eSight V300R009C00 Single-Node System Software Installation Guide (SUSE Linux) 09

Performing Security Settings

You must perform security settings, such as changing the user password, replacing the security certificate, and setting the user security policy.

| Task | Description | Operation Reference |
|---|---|---|
| Changing the user password | The system provides default accounts and passwords and assigns different rights to the accounts. To protect the system and its users, change the default passwords as required in a timely manner. | Security Maintenance > Password Change in the eSight Maintenance Guide |
| Replacing the security certificate | During the eSight installation, a temporary security certificate is generated to ensure the normal running of eSight. After the eSight installation is complete, replace the temporary security certificate. | Security Maintenance > Security Certificates in the eSight Maintenance Guide |
| Setting the user security policy | Configure user rights, password, account, and access control policies to facilitate network management and fortify eSight security. | Authentication > Overview in the eSight Operation Guide |

Configuring the Tomcat Web HTTPS Connection Timeout Duration

The Apache Tomcat server is prone to denial of service (DoS) attacks of the kind known as Slow HTTP Denial of Service attacks. To reduce the risk of such attacks, set the connection timeout duration in Tomcat.

The timeout duration is the time, in milliseconds, that Tomcat waits after accepting a connection for the request uniform resource identifier (URI) line to be submitted.

A connection timeout cannot eliminate DoS attacks, but it remarkably reduces the possibility of them. The major disadvantage is that on a very slow network, data requests may not be processed within the specified period. Tomcat then closes the connection, and users may see a connection timeout when they access the system from a web browser. To resolve connection timeouts on a low-speed network, the connection timeout duration must be increased in Tomcat.

NOTE:

However, the possibility of DoS attacks increases with the connection timeout duration. Users must ensure that their networks are immune to such attacks.

In Windows, log in to the server as an administrator. In Linux, log in to the server as user root.

  1. Stop the eSight service.
  2. Open the directory eSight installation directory\AppBase\UniBI_Server\tomcat\conf.
  3. Use a text editor to open the server.xml file.
  4. Change the connectionTimeout value to the desired value.

    NOTE:

    If the connectionTimeout value is set to -1, the connection timeout is disabled. You are advised not to set the connectionTimeout value to -1.

  5. Save the changes and close the file.
  6. Start the eSight service.
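
The following check is an added example, not part of the eSight documentation: it audits every Connector in a server.xml file after the edit above and flags a connectionTimeout that is unset, disabled (-1), invalid, or above a ceiling. The 60000 ms ceiling, the status names, and the sample XML are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not eSight's shipped server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" connectionTimeout="20000"/>
    <Connector port="9443" SSLEnabled="true" connectionTimeout="-1"/>
    <Connector port="10443" SSLEnabled="true" connectionTimeout="600000"/>
  </Service>
</Server>"""

MAX_TIMEOUT_MS = 60000  # assumed site policy ceiling, not a value from the guide


def classify_timeout(raw, max_ms=MAX_TIMEOUT_MS):
    """Map a raw connectionTimeout attribute to an audit status."""
    if raw is None:
        return "UNSET"      # Tomcat falls back to its built-in default
    try:
        value = int(raw.strip())
    except ValueError:
        return "INVALID"    # not an integer number of milliseconds
    if value == -1:
        return "DISABLED"   # the setting the guide advises against
    if value < 1:
        return "INVALID"    # this audit expects a positive number of milliseconds
    return "TOO_HIGH" if value > max_ms else "OK"


def audit_connectors(xml_text, max_ms=MAX_TIMEOUT_MS):
    """Return (port, raw value, status) for every <Connector> element."""
    root = ET.fromstring(xml_text)
    return [(c.get("port", "?"), c.get("connectionTimeout"),
             classify_timeout(c.get("connectionTimeout"), max_ms))
            for c in root.iter("Connector")]


if __name__ == "__main__":
    # Pass the path to server.xml as the first argument; otherwise audit the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, raw, status in audit_connectors(data):
        print(f"Connector port={port} connectionTimeout={raw!r}: {status}")
```

A value reported as TOO_HIGH may be a deliberate choice for a low-speed network; the status only marks it for review against the trade-off described above.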

Configuring the Listening Service

The listening service listens for messages sent during SimpleOS startup and operating system (OS) installation. To improve system security, you can restrict the network port for which the listening service is enabled.

In Windows, log in to the server as an administrator. In Linux, log in to the server as user root.

NOTE:

If eSight is used for server configuration deployment, firmware upgrades, and stateless computing, the configuration must be carried out over a network. eSight enables listening ports to monitor the server configuration processes and results. By default, these ports listen on all network ports of the server where eSight resides. If the service needs to listen on only one network port, specify the IP address of that network port in the serverPortBinding.conf file.

If the listening service is enabled for only one network port, the following functions of eSight may be unavailable:

  • Firmware upgrade component
  • Stateless computing component
  • In-band configuration function of the configuration deployment component

Exercise caution when performing this operation.

  1. Open the configuration file serverPortBinding.conf in eSight installation directory/AppBase/lib/resources/network/.
  2. Set portBindIp to the IP address of the network port for which the listening service needs to be enabled.

    Configuration example:

    portBindIp=192.168.1.9

    NOTE:

    portBindIp is left blank by default, which indicates that the listening service is enabled for all network ports.

    If the current server belongs to multiple subnets, portBindIp must be set to the IP address of the eSight server, and that IP address must be able to communicate with the BMC.

    If the server runs on a two-node cluster, modify the serverPortBinding.conf file accordingly as well.

  3. Save and close the configuration file.
  4. Restart eSight.
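
Before restarting, the value written to serverPortBinding.conf can be checked with the following added example, which is not part of the eSight documentation: it reads portBindIp, reports whether the setting exposes the listening service on all network ports, and confirms that a specific address is actually assigned to this server. The status names, the comment-line handling, and the sample file contents are assumptions.

```python
import ipaddress
import socket

# Constructed sample contents; treating '#' lines as comments is an assumption.
SAMPLE_CONF = "# constructed sample\nportBindIp=192.168.1.9\n"


def read_port_bind_ip(conf_text):
    """Return the portBindIp value, or '' when the key is blank or absent."""
    value = ""
    for line in conf_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "portBindIp":
            value = val.strip()
    return value


def can_bind_locally(ip):
    """True if this host can bind a TCP socket to ip (the address is local)."""
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((str(ip), 0))  # port 0: kernel picks a free port
            return True
        except OSError:
            return False


def check_binding(conf_text, can_bind=can_bind_locally):
    """Classify the listening-service exposure that portBindIp implies."""
    raw = read_port_bind_ip(conf_text)
    if raw == "":
        return "ALL_INTERFACES"      # the default described in the guide
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return "INVALID_ADDRESS"
    if ip.is_unspecified:
        return "ALL_INTERFACES"      # 0.0.0.0 / :: is the socket wildcard address
    if ip.is_loopback:
        return "LOOPBACK_ONLY"       # a BMC cannot reach a loopback address
    return "SINGLE_INTERFACE" if can_bind(ip) else "NOT_LOCAL"


if __name__ == "__main__":
    print(check_binding(SAMPLE_CONF))
```

Run it on the eSight server itself, because the NOT_LOCAL result depends on the addresses assigned to the host where the check executes.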
Updated: 2019-05-17

Document ID: EDOC1100011860
