No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Enterprise
Worldwide
Huawei Global - English
Search
Support Documentation
eSight V300R010C00SPC200, 300, and 500 Single-Node System Software Installation Guide (Windows) 18
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Performing Security Settings

Performing Security Settings

Security settings must be performed, such as changing the user password, replacing the security certificate, and setting the user security policy.

Task

Description

Operation Reference

Changing the user password

The system provides default accounts and initial passwords as well as grants different operation rights to the default accounts. To ensure system and user security, regularly change passwords in accordance with password complexity requirements.

"Security Maintenance > Password Change" in the eSight Maintenance Guide

Replacing the security certificate

During the eSight installation, a temporary security certificate is generated to ensure the normal running of eSight. After the eSight installation is complete, replace the temporary security certificate.

"Security Maintenance > Security Certificates" in the eSight Maintenance Guide

Setting the user security policy

Configure user rights, password, account, and access control policies to facilitate network management and fortify eSight security.

"Authentication > Overview" in the eSight Operation Guide

Configuring Tomcat web HTTPS connection timeout duration

The Apache Tomcat server is prone to denial of service (DoS) attacks (or called Slow HTTP Denial of Service Attacks). To reduce the risks of system attacks, users set connection timeout duration in Tomcat.

Timeout duration refers to the waiting time (milliseconds) of connection requests. After a connection request is accepted, the uniform resource identifier (URI) request will be submitted.

Generally, setting the connection timeout duration cannot eliminate DoS attacks but can remarkably reduce the possibility of DoS attacks. The major disadvantage is that when the network speed is very slow, data requests cannot be processed in the specified period of time. As a result, Tomcat disables the connection, and a connection timeout may occur when users use the web browser to access the system. For this reason, the connection timeout duration must be increased in Tomcat to resolve connection timeouts on a low-speed network.

NOTE:

However, the possibility of DoS attacks increases as the connection timeout duration increases. Users must ensure that their networks are immune to such attacks.

In Windows, log in to the server as an administrator. In Linux, log in to the server as the root user.

  1. If the eSight server is running, stop it.
  2. Open the eSight installation directory\AppBase\UniBI_Server\tomcat\conf directory.
  3. Use the text editor to open the server.xml file.
  4. Change the value of connectionTimeout to the required connection timeout duration (unit: millisecond).
    NOTE:

    If the connectionTimeout value is set to –1, connection timeout is disabled. You are not advised to set the connectionTimeout value to –1.

  5. Save the changes and close the file.
  6. Start eSight.

Configuring the listening service

The listening service listens to messages sent during SimpleOS startup and operating system installation. You can change the network port for which the listening service needs to be enabled to ensure system security.

On the Windows operating system, log in to the server as the Administrator user. On the Linux operating system, log in to the server as the root user.

NOTE:

If eSight is used for server configuration deployment, firmware upgrades, and stateless computing, configuration must be implemented through a network. eSight will enable listening ports to listen to server configuration processes and results. By default, these ports listen to all network ports on the server where eSight resides. If only one network port needs to be listened to, specify the network port IP address in the serverPortBinding.conf file.

If the listening service is enabled for only one network port, the following functions of eSight may be unavailable:

  • Firmware upgrade component
  • Stateless computing component
  • In-band configuration function of the configuration deployment component

    Exercise caution when performing this operation.

  1. Open the configuration file serverPortBinding.conf in eSight installation directory/AppBase/lib/resources/network/.
  2. Set portBindIp to the IP address of the network port for which the listening service needs to be enabled.

    Configuration example:

    portBindIp=192.168.1.9
    NOTE:

    portBindIp is left blank by default, which indicates that the listening service is enabled for all network ports.

    If the current server belongs to multiple subnet devices, portBindIp must be set to the IP address of the eSight server, and the IP address must be able to communicate with BMC.

    For a two-node cluster, you need to manually modify the serverPortBinding.conf file.

  3. Save and close the configuration file.
  4. Restart eSight.
Translation
简体中文
Download
Updated: 2022-02-11

Document ID: EDOC1100044388

Views: 328201

Downloads: 1181

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :