(10) IManager U2000 Security and Data Management

1 . U 2 0 0 0 S e c u r i t y

Management . . . . . . . . . . . . . . . . . . . .Page 3

2 . U 2 0 0 0 D a t a b a s e

M a n a g e m e n t . . . . . P a g e 3 2

P-0

Confidential Information of Huawei. No Spreading Without Permission

iManager U2000 Security and Data Management

References

iManager U2000 Administrator Guide

iManager U2000 Operation Guide

iManager U2000 Online Help

P-1



P-2



P-3



security management strategy: The security management function provides the

role-based and domain-based management for the U2000 and NEs. With this

function, the U2000 can also monitor in real time the users that already log in to

the U2000 and NEs. In this way, the network and data security ensures that login

failures or illegal operations are captured.

P-4



After installing U2000 on Solaris platform, there will be three system users: root,

sybase, nmsuser. Usually we use nmsuser to log in the JDE and start U2000 server.

root: this user is the super user of the OS and it has the highest authority

in the system. The root user is used to create other users with relevant

authorities. The default password of root is Changme_123 on Solaris and

Changme_123 on Linux.

sybase: this user is the database operation user. It is responsible for setting

Sybase environment variables, installing, maintaining and managing the

Sybase database, As the owner of the directory /opt/sybase, the sybase

user can manage the Sybase database, for example, configuring Sybase

environment variables and starting/stopping the Sybase service.

nmsuser: During the U2000 installation, the software creates a nmsuser

user of the operating system automatically. The nmsuser user is

responsible for setting environment variables of the U2000 server and

starting the U2000 server. The nmsuser user has all the rights of its home

directory. The file .profile in this directory records environment variables

for the U2000 running.

After database initialization, there are two default users: sa and NMSuser.

sa is the super user of the database. The default password is

Changeme_123.

NMSuser is the database user which is used for U2000 to login database.

The default password is NMSuser

NM User: The one to login U2000 Server.

NE User: The one to login NEs by U2000 or other software.

P-5



After the Solaris OS, Sybase database and the U2000 are successfully installed on

a server, the following OS users are generated:

root: The root user is the default administrator of the Solaris OS. With the

highest administrative rights, the root user can control all resources, create

other users, assign rights to these users, and perform all the operations

supported by the OS.

ossuser: During the installation of the U2000, the ossuser user is

automatically created by the U2000 as an OS user. The ossuser user can

set the environment variables of the U2000 server and start the U2000

client on the server. The ossuser user has all the rights to edit the

"/export/home/ossuser" directory.

dbuser: During the installation of the NMS, the Sybase database is

automatically installed and the OS user dbuser is automatically created.

The dbuser user can set the environment variables of the Sybase database,

install the Sybase software, and manage and maintain the Sybase

database.

If the OS is SUSE Linux, the system user sybase will be created instead of

dbuser.

The database system generates two database users:

sa/system: The sa user is the default system administrator of the database.

The sa user has the highest management rights of the database.

dbuser: During the installation of the U2000, the dbuser user is

automatically created by the U2000 as a database user. You can use the

dbuser user to access the database when the U2000 is running.

P-6



The logs include the U2000 security log, the U2000 operation log, the system logs

and the NE log. The logs record operations performed by operators to the U2000

or an NE.

Security logs record the security operations that the user performs in the

U2000, for example, login, logout, locking, and unlocking. By viewing the

logs, an administrator can track and check the security operations of the

users.

Operation logs record the information about the non-security operations

that the user performs in the U2000, for example, creating subnets, and

muting and unmuting the alarm sound. By viewing the logs, an

administrator can track and check the user operations.

System logs record the operations or tasks that the U2000 performs

automatically, for example, scheduled tasks and system tasks.

The NE syslog running logs record the running information of U2000 NEs.

By obtaining all NE syslog running logs from NEs through the U2000, you

can view the NE syslog running logs managed by the U2000 through the

U2000, instead of viewing the NE syslog running logs on each NE.

P-7



Procedure:

Choose Administration > Log Management > Query Operation Logs. You can also

select Query System Logs or Query Security Logs to browse system or security

logs.

In the Filter window as follows, set the filtering conditions, and then click OK.

Right-click in the query window and perform the operations listed in the picture.

P-8



Procedure:

Choose Administration > Log Management > Operation Log Statistics from

the main menu. You can also select System Log Statistics or Security Log

Statistics items.

In the Statistic Filter window, set the statistical items and statistical

conditions, and then click OK.

P-9



Dump log can avoid that the logs reach the maximum storage capacity of the

database and that the system performance is degraded.

There are three types of dump: scheduled dump, manual dump and overflow

dump.

Setting the log timing dump:

Choose Administration > Task Schedule > Task Management from the

main menu.

In the Task Management window, select Database Capacity Management

in the navigation tree.

Double-click the Operation Log Dump task in the task list. You can

configure the timing dump parameters as follows and the presentation.

The file type support CSV and XML.

P-10



In the network planning, you can configure and plan the data transmission

according to certain network security isolation policy. In this way, you can ensure

the security and reliability of the network and data of the U2000 system, and

avoid illegal login and data loss or theft.

P-11



After the SSL(Security Socket Layer) protocol is enabled, the communication between the

client and server is encrypted and secured. This can avoid hacker attacks.

Procedure:

If the OS is Windows, enter ssl_adm -cmd query to query the communication

mode in command line interface as administrator. You have to Log in to the Linux

or Solaris OS on the U2000 server as ossuser (nmsuser for VIR6) user and do as

follows to query the communication mode in use: $ ssl_adm -cmd query .

Stop U2000 processes. In the U2000 software installation path, for example,

D:\oss\server\platform\bin (D:\U2000\server\bin for VIR6), run the stopnms.bat file

to stop U2000 processes. For Linux or Solaris, Run the following command to stop

U2000 processes.

$ cd /opt/oss/server/platform/bin (cd /opt/U2000/server/bin for V1R6)

$ ./stopnms.sh

Set the communication mode for the U2000 server and client. Enter ssl_adm -cmd

setmode ssl and set the communication mode for the U2000 server and client. For

Linux or Solaris, enter $ ssl_adm -cmd setmode ssl

Start U2000 processes. In the U2000 software installation path, for example,

D:\oss\server\platform\bin (D:\U2000\server\bin for VIR6),, run the startnms.bat

file to start U2000 processes. For Linux or Solaris, Run the following command to

start U2000 processes. $ cd /opt/oss/server/platform/bin ($ cd

/opt/U2000/server//bin for V1R6)

$ ./startnms.sh

P-12



The ACL (Access Control List) is a secure access control mechanism. It restricts a

user to log in to the server through only the clients with the specified IP addresses.

Procedure:

Choose Administration > NMS Security > ACL from the Main Menu. The

ACL dialog box is displayed

Click Add and the New System Access Control Item box is displayed

Set parameters of the IP address or network segment, and click OK

Click Close to close the System ACL dialog box

P-13



Procedure:

Choose Administration > NMS Security > NMS User Management from the

Main Menu.

In the NMS User Management area, double-click Users and select a desired

user.

In the right-hand pane, click the ACL Settings tab.

Select Use all the ACLs in the system or Use the specified ACLs according

to requirements.

Click Set ACL and the ACL dialog box is displayed.

NOTES:

If you select Use System ACL, the U2000 user can log in to the clients

corresponding to all IP addresses or network segments in the list by

default.

If you select Use User ACL, you need to select an IP address or network

segment of the client that the U2000 user can log in.

P-14



Procedure:

Click Add and the New System Access Control Item dialog box is displayed.

Set parameters of the IP address or network segment, and click OK.

Click Close to close the Set ACL dialog box.

P-15



Procedure:

Optional: If Use the specified ACLs is selected, you need to check the

Access Permitted check box corresponding to the IP address or network

segment. Click Apply.

P-16



P-17



Procedure:

Choose Administration > NMS Security > Security Policies from the Main

Menu. The Security Policy dialog box is displayed

In the Security Policy dialog box, click the Password Policy tab.

Set the basic and advanced parameters of the password policy as required.

Click OK.

In the Security Policy dialog box, click the Account Policy tab.

Set the account policy as required.

Click OK.

P-18



Procedure:

Log in the Msuite system.

In the main menu ,select System > Change Password.

P-19



The U2000 remote maintenance function allows login to the U2000 server from a

remote client. Strict management for the remote maintenance user not only

ensures U2000 system security, but also makes maintenance operations easier.

Procedure:

Choose Administration > NMS Security > Remote Maintenance User

Management from the Main Menu. The Remote Maintenance User

Management dialog box is displayed. Enable the remote maintenance user

and set its other parameters

Set the Operation Authority. You can select Query or Configuration as

needed

Set Valid Forever or Not to No

Set Validity Period

Click OK

P-20



By DCN or other types, you can access the U2000 server by remote maintenance

user. Then maintenance command can be done by this function.

Remote maintenance client login procedure.

On the Windows platform, click startup_cmdclient_global.bat under the

\U2000\client directory;

Input the user and password, then the windows display as the slide;

Double click the NE, and input the command.

P-21



The U2000 remote maintenance function allows login to the U2000 server from a

remote client. Strict management for the remote maintenance user not only

ensures U2000 system security, but also makes maintenance operations easier.

Procedure:

Choose Administration > NMS Security > Remote Maintenance User

Management from the main menu.

In the Set Remote Maintenance User Parameter dialog box, enable the

remote maintenance user.

Input the NE User Name and NE User Password.

Click Select NE. In the dialog box that is displayed, select the NE.

Click OK.

Follow-up Procedure

After the remote maintenance user is enabled, an NE user can log in to the

NE from the U2000 remote maintenance terminal.

NOTE: By default, you can log in to the NE from the U2000 remote

maintenance terminal only as an NMS user that has rights of the

Maintenance Group group or higher-level rights.

P-22



User: The user name and password of a U2000 user identifies the U2000

management rights entitled to the user. When a user is added to a user group,

the user has all the operation rights of this user group. The U2000 provides a

default user: admin. It is the super user of the system and has a higher authority

than the system administrator group. You can neither modify the rights of the

user admin, nor add user admin to other user groups.

Procedure:


Main Menu

In the NMS User Management area, double-click Users, right-click and

choose New User from the shortcut menu

Complete the information in the New User dialog box

For network maintenance purposes, you can create U2000 users and assign

different authorities to them. Apart from user admin, all the users to operate the

U2000 need to create corresponding accounts, that is, the U2000 user accounts.

P-23



You can specify the user group of a U2000 user so that the user can have the

management rights and operation rights of the user group.

Usually, we assign the user with certain user authorities by adding the user to a

user group rather than assigning specific authorities for the user.

Procedure:


Main Menu

In the NMS User Management area, double-click Users and select a desired

user

In the right-hand pane, click the Groups tab

Optional: Select a desired user group and click Delete

Click Add and the Add User Groups dialog box is displayed

Select a user group that you want to add, and click OK

In the right-hand pane, click the Operation Rights tab

Optional: Select a desired user operation rights and click Delete

Click Add and the Add Rights dialog box is displayed

Select a user group that you want to add, and click OK

P-24



User Group: This is a collection of the U2000 users that have the same

management rights. The default user groups are maintainer group, manager

group, monitor group, operator group and security manager. The attributes of the

user groups include name, description, member and authority.

Procedure:


Main Menu.

In the NMS User Management area, double-click User Group, right-click

and choose New User Group from the shortcut menu. In the New User

Group dialog box that is displayed, input the information of a new user

group.

Click OK.

P-25



The principle of assigning user authorities is as follows:

After creating a U2000 user, you assign the user with certain user

authorities by adding the user to a user group rather than assigning

specific authorities for the user.

If the user authorities are limited, and the user cannot perform certain

operations after the user is added to a default user group, you can create

user group. After adding authorities to this user group, you can assign the

user to this new user group.

In practice, you may need to add or delete specific authorities for a user

without creating new user groups. In this case, follow the rules below.

To modify specific authorities for a number of NEs, do not directly

select these NEs. Creating an Object Set for the NEs that require

more authorities, and assign authorities for the equipment set.

To assign a number of operation authorities to a user, do not

directly select all these operation authorities. Creating an Operation

Set for these operations and assign the operation set to the user.

If you want to add one or more authorities to a user, you can select

the user that you want to set the authority directly. Select the

Operation Rights tab, and click select to add the corresponding

operation authorities to the user.

P-26



Operation Set: This is a collection of client-side operations. Operation sets are

established to facilitate the user right management. Different client-side

operations have different impacts on the system security. Those operations that

impose similar impacts on the system security are allocated to the same operation

set. In this way, if a user (or user group) is authorized with the rights of an

operation set, the user (or user group) can perform all the operations in the

operation set. If the default operation sets do not meet the requirements for the

right allocation, you can create new operation sets as required.

Procedure:


Main Menu.

In the NMS User Management area, right-click Operation Set and choose

New Operation Set from the shortcut menu.

In the New Operation Set dialog box displayed, input the information of a

new operation set.

Click the Members tab. Click the Select button or Copy member from

operation button to add members to the operation set.

Click OK.

U2000 supports modifying an operation set, deleting an operation set, exporting

or importing operation sets.

P-27



Object Set: It is a collection of manageable devices and device services. By default,

the U2000 provides All Objects. If a user or user group can manage an object set,

it indicates that the user or user group can manage all the objects in the object

set. The administrator can create an object set, add objects that can be managed

in a centralized manner to the object set, and specify a user or user group to

manage the objects in the object set. In this way, the management cost of the

administrator can be reduced.

Procedure:


Main Menu

In the NMS User Management area, click Object Set, right-click and choose

New Object Set from the shortcut menu

In the New Object Set dialog box that is displayed, input the information

of a new equipment set

Click the Members tab. Check the Select button (display in the slide) or

Copy members from object button to add device to the object set.

Click OK.

U2000 supports modifying an object set, deleting an object set.

P-28



Procedure


Main Menu

In the NMS User Management area, double-click User Groups, and select a

U2000 user group

In the right-hand pane, click the Operation Rights tab

Optional: Select one or more desired operation authorities and click Delete

Click Select and the Select Operation Rights dialog box is displayed

Select the operation and operation set

Click OK

P-29



Procedure:


main menu

In the NMS User Management navigation tree, expand the User Groups

node, and then select a user group

Click the Domain tab to view the managed domain of the user group

Click Select button. In the Select Domain dialog box, select the devices and

object sets.

Click OK

P-30



P-31



You can back up and restore the U2000 data in two ways: Back up and restore all

data in U2000 databases, and back up and restore the U2000 network

configuration data by using scripts.

The following data is not backed up when you back up the U2000 database:

The data save at the NE side that cannot be uploaded.

The custom options of the system.

Comparison of Two Data Maintenance Methods

Method Characteristics Application Scenario

Backing up and

restoring all data

in the U2000

databases

1. Backs up the structure and contents

of the U2000 database. The data is in

the binary mode.

2. Backs up all data.

3. The processing speed is fast, and the

backup file is big.

The backed up data for

a certain type of

database cannot be

restored to the data for

a different type of

database.

Backing up and

restoring the

U2000 network

configuration

data by using the

script files

1. Exports the configuration data in the

U2000 to a txt file that is similar to the

MML format. This is done to save data.

You can directly understand the

configuration contents of the txt file.

2. Backs up only some of the data,

including the basic configuration data,

port naming data and user-defined data.

3. The processing speed is slow and the

backup file is very small.

This method is usually

used to upgrade the

U2000.

P-32



Databases used by U2000 NMS and LCT

Sybase 15 database (Solaris OS/Linux OS)

a relational database which uses tables to store data

MS SQL Server database (Windows OS)

the function is similar to Sybase, which supports graphic user

interface. MS SQL Server 2008 is used by U2000.

Sybase database server

All the operations about backup and restoration are implemented via

backup server

Precondition: backup server and master server must be installed in

the same computer

Procedure: sends out backup or restore commands by SQL language,

the backup server executes data input or output of disk after

receiving the commands

P-33



Back up is a method used to store important data to prevent the damage of the

original data. You can back up network configuration data, alarm data and

performance data.

Dump is a method used to store the log information in databases as operating

system files in text format, to clear database space. The dumped objects are

various types of logs, including alarm events, abnormal events, operation logs and

different types of performance events.

P-34



Procedure :

Choose Administration > Back Up/Restore NMS Data > Database Backup

from the Main Menu

Set a backup directory for the server, and click Backup. The U2000 starts

to back up the database. A progress bar is displayed showing the status of

the operation.

Notes:

For V1R6 U2000, The default directory for database backup is as below:

On the UNIX/Linux platform, /opt/U2000/server/var/backup

On the Windows platform, d:\U2000\server\var\backup

For V1R8 U2000, The default directory for database backup is as below:

on Windows platform, the default backup path is d:\oss\server\var\backup.

on Solaris/SUSE Linux OS, the default backup path is

/opt/oss/server/var/backup.

P-35



Procedure:

1. Login to the U2000 client.

2. Choose Administration > Task Schedule > Task Management from the

main menu.

3. Click New. The New Task dialog box is displayed.

4. Select DB Backup as the task type and enter a name for the scheduled

task. Select Period as the run type. Then click Next.

5. In Time Setting, set the planed start time of the task. In Period Setting,

set the planed period and execution times of the task. Then, click Next.

6. Select Back up the data to the local server and enter a backup path on

the local server. Then click Finish. The created scheduled task is displayed

in the Task Management window.

It supports backing up the U2000 data to a remote server.

P-36



Procedure for backup:

1. Start the NMS Maintenance Suite. On Window platform, double-click the

U2000 NMS Maintenance Suite shortcut icon on the desktop and then wait about

one minute. The Login dialog box is displayed. In Solaris and Linux, run the

following commands (V1R8):

$ cd /opt/oss/client/engineering

$ ./startclient.sh

Note: For V1R6, the command lines are

# cd /opt/HWENGR/engineering

# ./startclient.sh

2. Log in to the MSuite. The default user name and password are both admin.

3. Select Back Up and Restore -> Back Up System Data.

Procedure for Restore:

1. Shut down U2000 client and server.

2. Start the U2000 MSuite, login MSuite client.

3. On the NMS maintenance tool client, choose Backup and Restore > Restore

System Data.

4. Select the backup file and click Next.

5. The system starts the restoration preprocessing and data restoration, and

displays the restoration progress in a progress bar. Wait patiently.

6. After the backup is complete, click Finish.

7. Start U2000 server and client.

Prerequisite for backup:

On Solaris or Linux, the current user is root and the Sybase database must be

started.

On Windows, the current user must have the administrator authority of the

operating system. The MS SQL database server must also be started.

P-37



Procedure for backup:

4. Select Data Backup Binary Mode (Recommended). Then click Next.

5. Select Back up the data to the local server.

6. Set the backup path on the local server. Then click Next.

7. The system starts the backup preprocessing and data backup process. A

progress bar is displayed to show the backup progress. Wait patiently.

8. After the backup is complete, click Finish.

Backing Up U2000 Data to a Remote Server by FTP mode.

P-38



Procedure for Initialization:

1. Start the U2000 MSuite

2. Log in to the client. The default user name and password are both

admin.

3. Choose System > Initialize NMS from the main menu. .

4. Click Next.

5. The system starts initializing the database and displays the initialization

progress in a progress bar. Wait patiently.

6. After the initialization is complete, click Finish

Prerequisite for database initialization:

The U2000 server application is stopped.

On UNIX and Linux, the current user is root and the Sybase database must

be started.

On Windows, the current user must have the administrator authority of the

operating system. The MS SQL database server must also be started.

P-39



This method is usually used to upgrade the U2000 and to back up and restore the

basic configuration data for a single NE. This method also restores the user-

defined data. The new U2000 version is compatible with the scripts of the old

version.

Procedure:

Choose Administration > Back Up/ Restore NMS Data > Import/Export

Script File from the Main Menu

Select a file format. Then select a script file type from the Script File Type

field

Select the NE for which you want to export script files from the Export NE

List

Click Create File Directory to create a directory where the exported script

files are to be saved

Enter the directory name and click OK

Select a directory and click Apply

In the Confirm dialog box, click OK. A progress bar appears showing the

status of the export

NOTES:

The script file is saved on the U2000 server. For V1R8, on Windows, the

backup directory is \oss\server\script, On Solaris and SUSE Linux, the

backup directory is /opt/oss/server/script. For V1R6, on Windows, the

backup directory is \U2000\server\script; on Solaris/Linux, the backup

directory is /opt/U2000/server/script. You can create a new directory under

it.

P-40



Procedure:

Choose Administration > Back Up/ Restore NMS Data > Import/Export

Script File from the Main Menu.

Click the Import option button.

Select the file format and select the script file type from the Script File

Type field.

In the Operation Directory List, select the directory where the script file is

to be imported is located.

Select the script file to import from the Import File List.

Click Apply. The system prompts you twice that the import of the

configuration script will result in data inconsistency between the U2000

and the NE.

Click OK. A progress bar appears showing the status of the import.

NOTES:

Before importing the script file, it is better to back up the U2000 database.

P-41



Procedure:

Choose Administration > Task Schedule > Task Management from the

main menu.

In the Task Management window, select Database Capacity Management,

Manual Dump or Overflow Dump in the navigation tree.

Double-click the task in the task list. You can configure the dump

parameters as the presentation. The file type support CSV and XML.

overflow dump :It is performed when the logs in the databases reach the

maximum storage capacity. You can specify the number of logs to dump.

Maximum Capacity : The maximum piece of data that can be saved when

the U2000 server works normally. If exceeded, the overflow occurs

scheduled dump : It is the alternative method of overflow dump, is optional. You

can set whether to create a scheduled task, and if you create a scheduled task

you can specify the schedule time and duration.

Overflow dump and periodic dump can work together. In this case, the U2000

dumps the data or log according to the settings of overflow dump and periodic

dump.

During the routine maintenance of the U2000, you can clear the unwanted log

data to save spaces for the computer.

Notes: Clearing the U2000 log data will directly delete the log data from

the database. This affects the fault location in future. You are

recommended to clear the database space by dumping.

P-42



Q1: Please refer to page 27 to page 31.

Q2: Please refer to page 36 to page 39.

Q3: Scheduled dump, Manual Dump, Overflow dump.

P-43



P-44



Documents

(10) IManager U2000 Security and Data Management