MM910 Management Module V100R001 User Guide 24

This document provides the product description, installation and configuration methods, and common operations of the E9000 server chassis management module MM910.
Configuring Security Policies

Scenarios

Configure the security policies of the MM910. The security policies include the following:

  • Web session timeout period
  • Port 80
  • SNMPv3 and SNMPv3 trap authentication and encryption
  • User login rules
  • KVM/VMM encryption
  • Password complexity check

Prerequisites

Conditions

Before configuring KVM and VMM encryption, check that the BMC version is compatible with the MM910 and supports KVM and VMM encryption.

Data

NA

Procedure

  1. Log in to the WebUI of the active MM910.

    For details, see Logging In to the MM910 WebUI.

  2. Choose System Management > System Settings > Security.

    A page similar to Figure 4-18 is displayed.

    Figure 4-18 Security page

  3. Click Edit.
  4. Set the parameters.

    Table 4-12 Parameter description

    Parameter

    Description

    Timeout period (min):

    Maximum idle period (in minutes) after which the user will be logged out of the HMM WebUI.

    Value range: 5 to 120

    Default value: 5

    Port 80 (HTTP)

    Port for automatically switching HTTP to HTTPS.

    • On: enables automatic switching of HTTP to HTTPS. This setting may pose security risks.
    • Off: disables automatic switching of HTTP to HTTPS. This setting helps improve system security.

    Default value: Off

    Login Security Banner Settings

    Setting of the login security banner.

    • On: enables the login security banner. The security banner is displayed on the login page.
    • Off: disables the login security banner.

    Default value: On

    Security banner text

    Security banner text to be displayed on the login page.

    Value: a string of up to 1600 characters, which can contain letters, digits, spaces, carriage returns, and the following special characters: !@#$%:;~,.-+=_/|()[]{}

    TLS Versions

    Versions of the Transport Layer Security (TLS).

    TLS ensures data confidentiality and integrity between two communicating applications. Different TLS versions can be enabled based on requirements. By default, TLS 1.1 and TLS 1.2 are selected.

    NOTE:

    TLS 1.0 poses security risks. Select TLS 1.1 and TLS 1.2 for security purposes.

    Enhanced SSL security

    Setting of the enhanced SSL security.

    • On: disables the Rivest-Shamir-Adleman (RSA) algorithm, because the RSA algorithm poses security risks.
    • Off: enables the RSA algorithm.

    Default value: Off

    Authentication protocol

    Authentication protocol to be used.

    Value:

    • MD5
    • SHA

    Default value: SHA

    NOTE:

    Using MD5 may pose security risks. You are advised to use SHA.

    Privacy protocol

    Privacy protocol to be used.

    Value:

    • DES
    • AES

    Default value: AES

    NOTE:

    Using DES may pose security risks. You are advised to use AES.

    SSH password authentication

    • On: allows the user to log in to the MM910 over SSH using the user name and password.
    • Off: disables password login over SSH; the user logs in to the MM910 over SSH using the public key.

    Default value: On

    Public key authentication

    • On: allows the user to log in to the MM910 over SSH, using the public key.
    • Off: disables the use of the public key for login to the MM910 over SSH.

    Default value: On

    Password validity (days)

    Validity period (in days) of the password.

    Value range: 0 to 365. The value 0 indicates that the password never expires.

    Default value: 180

    NOTE:

    When a user password is about to expire in 9 days or less, the system automatically reminds the user to change the password.

    Login policy upon password expiry

    Login policy for users with expired passwords. The values are as follows:

    • Login not allowed: If a user with an expired password attempts to log in, the message "Login failed because the password has expired" is displayed.
    • Password change required: If a user with an expired password attempts to log in, the password change page is displayed. The user can log in after changing the password.

    Default value: Login not allowed

    Previous passwords disallowed

    Number of previous passwords that cannot be used.

    Value range: 0 to 5. If this parameter is set to 0, there is no restriction on the use of previously used passwords.

    Default value: 5

    User lockout policy

    Maximum number of unsuccessful login attempts after which the user account is locked (1 to 5, default: 5), and the account lockout period (1 to 10 minutes, default: 10).

    If a user account is locked, the user cannot log in to the system within the lockout period.

    NOTE:
    • If the SNMP account is locked, users can still log in to the system over SSH, WebUI, or a serial port. If the SSH, WebUI, or serial port account is locked, users can still log in to the system over SNMP.
    • You can run the smmset -d unlockuser -v username command to unlock the account in an emergency.

    Emergency login user

    A user who can log in to the HMM WebUI irrespective of the password validity period or login rules.

    The user can log in to the MM910 WebUI in case of emergency.

    Default value: root

    NOTE:

    An emergency login user must be an administrator.

    VMM port

    Port from which the remote VMM data is transferred.

    Default value: 8501

    NOTE:

    After the port number is changed, the established VMM connections will be disconnected.

    KVM service ports

    • KVM control port: port used to transfer the KVM control messages, such as the messages for obtaining compute node status, exiting the KVM, and switching to split-screen mode. The default port number is 2198.
    • KVM data port: port used to transfer the data input and output by the KVM keyboard and mouse, and to transfer image data. The default port number is 2200.
    NOTE:

    After a KVM port number is changed, the established KVM connections will be disconnected.

    Import Rule

    This button allows you to import user login rules. New login rules will replace existing rules in the OS.

    Export Rule

    This button allows you to export the MM910 login rules (.cfg) to a local directory.

    • If Compatible with the export mode of an earlier version is not selected, the exported login rule files can be imported for MM910 later than (U54) 6.00 only.
    • If Compatible with the export mode of an earlier version is selected, the exported login rule files are compatible with MM910 earlier than (U54) 6.00.

    Login rules

    Rules for user login.

    NOTE:
    • A maximum of 30 login rules are supported.
    • Users who meet one of the selected rules can log in to the MM910 WebUI or CLI.

    Time Range

    Time period during which users can log in to the MM910.

    Set the time range based on actual requirements:

    • To specify the login period, set the time range in the YYYY-MM-DD HH:MM format. For example, set the start time to 2014-08-30 08:30 and end time to 2014-12-30 20:30.
    • To specify the start and end dates for login, set the time range in the YYYY-MM-DD format. For example, set the start date to 2014-08-30 and end date to 2014-12-30.
    • To specify the login period in a day, set the time range in the HH:MM format. For example, set the start time to 08:30 and end time to 20:30.
    NOTE:

    The start and end time formats for a rule must be the same.

    IP Range

    IP address or IP address segment that is allowed to access the MM910.

    The following formats are supported:

    • xxx.xxx.xxx.xxx: IP address allowed to access the MM910.
    • xxx.xxx.xxx.xxx/mask: IP address segment allowed to access the MM910.
    NOTE:

    The value range for mask is 1 to 32.

    MAC Range

    MAC address or MAC address header that is allowed to access the MM910.

    The following formats are supported:

    • xx:xx:xx: MAC address header allowed to access the MM910.
    • xx:xx:xx:xx:xx:xx: MAC address allowed to access the MM910.
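The following is an added example, not Huawei's code, that evaluates a login attempt against login rules written in the time, IP and MAC formats listed above. It assumes a rule is a dict with optional `time`, `ip` and `mac` keys and that every condition set in a rule must hold, while matching any one rule is enough.

```python
import ipaddress
from datetime import datetime

# The three time-range formats the page lists; start and end of a rule must use the same one.
TIME_FORMATS = ("%Y-%m-%d %H:%M", "%Y-%m-%d", "%H:%M")

def parse_time(value):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt), fmt
        except ValueError:
            pass
    raise ValueError(f"unsupported time format: {value!r}")

def time_in_range(start, end, when):
    s, fmt_s = parse_time(start)
    e, fmt_e = parse_time(end)
    if fmt_s != fmt_e:
        raise ValueError("start and end time formats for a rule must be the same")
    if fmt_s == "%H:%M":        # daily window: compare time of day only
        return s.time() <= when.time() <= e.time()
    if fmt_s == "%Y-%m-%d":     # date window: the whole end day is included
        return s.date() <= when.date() <= e.date()
    return s <= when <= e       # absolute window with date and time

def ip_in_range(ip_rule, ip):
    # xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/mask, mask 1 to 32 as the page states
    if "/" in ip_rule and not 1 <= int(ip_rule.split("/", 1)[1]) <= 32:
        raise ValueError("mask must be 1 to 32")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ip_rule, strict=False)

def mac_in_range(mac_rule, mac):
    # xx:xx:xx matches an address header (prefix); xx:xx:xx:xx:xx:xx matches exactly
    rule, mac = mac_rule.lower(), mac.lower()
    octets = len(rule.split(":"))
    if octets == 3:
        return mac.startswith(rule + ":")
    if octets == 6:
        return mac == rule
    raise ValueError("MAC range must have 3 or 6 octets")

def login_allowed(rules, when, ip, mac):
    # Assumption: every condition set in a rule must hold; matching any one rule is enough.
    for r in rules:
        if (("time" not in r or time_in_range(*r["time"], when))
                and ("ip" not in r or ip_in_range(r["ip"], ip))
                and ("mac" not in r or mac_in_range(r["mac"], mac))):
            return True
    return False
```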

    Password Complexity Check

    SMM: setting of the password complexity check for the MM910.

    Value:

    • On: enables the password complexity check.

      The MM910 user password is case-sensitive and must meet the following requirements:

      • Contain 8 to 32 characters.
      • Contain a space or one of the following special characters:

        `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

      • Contain at least two types of the following characters:
        • Uppercase letters A to Z
        • Lowercase letters a to z
        • Digits 0 to 9
      • Cannot be the same as the user name or the user name in reverse order.
    • Off: disables the password complexity check.

      The password must contain 8 to 32 characters.

    For security purposes, set this parameter to On.

    Slotx: setting of the password complexity check for a compute node in slotx.

    Value:

    • On: enables the password complexity check.

      The BMC user password must meet the following requirements:

      • Contain 8 to 20 characters.
      • Contain a space or one of the following special characters:

        `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

      • Contain at least two types of the following characters:
        • Uppercase letters A to Z
        • Lowercase letters a to z
        • Digits 0 to 9
      • Cannot be the same as the user name or the user name in reverse order.
    • Off: disables the password complexity check.

      The password must contain 8 to 20 characters.
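The following is an added example, not Huawei's code, that checks a candidate password against the SMM and BMC complexity rules listed above. The `max_len` parameter selects the 32-character (SMM) or 20-character (compute node BMC) limit, and `complexity_check=False` models the Off setting, where only the length rule applies.

```python
# Special characters from the page's list; a space also satisfies this rule.
SPECIALS = set(r"""`~!@#$%^&*()-_=+\|[{}];:'",<.>/?""") | {" "}

def check_password(password, username, complexity_check=True, max_len=32):
    """Return the list of violated rules; an empty list means the password is accepted.
    max_len is 32 for the MM910 (SMM) itself and 20 for a compute node BMC in a slot."""
    problems = []
    if not 8 <= len(password) <= max_len:
        problems.append(f"must contain 8 to {max_len} characters")
    if not complexity_check:          # Off: only the length rule applies
        return problems
    if not any(c in SPECIALS for c in password):
        problems.append("must contain a space or a special character")
    kinds = (any("A" <= c <= "Z" for c in password),
             any("a" <= c <= "z" for c in password),
             any("0" <= c <= "9" for c in password))
    if sum(kinds) < 2:
        problems.append("must contain at least two of: uppercase letters, lowercase letters, digits")
    if password in (username, username[::-1]):   # case-sensitive comparison
        problems.append("must not be the user name or the user name reversed")
    return problems
```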

    KVM Encryption

    Function for encrypting sensitive KVM data before transmission between the client and the server. Sensitive data includes image data, keyboard data, power-on and power-off data, and private-mode data.

    • On: The KVM data is encrypted by using the AES128 algorithm before being transmitted between the server and the client.
    • Off: The KVM data is not encrypted before transmission. For security purposes, set this parameter to On.

    Default value: Off

    NOTE:
    • If VMM encryption is enabled, you must enable KVM encryption. If KVM encryption is enabled, you can determine whether to enable VMM encryption as required.
    • If KVM encryption and VMM encryption are unavailable for a compute node, the compute node does not support encryption. If you need to use the functions, contact technical support.
    • Ensure that no terminal is connected to any KVM before setting KVM encryption and VMM encryption; otherwise, the setting fails.
    • Keyboard data is always encrypted even if the KVM encryption is not enabled.

    VMM Encryption

    Function for encrypting data before the data is transmitted through a virtual medium, such as a virtual DVD-ROM drive, FDD, and folder.

    • On: The data is encrypted by using the AES128 algorithm before being transmitted between the server and the client.
    • Off: The data is not encrypted before transmission. For security purposes, set this parameter to On.

    Default value: Off

    NOTE:
    • If VMM encryption is enabled, you must enable KVM encryption. If KVM encryption is enabled, you can determine whether to enable VMM encryption as required.
    • If KVM encryption and VMM encryption are unavailable for a compute node, the compute node does not support encryption. If you need to use the functions, contact technical support.
    • Ensure that no terminal is connected to any KVM before setting KVM encryption and VMM encryption; otherwise, the setting fails.
    • Keyboard data is always encrypted even if the KVM encryption is not enabled.

  5. Click Save.
Updated: 2019-04-10

Document ID: EDOC1000015900
