FusionServer Pro E9000 Server iBMC (V250 to V259) User Guide 20

Security

Function Description

The Security page allows you to view and configure user security hardening rules for iBMC.

GUI

Choose Configuration from the main menu, and select Security from the navigation tree.

The Security page is displayed.

Figure 3-23 Security page

Parameter Description

Table 3-45 Password parameters

Parameter

Description

Password Complexity Check

Password complexity check verifies whether the passwords meet complexity requirements. It is enabled by default.

Password complexity check applies to local user passwords, trap community names, SNMPv1/v2c community names, SNMPv3 encryption passwords, and VNC passwords. The password requirements include the following:

NOTICE:

For security purposes, enable password complexity check.

SSH Password Authentication

SSH password authentication allows users to log in to the iBMC over SSH by using the password or public key.

Value:

  • Disable: allows users to log in over SSH by using only public keys.
  • Enable: allows users to log in over SSH by using passwords or public keys.

It is enabled by default.

Password Validity (Days)

Validity period (in days) of a user password.

Value range: 0 to 365

The value 0 indicates that the password never expires.

Default value: 0

NOTE:

For security purposes, set a proper password validity period and change the password periodically.

Minimum Password Age (Days)

Minimum time (in days) for which the password must be used. The password cannot be changed during this period.

Value range: 0 to 365

The value 0 indicates that the passwords do not have a minimum password age.

Default value: 0

NOTE:

The minimum password age must be at least ten days earlier than the password expiration day.

  • If Password Expiration (Days) is 10 or less, Minimum Password Age (Days) can only be 0.
  • If Minimum Password Age (Days) is 354 or more, Password Expiration (Days) can only be 0.

Emergency Login User

User name for logging in to the iBMC in emergencies.

This user is not restricted by any login rules or login interfaces, and the password of this user will never expire.

NOTE:

Only an administrator can be set as the emergency login user.

Previous Passwords Disallowed

Number of previous passwords that cannot be reused as a new password.

Value range: 0 to 5

The value 0 indicates that all previous passwords are allowed.

Default value: 0

User Lockout Policy

Maximum number of consecutive invalid login attempts allowed and the account locking duration.

  • The maximum number of consecutive invalid login attempts allowed is an integer ranging from 1 to 5 or Unlimited (account locking disabled), and the default value is 5.

  • The account locking duration (in minutes) is an integer ranging from 1 to 5, and the default value is 5.

After a user account is locked, the user can attempt to log in only after the account locking duration expires.

NOTE:
  • For security purposes, enable the account lock function.
  • To unlock a user account in emergencies, run the unlock command on the CLI. For details, see the iBMC User Guide of the server.

Table 3-46 Parameters in the Login Rules area

Parameter

Description

Time

NOTICE:
  • The start and end years cannot be later than 2050.
  • The start and end time for a login rule must be in the same format.

Time period in which users are allowed to log in. The value can be in one of the following formats:

  • YYYY-MM-DD:

    Example value: 2013-08-30 to 2013-12-30

  • HH:MM:

    Example value: 08:30 to 20:30

  • YYYY-MM-DD HH:MM:

    Example value: 2013-08-30 08:30 to 2013-12-30 20:30

IP

IP address or IP address range allowed for login. The value can be in one of the following formats:

  • IPv4 (xxx.xxx.xxx.xxx) address: indicates an IP address.
  • IPv4/subnet mask (xxx.xxx.xxx.xxx/mask): indicates an IP address segment.

MAC

MAC address or MAC address range allowed for login. The value can be in one of the following formats:

  • xx:xx:xx:xx:xx:xx: indicates a MAC address.
  • xx:xx:xx: indicates a MAC address segment.

Table 3-47 Parameters in the login security banner settings area

Parameter

Description

Login Security Banner

Login security banner, which can be enabled or disabled.

  • : enables the login security banner. The security banner will be displayed on the login page.
  • : disables the login security banner.

Security Banner

Security banner text to be displayed on the login page.

Value: a string of up to 1600 characters.

Procedure

Configuring Password Rules

  1. On the menu bar, choose Configuration.
  2. In the navigation tree, choose Security.

    The Security page is displayed.

  3. Set parameters as required. For details about the parameters, see Table 3-45.
  4. Click Save.

    A confirmation dialog box is displayed.

  5. Click Yes.

Configuring Login Rules

The iBMC supports up to three login rules. Users who comply with any one of the three rules can log in to the iBMC.

A login rule takes effect for local users, LDAP groups, SNMPv3 services, or the CLP (SSH), KVM_VMM, RMCP, and Redfish interfaces only when both of the following conditions are met:

  • The login rule is configured and enabled in the Login Rules area.
  • The login rule is selected in the configuration area.

Each login rule contains three conditions: login time period, source IP address segment, and source MAC address segment. You do not need to specify all three conditions when setting a login rule.

  1. In the Login Rules area, set login rules.

    For details about the parameters, see Table 3-46.

  2. Set the login rules to .
  3. Click Save.

    A confirmation dialog box is displayed.

  4. Click Yes.
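
The login rule semantics described in this section, written out as an added example (not Huawei or iBMC code) for checking a planned rule set against a known management workstation before saving it. It assumes that every condition set in a rule must hold, that a rule with no conditions counts as not configured, that HH:MM ranges repeat daily with inclusive ends, and that xx:xx:xx matches the first three octets of the MAC address; the rule dictionaries and sample values are constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# The three Time formats from Table 3-46; start and end must share one of them.
FORMATS = ("%Y-%m-%d %H:%M", "%Y-%m-%d", "%H:%M")

def parse_period(start, end):
    for fmt in FORMATS:
        try:
            s, e = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
        except ValueError:
            continue
        if fmt != "%H:%M" and max(s.year, e.year) > 2050:
            raise ValueError("start and end years cannot be later than 2050")
        return fmt, s, e
    raise ValueError(f"start and end must share one format: {start!r}, {end!r}")

def time_ok(period, now):
    fmt, s, e = parse_period(*period)
    if fmt == "%H:%M":      # assumed: a daily window, both ends inclusive
        return (s.hour, s.minute) <= (now.hour, now.minute) <= (e.hour, e.minute)
    if fmt == "%Y-%m-%d":   # assumed: the end date is inclusive
        return s.date() <= now.date() <= e.date()
    return s <= now.replace(second=0, microsecond=0) <= e

def ip_ok(pattern, ip):
    return ip_address(ip) in ip_network(pattern, strict=False)  # bare address = /32

def mac_ok(pattern, mac):
    # assumed: xx:xx:xx matches on the first three octets of the source MAC
    p, m = pattern.lower().split(":"), mac.lower().split(":")
    if len(p) not in (3, 6) or len(m) != 6:
        raise ValueError("MAC must be xx:xx:xx or xx:xx:xx:xx:xx:xx")
    return m[:len(p)] == p

def rule_allows(rule, now, ip, mac):
    """Assumed: every condition the rule sets must hold; an empty rule is ignored."""
    checks = [fn(rule[key], arg) for key, fn, arg in
              (("time", time_ok, now), ("ip", ip_ok, ip), ("mac", mac_ok, mac))
              if rule.get(key)]
    return bool(checks) and all(checks)

def login_allowed(rules, now, ip, mac):  # any one enabled rule is sufficient
    return any(r.get("enabled") and rule_allows(r, now, ip, mac) for r in rules)

RULES = [  # constructed sample: documentation address ranges, made-up MAC prefix
    {"enabled": True, "time": ("08:30", "20:30"), "ip": "192.0.2.0/24"},
    {"enabled": True, "mac": "00:11:22"},
    {"enabled": False, "ip": "198.51.100.7"},
]
```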

Setting the Login Security Banner

  1. In the Login Security Banner area, set Security Banner to .
  2. Enter a message in the Security Banner Text box.
  3. Click Save.

    A confirmation dialog box is displayed.

  4. Click Yes.

Restoring the Default Login Security Message

  1. In the Login Security Banner area, set Security Banner to .
  2. Click Restore Defaults.
  3. Click Save.

    A confirmation dialog box is displayed.

  4. Click Yes.
Updated: 2019-11-19

Document ID: EDOC1000157052
