Managing BTS Users and Commands using EMS
Revised: September 25, 2009, OL-12797-09
Introduction
This chapter describes operator interfaces to the BTS and how to manage access and users. The Element Management System (EMS) database holds up to 256 logins and up to 50 active user sessions.
Accessing the EMS
Using the CLI, you can connect locally to the EMS in an interactive session.
Figure 2-1 EMS Operator Interfaces
The EMS system administrator can:
• Add a new user.
• Assign a user's privilege level—10 is for the system administrator. BTS has predefined user accounts:
  – btsadmin—username=btsadmin and password=btsadmin—like secadmin, a MAINT shell user (the MAINT shell is an enhanced CLI interface and does not log off an idle user)
  – secadmin—username=secadmin and password=secadmin—like btsadmin, a MAINT shell user (the MAINT shell is an enhanced CLI interface and does not log off an idle user)
  – btsuser—username=btsuser and password=btsuser—lower access permissions than btsadmin and secadmin, suitable for generic provisioning access
• Reset a user's password.
• Enter a description for each security class and privilege level.
• Manage security log reporting.
Logging into the EMS Using CLI
SSH is the way to access the BTS CLI or maintenance (MAINT) mode. SSH provides encrypted communication between a remote machine and the EMS/CA for executing CLI or MAINT commands. The SSH server runs on EMSs and CAs; the client and server sides connect through the secure shell daemon (SSHD). With SSH, new users must enter a new password and reenter it during their first login. On later logins they are prompted once for a password only.
When logging in for the first time, system administrators log in as btsadmin (the default password is btsadmin). Change the password.
Step 1
To log in from the client side for the first time: ssh btsadmin@<ipaddress>.
Note
If you are logged in to the system as root, enter: btsadmin@0
On the first SSH login from the client side, expect a message like this:
The authenticity of host [hostname] can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:42:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?
Step 2
Enter yes.
The password prompt appears; from this point all communications are encrypted.
Step 3
Enter your password.
The system responds with a CLI> prompt. You can now send commands to the EMS.
Step 4
Enter provisioning commands.
Step 5
To log off, enter exit.
Managing Users
You must have a user privilege level of 9 or higher to add, show, change, or delete a user.
Caution
Do not add, change, or delete the username root; doing so prevents proper EMS access.
Table 2-1 Managing Users (task, followed by sample command)

Adding a user
    1. add user name=UserABC; command-level=9; warn=10; days-valid=30; work-groups=somegroup; password=secret01;
       Note: The name, command-level, and password tokens are mandatory for the add user command.
    2. Supply a default password: reset password name=<user name>; new-password=<user password>;

Viewing a user
    show user name=UserABC;

Viewing user activity
    show ems;

Changing a user
    change user name=UserABC; command-level=1; work-groups=somegroup;

Deleting a user
    delete user name=UserABC;
    You cannot delete optiuser.

Changing a user's password
    reset password name=username; days-valid=<number of days the new password will be valid>; warn=<number of days before password expiration to warn user>;
    reset password name=username; days-valid=30; warn=4;
    A password must:
    • Have 6-8 characters
    • Have at least two alphabetic characters
    • Have at least one numeric or special character
    • Differ from the user's login name and any combination of the login name
    • Differ from the old password by at least three characters
    Change the password for user optiuser on each BTS.

Adding a new work-group
    change command-table noun=mgw; verb=add; work-groups=latex;

Adding a user to a work-group
    change user name=trs80nut; work-groups=+rubber;

Removing a user from a work-group
    change user name=trs80nut; work-groups=-latex;

Viewing all currently active users

Viewing an active user

Blocking an active user
    1. Select the operation mode:
       • MAINTENANCE—(default) for regular maintenance
       • UPGRADE—for upgrades
    2. block session terminal=USR16;
    Note: You cannot block the session of a user with higher privileges than yours.
    Prevent BTS provisioning during an upgrade or maintenance window from the following interfaces:
    • CLI
    • FTP
    • CORBA
    • SNMP
    Note: The software will support blocking HTTP interfaces in a future release.
    If you block provisioning before performing an SMG restart or EMS reboot, blocking is still enforced when these applications return to the in-service state.
    There are two levels of blocking:
    • PROVISION—Prevents all provisioning commands from executing
    • COMPLETE—Prevents all commands from executing
    Only terminal type MNT users can use these blocking and unblocking commands. MNT users are never blocked. MNT users issue these commands from either the active or the standby EMS.
    A blocking command applies to all non-MNT users on terminals on either the active or the standby EMS. Commands do not execute for:
    • Logged-in users
    • Users who log in after the block command
    Commands are not queued for execution after unblock. The CLI user prompt changes when blocked, notifying the user that their commands will not execute.

Unblocking a user
    unblock session terminal=USR16;
    Note: You cannot unblock the session of a user with higher privileges.

Resetting a user's idle time
    Idle time is how many minutes (1-30) a user can be idle before being logged off the BTS.
    change session idle-time=30;

Stopping a user's session
    stop session terminal=USR16;
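As an added example that is not part of the Cisco documentation, the following Python function checks a candidate password against the five rules listed above for reset password; the reading of "any combination of the login name" as case-insensitive rotations and the reversal of the name is an assumption.

```python
import string


def differing_positions(a, b):
    """Count positions at which two strings differ; extra length counts as differing."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def login_name_combinations(login_name):
    """Variants of the login name that a new password may not equal.
    Assumption: 'any combination of the login name' is read as case-insensitive
    rotations of the login name plus its reversal."""
    name = login_name.lower()
    variants = {name[i:] + name[:i] for i in range(len(name))}
    variants.add(name[::-1])
    return variants


def validate_bts_password(new_password, login_name, old_password=None):
    """Return the list of rules the candidate password breaks (empty list = acceptable)."""
    problems = []
    if not 6 <= len(new_password) <= 8:
        problems.append("length must be 6-8 characters")
    if sum(c.isalpha() for c in new_password) < 2:
        problems.append("needs at least two alphabetic characters")
    if not any(c.isdigit() or c in string.punctuation for c in new_password):
        problems.append("needs at least one numeric or special character")
    if new_password.lower() in login_name_combinations(login_name):
        problems.append("must differ from the login name and its combinations")
    # The old-password rule only applies when an old password exists (e.g. not on first set).
    if old_password is not None and differing_positions(new_password, old_password) < 3:
        problems.append("must differ from the old password by at least three characters")
    return problems


if __name__ == "__main__":
    # Constructed check using the sample password from Table 2-1.
    print(validate_bts_password("secret01", "UserABC"))                      # []
    print(validate_bts_password("secret02", "UserABC", old_password="secret01"))
```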

Note
All commands should be assigned to a work-group. If a command is not assigned to a work-group, any user will be able to execute that command, which is not recommended. You can also assign users and commands to multiple work-groups.
Managing Commands
Each command (verb-noun combination) has a security class of 1-10; 1 is lowest, 10 is highest. Each time a user enters a command, the system compares the user's privilege level to the command's security class. EMS denies the command if the user level is less than the command level.
The Command Level (command-level) table shows the 10 command security classes. BTS has the following presets:
• 1 (lowest level)
• 5 (mid-level)
• 10 (highest level)—These commands require a system administrator with a security level of 10 to execute.
Table 2-2 Managing Commands (task, followed by sample command)

Viewing a command's security class
    show command-level id=10;

Adding a description to a command's security class
    change command-level id=10; description=This is the highest level administration access;

Changing a command's privilege level
    change command-table noun=mgw; verb=add; sec-level=9;

Resetting a command's privilege level
    reset command-table noun=mgw; verb=add;

Viewing all executed commands

Sending all executed commands to a report file
    report history;

Viewing the report of all executed commands
    1. In a web browser enter http://server name.
    2. Click Reports.
    3. Click history.html.

Viewing a security summary
    report security-summary start-time=2002-09-26 00:00:00; end-time=2002-09-27 00:00:00; source=all;

Viewing security summary reports
    In a web browser enter https://<ems ip addr>.
Restricting Command Access Using Workgroups
This section describes how to restrict access to commands and secure them by defining workgroups. As discussed earlier, the system administrator assigns a user privilege level (UPL) to each user login, and each command (noun-verb combination) has a preset command level (CL). A user can execute a command if the privilege level assigned to the user is higher than or equal to the command level of the command being executed.
Granting access whenever the user privilege level is at least the command level means that any user with a sufficiently high privilege level can execute critical commands, which is not always wanted. For example, special handling is provided for CALEA to prevent any user from accessing the wiretap and ESS tables; yet a user whose privilege level is higher than the command level of the CALEA commands can execute those commands and fetch critical data.
To restrict a user to only a certain set of commands, assign the user and the relevant commands to a workgroup 'X'. A user belonging to workgroup 'X' can then execute only the commands that have SEC_LEVEL <= the user's COMMAND_LEVEL and that are assigned to workgroup 'X'. For more details, see Table 2-3.
To restrict a user, for example USER0, to only a certain set of commands:
Step 1
Assign USER0 to workgroup 'X'.
Step 2
Assign all commands to a workgroup 'cliall_workgroup'. No command must be left without a workgroup assignment.
Note
If any command is left without a workgroup assignment, USER0 would be able to execute that command, which is not wanted.
Step 3
Assign the specific commands to which you want to allow USER0 access to the workgroup 'X'.
Tip
For example, to allow access to the command 'change subscriber', assign 'change subscriber' to the workgroup 'X'. Before this, 'change subscriber' was not assigned to any workgroup, so any user with User COMMAND_LEVEL >= SEC_LEVEL of the command could execute it. After 'change subscriber' is assigned to workgroup 'X', not every user can execute it, even if that user's COMMAND_LEVEL >= the command's SEC_LEVEL; the user must also belong to workgroup 'X'.
Table 2-3 Restricting Command Access Through Workgroups (task, followed by sample command)

Add a user and assign the user to a workgroup. The workgroup is created by the same command.
    add user name=USER0; command-level=9; password=secret01; work-groups=X;

Assign all commands to a workgroup. No command should be left without a workgroup assignment.
    change command-table noun=mgw; verb=add; sec-level=8; work-groups=cliall_workgroup;

Assign only the specific commands to the workgroup whose access you want to restrict for other users. Only users assigned to that workgroup can execute these commands.
    change command-table noun=subscriber; verb=change; sec-level=8; work-groups=X;
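As an added example that is not part of the Cisco documentation, the following Python model reproduces the decision rule described in this section and in the note after Table 2-1 (level check first, then workgroup membership once a command has a workgroup) on constructed data mirroring Table 2-3; the user names, the command-table entries and the unassigned 'show subscriber' entry are assumptions, not values from the product.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    command_level: int                              # user privilege level (UPL), 1-10
    work_groups: set = field(default_factory=set)   # workgroups the user belongs to


@dataclass
class Command:
    noun: str
    verb: str
    sec_level: int                                  # command security class (CL), 1-10
    work_groups: set = field(default_factory=set)   # empty set = not assigned to any workgroup


def can_execute(user, command):
    """Model of the EMS decision: the level check applies to every command; the
    workgroup check applies only once the command has been assigned a workgroup."""
    if user.command_level < command.sec_level:
        return False
    if not command.work_groups:
        return True        # unassigned command: open to anyone who passes the level check
    return bool(user.work_groups & command.work_groups)


def unassigned_commands(commands):
    """Audit helper: verb-noun pairs still executable by every sufficiently privileged user."""
    return [f"{c.verb} {c.noun}" for c in commands if not c.work_groups]


# Constructed sample data mirroring Table 2-3; 'show subscriber' is a hypothetical
# entry deliberately left without a workgroup to show the gap the chapter warns about.
USER0 = User("USER0", 9, {"X"})
ADMIN = User("ADMIN", 10, {"cliall_workgroup"})
ADD_MGW = Command("mgw", "add", 8, {"cliall_workgroup"})
CHANGE_SUBSCRIBER = Command("subscriber", "change", 8, {"X"})
SHOW_SUBSCRIBER = Command("subscriber", "show", 5)
COMMAND_TABLE = [ADD_MGW, CHANGE_SUBSCRIBER, SHOW_SUBSCRIBER]

if __name__ == "__main__":
    print(can_execute(ADMIN, CHANGE_SUBSCRIBER))    # False: level 10 is not enough without workgroup X
    print(unassigned_commands(COMMAND_TABLE))       # ['show subscriber']
```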