Security Management for ECLI and NETCONF

Contents

1   Introduction
2   Functions and Concepts
2.1   ECLI and NETCONF Server IP Address
2.2   Session Parameters
2.3   SSH Authentication
2.4   TLS Authentication
2.5   SSH and TLS Transport Protocol Security
2.6   Types of Operations
3   Managed Object Model
4   Configuration Management

1   Introduction

This document provides an overview of the management model and concepts associated with the System Management and Security Management managed areas for Ericsson Command-Line Interface (ECLI) and NETCONF.

A managed area is represented by a group of Managed Object Classes (MOCs) within the Managed Object Model (MOM).

2   Functions and Concepts

An overview of Security Management is shown in Figure 1.

Figure 1   Security Management Overview

2.1   ECLI and NETCONF Server IP Address

The IP address used for Operation and Maintenance (OAM) connections is defined at site deployment.

The ECLI and NETCONF listen on all network addresses that are configured on the OAM processor.

The default port numbers for the OAM protocols are described in Table 1.

Table 1    Port Numbers of OAM Protocols

Service Name    SSH Port    TLS Port
ECLI            22          6522
NETCONF         830         6513

Note:  
Port numbers are not configurable in the MOM.

2.2   Session Parameters

Idle OAM sessions are timed out. The default time-out values are described in Table 2.

Table 2    Time-Out Value for Idle Sessions

Service Name    Time-out (Seconds)
ECLI            120
NETCONF(1)      300

(1)  The timer is disabled for NETCONF notification sessions.

Note:  
The timer values are not configurable in the MOM.

2.3   SSH Authentication

The SSH host key of the ECLI and NETCONF server is generated after installation.

The public part of the SSH host key can be read from the file system over a serial console connection. The MOM does not support presenting the host key of the SSH server.

An ECLI or NETCONF SSH connection can then be initiated, and the fingerprint presented by the SSH client can be compared with the fingerprint of the public key copied from the node.
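The fingerprint comparison described above, written out as an added example (this is not code from this document or from the product): it parses an OpenSSH public key line of the kind copied from the node's file system, derives the SHA256 and MD5 fingerprints in the formats an SSH client displays, and compares a presented fingerprint against them. The sample key line is constructed inside the code and is not a real node key.

```python
import base64
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample (not a real node key): an ssh-ed25519 blob whose 32 key bytes are 0..31.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_HOST_KEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode("ascii") + " constructed-sample"
)


def parse_public_key_line(line: str):
    """Split an OpenSSH public key line ("<type> <base64> [comment]") into (type, wire blob).

    The blob's first field is a length-prefixed copy of the key type; a mismatch means
    the line was edited or corrupted while being copied off the node.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, encoded = parts[0], parts[1]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    type_len = int.from_bytes(blob[:4], "big")
    wire_type = blob[4:4 + type_len].decode("ascii", errors="replace")
    if wire_type != key_type:
        raise ValueError(f"key type mismatch: line says {key_type!r}, blob says {wire_type!r}")
    return key_type, blob


def sha256_fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the wire blob."""
    _, blob = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(line: str) -> str:
    """Legacy fingerprint: 'MD5:' + colon-separated hex of MD5 over the wire blob."""
    _, blob = parse_public_key_line(line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(presented: str, key_line: str) -> bool:
    """Compare the fingerprint shown by an SSH client with the one derived from the node's key file.

    Only the two formats a client displays (SHA256 or MD5) are accepted; any other input is
    reported as an error rather than treated as a silent mismatch.
    """
    presented = presented.strip()
    if presented.startswith("SHA256:"):
        expected = sha256_fingerprint(key_line)
        presented = presented.rstrip("=")
    elif presented.startswith("MD5:"):
        expected = md5_fingerprint(key_line).lower()
        presented = presented.lower()
    else:
        raise ValueError("unsupported fingerprint format (expected SHA256: or MD5:)")
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    print("node key  :", SAMPLE_HOST_KEY_LINE)
    print("SHA256 fp :", sha256_fingerprint(SAMPLE_HOST_KEY_LINE))
    print("MD5 fp    :", md5_fingerprint(SAMPLE_HOST_KEY_LINE))
```

Run with the public key line read from the node in place of SAMPLE_HOST_KEY_LINE, and pass the fingerprint the SSH client prints on first connection to fingerprint_matches; a False result means the client is not talking to the key taken from the node and the session should not be accepted.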

SSH requires the user to provide credentials at logon for user authentication. A valid account must exist and be accessible by the User Management function to authenticate the user identity successfully. The user credential can be either a password or a public key. For more information, refer to User Management.

2.4   TLS Authentication

A Transport Layer Security (TLS) connection requires the proper configuration of certificates by Certificate Management.

The server certificate for ECLI or NETCONF access is enrolled by using Certificate Management; refer to Install Node Credential Online, Install or Renew Node Credential by CSR, and Install or Renew Node Credential by PKCS 12. If the certificate is enrolled, the CliTls or NetconfTls MO in SysM must be configured to use this credential.

For the authentication of client certificates, the ECLI or NETCONF server needs at least one trusted certificate deployed by Certificate Management, and a configured trust category. If the trust category is prepared, the CliTls or NetconfTls MO in SysM must be configured to use this trust category.

In the TLS case, the client certificate must contain an identity in its Subject Alternative Name (SAN) field; this identity is used for authorization. The value of the SAN should be one of the following:

If the SAN field is not present, the TLS connection closes.

A valid account must be present and accessible by the User Management function to authorize the user identity successfully. Refer to User Management for more information.
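The client-certificate handling described in this section, as an added example that is not part of this document or of the product: the identity is taken from the SAN only, a certificate without a SAN causes the connection to be closed, and the identity is then looked up as a User Management account. Because the document does not list which SAN types are accepted, the accepted types are a parameter with a placeholder default; the account table, the role string and the peer-certificate dicts are constructed sample data in the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import ssl
from typing import Dict, Optional, Sequence

# Assumption: the accepted SAN types are not listed in the document, so they are a parameter.
# This default is only a placeholder.
DEFAULT_ACCEPTED_SAN_TYPES: Sequence[str] = ("DNS", "email", "URI")


class SanMissing(Exception):
    """The client certificate carries no usable SAN; the server closes the TLS connection."""


def identity_from_peer_cert(cert: dict,
                            accepted_types: Sequence[str] = DEFAULT_ACCEPTED_SAN_TYPES) -> str:
    """Return the identity carried in the SAN of a decoded client certificate.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert() after a verified handshake:
    a dict whose "subjectAltName" entry is a tuple of (type, value) pairs. The Subject field
    is deliberately ignored; only the SAN carries the identity.
    """
    san = cert.get("subjectAltName", ())
    if not san:
        raise SanMissing("client certificate has no Subject Alternative Name")
    for san_type, value in san:
        if san_type in accepted_types:
            return value
    raise SanMissing("no SAN entry of an accepted type: " + ", ".join(t for t, _ in san))


def authorize_client(cert: dict, accounts: Dict[str, str],
                     accepted_types: Sequence[str] = DEFAULT_ACCEPTED_SAN_TYPES) -> Optional[str]:
    """Map the SAN identity to an account and return its role, or None if no account exists.

    `accounts` stands in for the User Management lookup (identity -> role). SanMissing is
    left to propagate so that the caller closes the connection.
    """
    identity = identity_from_peer_cert(cert, accepted_types)
    return accounts.get(identity)


def build_server_context(node_credential_cert: str, node_credential_key: str,
                         trust_category_ca: str) -> ssl.SSLContext:
    """Server-side TLS context mirroring the two MO settings: node credential and trust category.

    The paths are placeholders supplied by the caller. With CERT_REQUIRED, a client whose
    certificate does not chain to the trust category fails the handshake before any SAN check.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile=node_credential_cert, keyfile=node_credential_key)
    ctx.load_verify_locations(cafile=trust_category_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample peer-certificate dicts (getpeercert() shape; no real certificates involved).
SAMPLE_CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored-cn"),),),
    "subjectAltName": (("DNS", "oam-admin.example.invalid"),),
}
SAMPLE_CERT_NO_SAN = {"subject": ((("commonName", "oam-admin"),),)}
SAMPLE_ACCOUNTS = {"oam-admin.example.invalid": "System Security Administrator"}


if __name__ == "__main__":
    print("role:", authorize_client(SAMPLE_CERT_WITH_SAN, SAMPLE_ACCOUNTS))
    try:
        identity_from_peer_cert(SAMPLE_CERT_NO_SAN)
    except SanMissing as exc:
        print("closing connection:", exc)
```

In a real server the dict passed to authorize_client comes from the accepted socket's getpeercert() after the context from build_server_context has verified the chain; the Subject CN in the sample is there only to show that it plays no part in the decision.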

2.5   SSH and TLS Transport Protocol Security

The transport security level is defined by the security algorithms actually used for key exchange, message authentication, and encryption. The Managed Element (ME) has a default algorithm set, which can be changed as described in SSH and TLS Protocol Management.

2.6   Types of Operations

System and security management of ECLI and NETCONF supports the following operations for an administrator with the System Administrator role.

Certificate Management

Certificate Management must be used to deploy node credentials and trusted certificate categories before TLS can be set up for ECLI and NETCONF.

Administrative State

The administrative state of the ECLI and NETCONF transport protocols can be changed to lock unneeded protocols and interfaces and to unlock the needed ones. SSH-based protocols are unlocked by default; TLS-based protocols can be unlocked after certificates have been deployed.

3   Managed Object Model

The System Management managed area is represented in the Managed Object Model (MOM) as follows:

ManagedElement
   +-SystemFunctions
      +-SysM
         +-CliSsh
         +-NetconfSsh
         +-CliTls
         +-NetconfTls

For general information about the MOM, MOCs, MOs, cardinality, and related concepts, refer to Managed Object Model User Guide.

The System Management MOCs are described in Table 3.

Table 3    System Management Managed Object Class Descriptions

Managed Object Class    Description
SysM                    The root of the System Management model
CliSsh                  The ECLI configuration management service over SSH
NetconfSsh              The NETCONF configuration management service over SSH
CliTls                  The ECLI configuration management service over TLS
NetconfTls              The NETCONF configuration management service over TLS

4   Configuration Management

System and security management for ECLI and NETCONF is accessed using NETCONF or the ECLI to manipulate the MIB.

The following operations, described in Operating Instructions using the ECLI, can be performed by an administrator with the System Security Administrator role:

Certificate Management

System Management