Cisco SCE 1000 Series Service Control Engine

Field Notice: FN - 62614 - SCE SCAS BB - SCA-BB Console 3.0.5 Requires Root Level SCE Authentication


November 29, 2006

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

| Products Affected | Comments |
| --- | --- |
| SCE SCAS BB - 3.0.5 | Service Control Engine Service Control Application System |

Problem Description

The SCA-BB Console application and the SCA-BB servconf utility require user authentication in order to perform various management operations on SCE boxes, such as applying a Service Configuration.

In release 3.0.5 the required user authentication is SCE Root (level 15). This is a change compared to previous releases where the minimal required authentication was Admin (level 10).

The problem also applies to any application using the SCA-BB Java API. The SCE Connect API in 3.0.5 requires Root authentication while previous releases authenticated with Admin level.

Background

The SCE's authentication levels can be used to maintain an operational security scheme. In previous SCA-BB releases, service configuration operations required Admin level authentication. This enabled separation between the management operations and the technician-level SCE management activity at Root level.

In release 3.0.5 this scheme was changed, forcing service configuration activity to require Root level authentication. This is not compatible with previous SCA-BB releases and requires disclosure of the SCE Root level password to users of the SCA-BB Console application and servconf utility.

Release 3.0.5 includes enhancements to SCE security. Authentication was added to the SCE API to better secure the management operations performed through this API. The above problem is a side effect of this enhancement.

Problem Symptoms

The SCA-BB Console and servconf utility fail to authenticate to the SCE when provided with Admin level authentication information, if the Admin authentication details differ from the Root authentication details.

Workaround/Solution

Solution:

Another SCA-BB release with a fix will be released in December 2006.

Workaround:

The following workarounds are available:

  1. Provide SCA-BB Console and servconf utility with the SCE Root level authentication details.

  2. Configure the SCE boxes to turn off RPC Protocol (PRPC) authentication. When this is done, SCA-BB Console and servconf utility authentication to the SCE is bypassed, and they will connect with any password. This avoids the need to disclose the SCE Root password.

    It should be noted that this workaround may compromise SCE security and should be used with care.

    This SCE configuration is done using the following CLI commands. See the SCE CLI Command Reference Guide for further details.

    SCE>enable 10 
    Password: 
    SCE#configure 
    SCE(config)#ip rpc-adaptor security-level none 
    SCE>
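
An added example, not part of Cisco's notice: a Python audit that scans saved SCE configuration text or captured CLI sessions for the workaround command above, so boxes running with PRPC authentication turned off can be identified. The device names and sample lines are constructed, and the command spelling is taken from this notice.

```python
import re

# Matches the command from the field notice, optionally preceded by a CLI
# prompt such as "SCE(config)#" when the input is a captured session.
PRPC_LEVEL = re.compile(
    r"^(?:\S+[>#])?\s*ip\s+rpc-adaptor\s+security-level\s+(\S+)\s*$",
    re.IGNORECASE,
)


def prpc_security_level(config_text):
    """Return the last PRPC security level set in the text, or None."""
    level = None
    for line in config_text.splitlines():
        match = PRPC_LEVEL.match(line.strip())
        if match:
            level = match.group(1).lower()  # a later line overrides an earlier one
    return level


def audit(configs):
    """Map device name -> finding for a dict of {name: config text}."""
    findings = {}
    for name, text in configs.items():
        level = prpc_security_level(text)
        if level == "none":
            findings[name] = "PRPC authentication disabled (workaround 2 active)"
        elif level is None:
            findings[name] = "no explicit setting found; device default applies"
        else:
            findings[name] = f"PRPC security level set to {level!r}"
    return findings


# Constructed sample inputs (hypothetical device names and surrounding lines).
SAMPLE_CONFIGS = {
    "sce-lab-1": "hostname sce-lab-1\nip rpc-adaptor security-level none\n",
    "sce-lab-2": "hostname sce-lab-2\n",
    "sce-lab-3": "SCE(config)#ip rpc-adaptor security-level none \n",
}

if __name__ == "__main__":
    for device, finding in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{device}: {finding}")
```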
    

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

| DDTS | Description |
| --- | --- |
| CSCsg86093 (registered customers only) | The SCA-BB 3.0.5 Console and servconf utility require SCE Root (level 15) password authentication. In previous releases this authentication was done using Admin (level 10) password. |

Revision History

| Revision | Date | Comment |
| --- | --- | --- |
| 1.0 | 29-Nov-2006 | Initial Public Release |

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.