles of a user.
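The relationships of Figure 2-1 and the ADD CMDSET, ADD ROLE CMDSET and ADD USER ROLE chain of sections 2.1 to 2.3, followed by the server-side authorization decision, as an added Python model. This is example code written for this page, not ZTE's OMM implementation: the class and method names, the automatic ID numbering and the way the Operable Start/End Time restriction of Table 2-9 is represented are assumptions. It reproduces the worked values from the procedures (command set "test" holding command 1402000, role TEST, user test) and shows that a duplicate member is refused, that a user outside the operable time window gets nothing, and that a role whose Valid Role is set to No grants no permission at all.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Optional, Set, Tuple


@dataclass
class CommandSet:
    set_id: int
    name: str
    commands: Set[int] = field(default_factory=set)       # operation command IDs


@dataclass
class Role:
    role_id: int
    name: str
    valid: bool = True                                    # Valid Role (Yes or No)
    cmdsets: Set[int] = field(default_factory=set)        # command set IDs


@dataclass
class User:
    user_id: int
    name: str
    valid: bool = True                                    # Valid User (Yes or No)
    roles: Set[int] = field(default_factory=set)          # role IDs
    operable_times: Optional[Tuple[time, time]] = None    # Operable Start/End Time


class SecurityDB:
    """Hypothetical model of the OMM security data (names are assumptions):
    IDs are allocated by the system, names are unique, a member cannot be
    assigned twice, and authorization is decided here, on the server side."""

    def __init__(self) -> None:
        self.cmdsets: Dict[int, CommandSet] = {}
        self.roles: Dict[int, Role] = {}
        self.users: Dict[int, User] = {}
        self._next = {"cmdset": 1, "role": 1, "user": 1}

    def _alloc(self, kind: str) -> int:
        self._next[kind] += 1
        return self._next[kind] - 1

    @staticmethod
    def _assign(target: Set[int], members: Tuple[int, ...], what: str) -> None:
        dup = target.intersection(members)
        if dup:                                           # "you cannot repeat the operation"
            raise ValueError(f"{what} already assigned: {sorted(dup)}")
        target.update(members)

    @staticmethod
    def _unique(table: dict, name: str, what: str) -> None:
        if any(item.name == name for item in table.values()):
            raise ValueError(f"{what} name {name!r} already exists")

    def add_cmdset(self, name: str) -> int:                          # ADD CMDSET
        self._unique(self.cmdsets, name, "command set")
        sid = self._alloc("cmdset")
        self.cmdsets[sid] = CommandSet(sid, name)
        return sid

    def add_cmdset_member(self, sid: int, *cmd_ids: int) -> None:   # ADD CMDSET MEMBER
        self._assign(self.cmdsets[sid].commands, cmd_ids, "command")

    def add_role(self, name: str) -> int:                            # ADD ROLE
        self._unique(self.roles, name, "role")
        rid = self._alloc("role")
        self.roles[rid] = Role(rid, name)
        return rid

    def add_role_cmdset(self, rid: int, *sids: int) -> None:         # ADD ROLE CMDSET
        self._assign(self.roles[rid].cmdsets, sids, "command set")

    def add_user(self, name: str, **attrs) -> int:                   # ADD USER
        self._unique(self.users, name, "user")
        uid = self._alloc("user")
        self.users[uid] = User(uid, name, **attrs)
        return uid

    def add_user_role(self, uid: int, *rids: int) -> None:           # ADD USER ROLE
        self._assign(self.users[uid].roles, rids, "role")

    def authorized(self, user_name: str, cmd_id: int, now: datetime) -> bool:
        """Operation authorization: a valid user, inside its operable window,
        holding a *valid* role whose command sets contain cmd_id."""
        user = next((u for u in self.users.values() if u.name == user_name), None)
        if user is None or not user.valid:
            return False
        if user.operable_times and not (user.operable_times[0] <= now.time() <= user.operable_times[1]):
            return False
        return any(cmd_id in self.cmdsets[sid].commands
                   for rid in user.roles if self.roles[rid].valid   # invalid role grants nothing
                   for sid in self.roles[rid].cmdsets)


def demo() -> dict:
    """Rebuilds the worked example of sections 2.1 to 2.3 and probes the check."""
    db = SecurityDB()
    cs = db.add_cmdset("test")                        # Figure 2-3: ID assigned by the system
    db.add_cmdset_member(cs, 1402000)                 # Figure 2-5
    role = db.add_role("TEST")                        # Figure 2-7
    db.add_role_cmdset(role, cs)                      # Figure 2-9
    user = db.add_user("test", operable_times=(time(8, 0), time(18, 0)))
    db.add_user_role(user, role)                      # Figure 2-13
    office, evening = datetime(2012, 10, 31, 10, 0), datetime(2012, 10, 31, 20, 0)
    result = {"granted": db.authorized("test", 1402000, office),
              "outside_operable_time": db.authorized("test", 1402000, evening),
              "command_not_in_set": db.authorized("test", 1402001, office)}
    try:
        db.add_cmdset_member(cs, 1402000)             # already a member: refused
        result["duplicate_member_refused"] = False
    except ValueError:
        result["duplicate_member_refused"] = True
    db.roles[role].valid = False                      # SET ROLE with Valid Role = No
    result["after_role_invalidated"] = db.authorized("test", 1402000, office)
    return result
```

Setting a role to Valid = No is the quick way to suspend a whole group of operators without deleting any assignment; the model above shows why that works: the permission walk skips invalid roles before it ever looks at their command sets.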


2.4 Modifying Own Password

Once a user account is created, the user can modify its own password. This procedure describes how to modify the password.

Steps

1. In the command box of the Terminal window, enter the SET PASSWORD command.

The SET PASSWORD configuration area is displayed, see Figure 2-14.

Figure 2-14 SET PASSWORD Configuration Area

2. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-11.

Table 2-11 SET PASSWORD Parameter Description

Parameter | Description | Setting
Old Password | The current password that is to be replaced. | You must type the correct old password. Leaving this parameter blank means that the old password is empty.
New Password | New password of the user. | Leaving this parameter blank means that the new password is empty. An empty password passes the policy only while Minimum Length of Password is left at its default of 0 and the complexity requirement is not enabled (Table 2-14); set a minimum length so that this cannot happen.
Confirm Password | Must be the same as the new password. | Leaving this parameter blank means that the confirm password is empty.

3. Click the execute button to modify the password.

- End of Steps -

Related Operation

For related operation commands, refer to the following table.

Operation | Command | Command Function
Set All Common Users to be Effective or Not | SET ALLUSERSTATUS | Only the administrator can set all common users to be effective or not. Be cautious when running this command.
Set All Common Users' Password | SET ALLUSERPASSWD | Only the administrator can modify the password of all users. Be cautious when running this command.

2.5 Adding a Login IP Range

This procedure describes how to add a login IP range for a user, so that the user can log in only from the specified address segments. The IPSEC in the command name abbreviates "IP Section" (the IP Section parameter below); it has nothing to do with the IPsec protocol suite.

Steps

1. In the command box of the Terminal window, enter the ADD USER IPSEC command.

The ADD USER IPSEC configuration area is displayed, see Figure 2-15.

Figure 2-15 ADD USER IPSEC Configuration Area

2. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-12.

Table 2-12 ADD USER IPSEC Parameter Description

Parameter | Description | Setting
User ID | ID of the user. | You must set exactly one of User ID and User Name. To query the user ID and name, run the SHOW USER command.
User Name | Name of the user. | See User ID.
Description | Description of the login IP address range. | 0 to 50 characters.
IP Section | The IP address range. | Required. Click this text box; the IP Section dialog box is displayed. In the IP Section dialog box, set the Start IP and End IP. A maximum of 50 IP address segments can be configured for a user.

3. Click the execute button to add a login IP address range for a user.

Example: The user name is “test”, the start IP address is “10.40.53.45”, and the end IP

address is “10.40.53.47”. Figure 2-16 shows the execution result.

Figure 2-16 Result of Adding a Login IP Range for a User

- End of Steps -

Related Operation

For related operation commands, refer to the following table.

Operation | Command | Command Function
Delete User IP Range | DEL USER IPSEC | Deletes an IP range of a user.
Show User IP Range | SHOW USER IPSEC | Queries the IP ranges of a user.
Delete User All IP Range | DEL USER ALLIPSEC | Deletes all IP ranges of a user.
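How the IP Section check of ADD USER IPSEC behaves, as an added Python example written for this page (not ZTE's code): Start IP and End IP are inclusive, at most 50 segments are kept per user, and a login is accepted only when the client address lies inside one of them. The class and method names are assumptions, and so is the behaviour for a user who has no segment configured, which is treated here as unrestricted because the page does not state it. The demo uses the values of the example above (user test, 10.40.53.45 to 10.40.53.47) and renders the segment as the CIDR blocks it covers using the standard library.

```python
import ipaddress
from typing import Dict, List, Tuple

MAX_SEGMENTS = 50        # Table 2-12: at most 50 IP address segments per user
Segment = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


class LoginIpRanges:
    """Hypothetical model of the per-user login IP ranges (names are assumptions)."""

    def __init__(self) -> None:
        self._segments: Dict[str, List[Segment]] = {}

    def add(self, user: str, start: str, end: str) -> None:          # ADD USER IPSEC
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError("Start IP must not be above End IP")
        segments = self._segments.setdefault(user, [])
        if len(segments) >= MAX_SEGMENTS:
            raise ValueError(f"user {user!r} already has {MAX_SEGMENTS} IP segments")
        segments.append((lo, hi))

    def show(self, user: str) -> List[str]:                          # SHOW USER IPSEC
        """Each inclusive segment rendered as the CIDR blocks it covers."""
        return [str(net) for lo, hi in self._segments.get(user, [])
                for net in ipaddress.summarize_address_range(lo, hi)]

    def delete_all(self, user: str) -> None:                         # DEL USER ALLIPSEC
        self._segments.pop(user, None)

    def allowed(self, user: str, client_ip: str) -> bool:
        """Login-time check: accept only a client address inside a configured
        segment. A user without any segment is treated as unrestricted here;
        that is an assumption, the page does not say what the OMM does."""
        segments = self._segments.get(user)
        if not segments:
            return True
        ip = ipaddress.IPv4Address(client_ip)
        return any(lo <= ip <= hi for lo, hi in segments)


def demo() -> dict:
    ranges = LoginIpRanges()
    ranges.add("test", "10.40.53.45", "10.40.53.47")                # values of Figure 2-16
    result = {
        "inside": ranges.allowed("test", "10.40.53.46"),
        "end_inclusive": ranges.allowed("test", "10.40.53.47"),
        "outside": ranges.allowed("test", "10.40.53.48"),
        "cidr_view": ranges.show("test"),
        "no_segments_user": ranges.allowed("other", "203.0.113.9"),
    }
    for i in range(MAX_SEGMENTS):                                    # constructed: fill the quota
        ranges.add("bulk", f"192.0.2.{i}", f"192.0.2.{i}")
    try:
        ranges.add("bulk", "192.0.2.100", "192.0.2.100")             # 51st segment
        result["limit_enforced"] = False
    except ValueError:
        result["limit_enforced"] = True
    ranges.delete_all("test")
    result["after_delete_all"] = ranges.allowed("test", "10.40.53.48")
    return result
```

The last two results are the operational caveat: once DEL USER ALLIPSEC has run, the user is no longer pinned to the maintenance network, so removing ranges should be paired with invalidating the account or adding a replacement range in the same change.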


2.6 Disconnecting a Login User Forcibly

When performing system maintenance, or on detecting that a logged-in user is attempting illegal operations, the administrator can forcibly disconnect that user.

Prerequisite

You have logged in to the Local Maintenance Terminal page as the system administrator

admin.

Steps

1. To query information of a login user, including user name, IP address, login time and

login type, perform the following steps:

a. In the command box of the Terminal window, enter the SHOW LOGINUSER

command. The SHOW LOGINUSER configuration area is displayed, see Figure

2-17.

Figure 2-17 SHOW LOGINUSER Configuration Area

b. Enter the name of the user. If you leave it blank, all users logged in to the LMT are queried.

c. Click the execute button to query information of the login users.

Example: Query all users logging in to the LMT. Figure 2-18 shows the execution

result.

Figure 2-18 Result of Querying All Login Users


2. To disconnect a login user forcibly, perform the following steps:

a. In the command box of the Terminal window, enter the RMV USERLINK

command. The RMV USERLINK configuration area is displayed, see Figure

2-19.

Figure 2-19 RMV USERLINK Configuration Area

b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-13.

Table 2-13 RMV USERLINK Parameter Description

Parameter | Description | Setting
User Name | Name of the user to be disconnected. | You can specify a maximum of 30 characters.
IP Address | IP address of the terminal where this login user is located. | IP address format.
Login Time | Time when this login user logged in to the OMM system. | Time format: YYYY-MM-DD HH:MM:SS.
Type | Type of the terminal through which this user logs in to the OMM system. | Terminal types are OMM Client, TELNET Client, NDF Client and SSH Client. Note that a TELNET session carries the login credentials in cleartext; where the deployment allows it, use the SSH Client instead.

c. Click the execute button to disconnect the login user forcibly.

- End of Steps -

2.7 Modifying the Password Policy of OAM User

This procedure describes how to query and modify the password policy of the security management system.

Prerequisite

You have logged in to the Local Maintenance Terminal page as the system administrator

admin.


Steps

1. To query current password policy, perform the following steps:

a. In the command box of the Terminal window, enter the SHOW PASSWORDTACTIC command. The SHOW PASSWORDTACTIC configuration area is displayed. Parameter setting is not required.

b. Click the execute button to query the current password policy.

2. To modify the password policy of OAM user, perform the following steps:

a. In the command box of the Terminal window, enter the SET PASSWORDTACTIC

command. The SET PASSWORDTACTIC configuration area is displayed, see

Figure 2-20.

Figure 2-20 SET PASSWORDTACTIC Configuration Area

b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-14.

Table 2-14 SET PASSWORDTACTIC Parameter Description

Parameter | Description | Setting
Minimum Length of Password | Minimum length of a password. | Integer from 0 to 20, default 0. It is recommended to change it to 6.
Enable Password Complexity Requirement | The password complexity policy means: a password must contain characters from three of the following four categories: English uppercase characters, English lowercase characters, base 10 digits and non-alphabetic characters; a password cannot be identical with the user name; a password cannot be the reverse of the user name string. | Yes: the password complexity policy is enabled. No: the password complexity policy is disabled.
Reminding Days Before Password Expired | Warns the user N days before the password expires. | Integer from 0 to 90.
Must Modify Expired Password | Specifies whether an expired password must be modified. | Yes: the expired password must be modified. No: the expired password need not be modified.
Count of Latest Passwords Cannot Be Reused | The new password cannot be any of the last N passwords used. | Integer from 0 to 90.
Day of Latest Passwords Cannot Be Reused | The new password cannot be any password used within the last N days. | Integer from 0 to 180.
Must Modify Password When User Login First | - | Yes: the user must modify the password at the first login. No: the user need not modify the password at the first login.
Must Modify Password When Alarmed User Login | - | Yes: a user who successively enters an incorrect password three times but still remains unlocked must modify the password after logging in. No: such a user need not modify the password after logging in.

c. Click the execute button to modify the password policy.

- End of Steps -
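The checks of Table 2-14 applied to a proposed password (minimum length, three of four character categories, no user name or reversed user name, no reuse by count or by age), as an added Python example; it also covers the blank-password case of SET PASSWORD in section 2.4. This is illustrative code written for this page, not the OMM server's policy engine: the PasswordPolicy field names, the digest-based password history and the reading of "non-alphabetic characters" as non-alphanumeric are assumptions. The demo compares the factory defaults (minimum length 0, complexity off), under which an empty password passes, with a hardened policy.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class PasswordPolicy:                 # field names are assumptions mirroring Table 2-14
    min_length: int = 0               # Minimum Length of Password: default 0, recommended 6
    complexity: bool = False          # Enable Password Complexity Requirement
    reuse_count: int = 0              # Count of Latest Passwords Cannot Be Reused
    reuse_days: int = 0               # Day of Latest Passwords Cannot Be Reused


def digest(password: str) -> str:
    """History entries hold digests, never plaintext. Illustration only: a real
    credential store would use a salted, deliberately slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(policy: PasswordPolicy, username: str, password: str,
                       history: List[Tuple[str, datetime]], now: datetime) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted).
    history: (digest, time that password was set), newest first."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity:
        categories = (
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),   # "non-alphabetic" read as non-alphanumeric (assumption)
        )
        if sum(categories) < 3:
            problems.append("fewer than three character categories")
        if password == username:                       # user names are case sensitive (Table 2-9)
            problems.append("identical to the user name")
        if password == username[::-1]:
            problems.append("reverse of the user name")
    recent = {d for d, _ in history[:policy.reuse_count]}
    if policy.reuse_days > 0:
        recent.update(d for d, when in history if now - when <= timedelta(days=policy.reuse_days))
    if digest(password) in recent:
        problems.append("reuses a recent password")
    return problems


def demo() -> dict:
    """Constructed sample: user 'test' set passwords 10 and 30 days ago."""
    now = datetime(2012, 10, 31, 12, 0)
    history = [(digest("Spring-2012a"), now - timedelta(days=10)),
               (digest("Winter-2011b"), now - timedelta(days=30))]
    default = PasswordPolicy()                          # factory values of Table 2-14
    hardened = PasswordPolicy(min_length=6, complexity=True, reuse_count=1, reuse_days=90)
    return {
        "empty_under_default": check_new_password(default, "test", "", history, now),
        "empty_under_hardened": check_new_password(hardened, "test", "", history, now),
        "strong": check_new_password(hardened, "test", "Zx!9tunnel", history, now),
        "two_categories": check_new_password(hardened, "test", "passwordonly1", history, now),
        "reversed_name": check_new_password(hardened, "Operator1", "1rotarepO", history, now),
        "reused_by_count": check_new_password(hardened, "test", "Spring-2012a", history, now),
        "reused_by_age": check_new_password(hardened, "test", "Winter-2011b", history, now),
    }
```

The "reused_by_age" case is the reason both reuse parameters exist: with a count of 1 the second-last password would be allowed again, and only the day-based rule catches it.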

2.8 Modifying the Account Policy of OAM User

This procedure describes how to query and modify the account policy of the security management system.

Prerequisite

You have logged in to the Local Maintenance Terminal as the system administrator

admin.

Steps

1. To query current account policy, perform the following steps:

a. In the command box of the Terminal window, enter the SHOW USERTACTIC

command. The SHOW USERTACTIC configuration area is displayed. Parameter

setting is not required.

b. Click the execute button to query the current account policy.

2. To modify the account policy, perform the following steps:

a. In the command box of the Terminal window, enter the SET USERTACTIC

command. The SET USERTACTIC configuration area is displayed, see Figure

2-21.


Figure 2-21 SET USERTACTIC Configuration Area

b. Enter the parameters in accordance with your actual situations. For the parameter

description, refer to Table 2-15.

Table 2-15 SET USERTACTIC Parameter Description

Parameter | Description | Setting
Lock Status | Account lock policy. | Never Lock: the system does not lock this user even if the user types a wrong password many times. Policy Lock: the system locks this user when the number of successive wrong passwords exceeds the preset number, and unlocks the user automatically after the preset auto unlock time. Lock Forever: the system locks this user when the number of successive wrong passwords exceeds the preset number; the user can only be unlocked manually.
Lock User by IP | Whether the lock is tied to the IP address of the login client. | Set this parameter when the lock status is Policy Lock or Lock Forever. Yes: the account is locked only for the client IP address from which the wrong passwords came. No: the account is locked regardless of the client IP address.
Max. Times of Incorrect Password Enter | The maximum number of times that a user can enter a wrong password; the account is locked when this number is exceeded. | Set this parameter when the lock status is Policy Lock or Lock Forever.
Auto Unlock Time (Hr) | The time after which the system automatically unlocks a locked user. | Set this parameter when the lock status is Policy Lock or Lock Forever. The range is from 1 to 72.
Lock-Check Period (d) | Period of lock status detection. | Set the period for lock status detection. Integer from 1 to 999.
Reminding Days before Account Expired | Number of days before account expiration at which the user starts being reminded. | Integer from 0 to 90.

c. Click the execute button to modify the account policy.

- End of Steps -

2.9 Unlocking a User Manually

The user account rules define the condition for locking users, that is, the number of times a wrong password is entered. If a user types a wrong password up to the specified number of times, the account is locked. The system administrator can manually unlock a user.

Prerequisite

You have logged in to the Local Maintenance Terminal page as the system administrator

admin.

Steps

1. To query locked users, perform the following steps:

a. In the command box of the Terminal window, enter the SHOW LOCKEDUSER command. The SHOW LOCKEDUSER configuration area is displayed, see Figure 2-22.


Figure 2-22 SHOW LOCKEDUSER Configuration Area

b. Enter the User Name. If no name is entered, the system queries all locked users.

c. Click to query information of a locked user.

2. To unlock a user manually, perform the following steps:

a. In the command box of the Terminal window, enter the UNLOCK USER

command. The UNLOCK USER configuration area is displayed, see Figure 2-23.

Figure 2-23 UNLOCK USER Configuration Area

b. Enter the parameters as needed. For the parameter description, refer to Table 2-16.

Table 2-16 UNLOCK USER Command Parameter Description

Parameter: User Name
Description: Name of the user you want to unlock.
Setting: You can find the user name to be configured with the SHOW LOCKEDUSER command.

Parameter: IP Address
Description: IP address of the client through which the user logs in to the OMM system.
Setting: You can find the IP address to be configured with the SHOW LOCKEDUSER command.

c. Click to manually unlock the user.

– End of Steps -

2.10 Inner Control Management

Inner control management supports the management of inner control accounts in the OMM system, including data file accounts and file transfer service accounts. With this function, maintenance engineers can perform operations such as modifying the password of an inner control account.


Inner control management and inner control account are described as follows:

l An inner control account is created during installation. It is used for accessing data

files or other resources in the system. For the application of an inner control account,

see Figure 2-24.

l Inner control management adopts its own policy, which is different from the policy of

managing permission users.

l The user having the inner control management permission can query and set the inner

control management policy as required.

Inner control management covers modification of the account password and of the inner control password policy. The following table describes the related operation commands.

Figure 2-24 Inner Control Account Application

2.10.1 Modifying the Information of Inner-Control Accounts

This procedure describes how to modify information of a specified inner control account,

including account description, password validity, and password of the account.

Prerequisite

You have logged in to the Local Maintenance Terminal page as the system administrator

admin.

Steps

1. To query information of inner control accounts, perform the following steps:

a. In the command box of the Terminal window, enter the SHOW ACCOUNTINFO command. The SHOW ACCOUNTINFO configuration area is displayed, see Figure 2-25.


Figure 2-25 SHOW ACCOUNTINFO Configuration Area

b. Click to query the information of all inner control accounts. If you want to query

information of an inner control account, select the type of the account from the

Account Type list or enter the name of the account in the Account Name text

box. For the parameter description, refer to Table 2-17.

2. To modify description or password validity of an inner control account, perform the

following steps:

a. In the command box of the Terminal window, enter the SET ACCOUNTINFO

command. The SET ACCOUNTINFO configuration area is displayed, see Figure

2-26.

Figure 2-26 SET ACCOUNTINFO Configuration Area

b. Enter the command parameters as needed. For parameter descriptions, refer to

Table 2-17.

Table 2-17 SET ACCOUNTINFO Parameter Descriptions

Parameter: Account Type
Description: Type of the inner control account.
Setting: Options:
l Data File Account
l File Transfer Account
l OMP File Transfer Account
l OMP TELNET Account

Parameter: Account Name
Description: Name of the inner control account.
Setting: Case-insensitive. Enter the name of an existing inner control account in the text box. To query the name of an existing inner control account in the system, run the SHOW ACCOUNTINFO command.

Parameter: Account Description
Description: Description of the inner control account.
Setting: Range: 0-128 characters. Enter the new description for the inner control account.

Parameter: Password Validity(d)
Description: Validity of the inner control account password.
Setting: Range: 1-90 days. Enter the new password validity.

c. Click to modify description of an inner control account.

Example: Modify description of the file transfer account 1_FTP to FTP, and set the

password validity to 60. Figure 2-27 shows the execution result.

Figure 2-27 Result of Modifying Description of an Inner Control Account

3. To modify the password of an inner control account, perform the following steps:

a. In the command box of the Terminal window, enter the SET ACCOUNTPASSWD command. The SET ACCOUNTPASSWD configuration area is displayed, see Figure 2-28.

Figure 2-28 SET ACCOUNTPASSWD Configuration Area

b. Enter the command parameters as needed. For parameter descriptions, refer to

Table 2-18.


Table 2-18 SET ACCOUNTPASSWD Parameter Descriptions

Parameter: Account Type
Description: Type of the inner control account.
Setting: Options:
l Data File Account
l File Transfer Account
l OMP File Transfer Account
l OMP TELNET Account

Parameter: Account Name
Description: Name of the inner control account whose password is to be modified.
Setting: Case-insensitive. Enter the name of an existing inner control account in the text box. To query the name of an inner control account, run the SHOW ACCOUNTINFO command.

Parameter: Old Password
Description: Original password of the inner control account.
Setting: You must enter the correct original password before running the command.

Parameter: New Password
Description: New password of the inner control account.
Setting: The new password must comply with the inner control password policy.

Parameter: Confirm Password
Description: Confirmation of the new password of the inner control account.
Setting: The confirm password must be the same as the new password.

c. Click . The Confirm dialog box is displayed.

d. Click Yes to modify the password of an inner control account.

- End of Steps -

2.10.2 Modifying the Password Policy of Inner-Control Accounts

This procedure describes how to modify the parameters of the password policy of

inner-control accounts, including Min Length of the Password, Max Length of the

Password, Weak Password Check, Password Repeat Count, Days Before the

Password Is Invalid, and Need to Send Alarm When Invalid.

Prerequisite

You have logged in to the Local Maintenance Terminal page as the system administrator

admin.

Steps

1. Query the password policy of inner-control accounts.


a. In the command box of the Terminal window, enter the SHOW PASSWDTACTIC command. The SHOW PASSWDTACTIC configuration area is displayed. No parameters need to be set.

b. Click to query the current inner control password policy.

2. Modify the password policy of inner-control accounts.

a. In the command box of the Terminal window, enter the SET PASSWDTACTIC command. The SET PASSWDTACTIC configuration area is displayed, see Figure 2-29.

Figure 2-29 SET PASSWDTACTIC Configuration Area

b. Enter the command parameters as needed. For the parameter description, refer

to Table 2-19.

Table 2-19 SET PASSWDTACTIC Parameter Description

Parameter: Min Length of Password
Description: Minimum length of a password.
Setting: Range: 1-32. The minimum length of a password must not be greater than the maximum length of the password.

Parameter: Max Length of Password
Description: Maximum length of a password.
Setting: Range: 1-32. The maximum length of a password must not be less than the minimum length of the password.

Parameter: Weak Password Check
Description: The password complexity policy means:
l A password must contain characters from three of the following four categories: English uppercase characters, English lowercase characters, base 10 digits, and non-alphabetic characters.
l A password should not be the same as the user name or the user name repeated twice.
l A password cannot be the reverse of the user name string.
Setting: Including:
l Yes: The password complexity policy is enabled.
l No: The password complexity policy is disabled.

Parameter: Can Not Use Recently Used Password Times
Description: Number of previous passwords that the system remembers; a remembered password cannot be reused.
Setting: Range: 1-50.

Parameter: Reminding Days Before Password Expired
Description: Specifies how many days before the password expires you are prompted to change it.
Setting: You need to set this parameter when Send Alarm or Not When Password Expired is set to Yes. Range: 0-90. If this parameter is set to 0, you are prompted when a password expires.

Parameter: Send Alarm or Not When Password Expired
Description: Specifies whether the system prompts you about password expiration.
Setting: Including:
l Yes: The system prompts the user about password expiration.
l No: The system does not prompt the user about password expiration, either before or after a password expires.

c. Click to modify the password policy of inner-control accounts.

– End of Steps -
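As an added illustration, not ZTE code, the following Python check applies the Table 2-19 rules (Min/Max Length of Password, Weak Password Check, Can Not Use Recently Used Password Times) to a proposed inner control password; treating the fourth character class as characters that are neither letters nor digits, comparing user names case-insensitively, and keeping the password history as SHA-256 digests are assumptions, and the sample passwords are constructed.

```python
# Added check modelled on the SET PASSWDTACTIC parameters; the OMM's exact
# matching rules are not published, so the details below are assumptions.
import hashlib
from dataclasses import dataclass
from typing import List

@dataclass
class PasswordPolicy:
    min_length: int = 8               # Min Length of Password, range 1-32
    max_length: int = 32              # Max Length of Password, range 1-32
    weak_password_check: bool = True  # Weak Password Check: Yes / No
    history_count: int = 5            # Can Not Use Recently Used Password Times, 1-50

    def __post_init__(self):
        # Table 2-19 requires min length <= max length, both within 1-32.
        if not 1 <= self.min_length <= self.max_length <= 32:
            raise ValueError("Min Length of Password must not exceed Max Length, both 1-32")

def _digest(pw: str) -> str:
    # History is kept as SHA-256 digests rather than plaintext (assumption).
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def check_password(policy: PasswordPolicy, user: str, pw: str,
                   history: List[str]) -> List[str]:
    """Return the violated rules; an empty list means the password is accepted.
    history holds digests of earlier passwords, newest last."""
    problems = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        problems.append("length")
    if policy.weak_password_check:
        # Three of four categories: upper, lower, digit and (assumed) symbol,
        # i.e. a character that is neither a letter nor a digit.
        classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
        if sum(classes) < 3:
            problems.append("complexity")
        u, p = user.casefold(), pw.casefold()   # account names are case-insensitive
        if p == u or p == u + u:
            problems.append("equals user name or doubled user name")
        if p == u[::-1]:
            problems.append("reverse of user name")
    # Only the most recent history_count passwords are remembered.
    if _digest(pw) in history[-policy.history_count:]:
        problems.append("recently used")
    return problems
```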
