Cisco Media Gateway Controller Software Installation and Configuration Guide (Releases 9.1 through 9.6)
Cisco PGW 2200 Security Enhancements
Download this chapter
Cisco PGW 2200 Security EnhancementsCisco PGW 2200 Security Enhancements
Download the complete book
Cisco Media Gateway Controller Software Installation and Configuration Guide (Releases 9.1 through 9.6)Cisco Media Gateway Controller Software Installation and Configuration Guide (Releases 9.1 through 9.6) (PDF - 5 MB)
 Feedback

Table Of Contents

Cisco PGW 2200 Security Enhancements

Supported Platforms

Feature Overview

Client/Server and Secure Connectivity Relationships

Secure Connectivity Among Cisco PGW 2200 Applications

Secure Connectivity Between Cisco MGC Application Platforms

Secure Connectivity Between BAMS Application Platforms

Secure Connectivity Between BAMS and Cisco MGC Application Platforms

Installation Overview

Conditions for Installation

CSCOk9000 and CSCOh013 Security Packages

Installation Sequence

Server and Client Platforms Application Example

Export Control Splash Screens

CSCOk9000 Security Package Functions

Connecting to the Cisco PGW 2200, BAMS, and HSI

Telnet and FTP Toggle Options

Installing the CSCOk9000 Security Package

Installing CSCOk9000 on the Cisco PGW 2200 Host

Installing the CSCOk9000 on BAMS

Installing CSCOk9000 on HSI

Securing the Networks

Securing the Cisco PGW 2200

Securing BAMS

Uninstalling the CSCOk9000 Security Package

Fallback Procedures

Procedures for Cisco PGW 2200

Procedures for BAMS

Alarms and Messages


Cisco PGW 2200 Security Enhancements

This document describes the Cisco PGW 2200 Security Enhancements feature. It provides procedures for installing secure communication interfaces on the Cisco MGC, BAMS and HSI application platforms in a network.

Table 4-1 Guide to Document Contents 

Section and Page

Supported Platforms

Feature Overview

Client/Server and Secure Connectivity Relationships

Secure Connectivity Among Cisco PGW 2200 Applications

Secure Connectivity Between Cisco MGC Application Platforms

Secure Connectivity Between BAMS Application Platforms

Secure Connectivity Between BAMS and Cisco MGC Application Platforms

Installation Overview

Conditions for Installation

Installation Sequence

Export Control Splash Screens

CSCOk9000 Security Package Functions

Connecting to the Cisco PGW 2200, BAMS, and HSI

Telnet and FTP Toggle Options

Installing the CSCOk9000 Security Package

Installing CSCOk9000 on the Cisco PGW 2200 Host

Installing the CSCOk9000 on BAMS

Installing CSCOk9000 on HSI

Securing the Networks

Securing the Cisco PGW 2200

Securing the Cisco PGW 2200

Fallback Procedures

Procedures for Cisco PGW 2200

Procedures for BAMS

Alarms and Messages


Supported Platforms

The hardware platforms supported for the Cisco MGC, BAMS, and HSI software are described in the Cisco MGC Software Release 9 Installation and Configuration Guide.

Note Cisco PGW 2200 consists of platforms that run the Cisco Media Gateway Controller (MGC) software, Billing and Measurements Server (BAMS), and H.323 Signaling Interface (HSI).

Feature Overview

The Cisco PGW 2200 Security Enhancements feature is used to install secure communication interfaces on the Cisco MGC, BAMS and HSI application platforms in a network. The secure interfaces consists of multiple programs found in the openSSH software. These programs include the following:

ssh—secure shell, which replaces Telnet (for secure Telnet sessions, such as running MML)

sftp—secure FTP, which replaces FTP (for secure file transfers)

scp—secure copy, which replaces rcp

various other programs

Documentation for the various programs can be found at the openSSH web site (http://www.openssh.org).

Note The use of "SSH" (all upper case) refers to the collection of programs mentioned above, while the use of "ssh" (all lower case) refers specifically to the secure shell program.

A confirmation is required when you attempt to run ssh for the first time on each new machine. For scripts to run without human intervention, you will be required to manually run ssh at least once prior to invoking automatic scripts.

Note The SSH password is your regular login password.

A script is provided to restore the non-secure Telnet daemon if it has been disabled (toggle_telnet.sh). A similar script (toggle_ftp.sh) is provided to restore the non-secure version of FTP.

Note If you prefer not to use the SSH secure interfaces, you have the option to not disable Telnet and FTP.

The SSH daemon supports two versions of the SSH protocol. By default, the sshd program is configured to recognize clients using either connection protocol, and to respond appropriately.

Note Cisco recommends that client programs use SSH protocol Version 2 (shipped with the CSCOk9000 security package).

Client/Server and Secure Connectivity Relationships

The following figures show the client/server and secure connectivity relationships used among the different applications of the Cisco MGC, BAMS, and HSI.

In a network containing Cisco MGC platforms and BAMS platforms, the Cisco MGC platform is considered to be a server system to BAMS. The BAMS platform is a client of the Cisco MGC platform. This means that in the current, non-secure interface environment, to transfer files from the Cisco MGC to BAMS, the BAMS system invokes the FTP program which talks to an FTP daemon process on the Cisco MGC platform.

The following table explains the letters and acronyms used in these figures:

Table 2

Acronym/
Abbreviation
Description

C

Client

S

Server

SCP

Secure Copy

SFTP

Secure File Transfer

SSH

Secure Shell


Secure Connectivity Among Cisco PGW 2200 Applications

The following figure illustrates the client/server relationship and the secure connectivity used among the different application types of the Cisco PGW 2200 and its network management elements. Note that Cisco MNM-PT has SSH and SFTP interfaces to HSI.

Note For simplicity, redundant platforms are not shown in this figure. The secure connectivity among the different application types and the redundant platforms is the same.

Note Install SSH on the Cisco MGC Node Manager 2.4(1) and Cisco MNM-PT 2.4(1) to enable the use of secure communications for managing and provisioning the Cisco PGW 2200 and supported network elements. With SSH installed on the Cisco MGC Node Manager, it can monitor the Cisco PGW node during SSH installation. Refer to the document Implementing Security Enhancements for Cisco MNM-PT and Cisco MGC Node Manager.

Secure Connectivity Between Cisco MGC Application Platforms

The following figure illustrates the client/server relationship and the secure connectivity used between two Cisco MGC application platforms operating as a redundant pair.

Secure Connectivity Between BAMS Application Platforms

The following figure illustrates the client/server relationship and the secure connectivity used between two BAMS application platforms operating as a redundant pair.

Secure Connectivity Between BAMS and Cisco MGC Application Platforms

The following figure illustrates the client/server relationship and the secure connectivity used when one redundant BAMS pair controls multiple Cisco MGC application platforms.

Note For simplicity, the redundant Cisco MGC application platforms are not shown. The secure connectivity between the redundant BAMS pair and the redundant Cisco MGC application platforms is the same.

Installation Overview

The following sections describe details and the conditions necessary for installing the CSCOk9000 security package.

Conditions for Installation

You must have permission from the US government to download this software from CCO. Contact your Cisco marketing representative to apply for eligibility.

Note For remote access, you must have SSH client software (ssh and sftp) installed.

The following table lists the prerequisites for installing the CSCOk9000 security package:

Table 4-3 Requirements for Installing the CSCOk9000 Security Package

Requirement
Description

Sun Solaris 8 operating system

Versions of the Cisco PGW 2200 prior to Solaris 8 Operating System will not install the SSH programs.

SSH installed on Cisco Node Manager and other element managers.

SSH must first be installed on Cisco Node Manager before installing the CSCOk9000 security package on PGW, HSI, or BAMS.

Refer to the section "Getting Started with SSH-Enabled Cisco Node Manager" in the document Implementing Security Enhancements for Cisco MNM-PT and Cisco MGC Node Manager.

One of the following software versions must be installed:

Cisco MGC software release 9.4(1) or higher

BAMS release 3.13 or higher

HSI release 4.1 or higher.

The CSCOk9000 security package is not supported on the following:

Cisco MGC software releases prior to release 9.4(1)

BAMS software releases prior to release 3.13

HSI software releases prior to release 4.1.

CSCOk9000 script must be installed after the Cisco MGC software, BAMS or HSI are installed.

This allows the CSCOk9000 script to verify the version of the application that was installed.

Install the CSCOh013 security package first before installing CSCOk9000.

Caution CSCOh013 cannot be installed after CSCOk9000 is installed.

Make sure to follow this sequence of installation for the security packages to work properly.


CSCOk9000 and CSCOh013 Security Packages

The secure interfaces can be logically considered as an extension to the 'box hardening' procedures already implemented in the Cisco Security Package CSCOh013. 'Box hardening' refers to the practice of removing unused or unnecessary users, services, and access points from the system to increase security and reduce the possibility of unauthorized access to a machine.

The CSCOh013 security package is distributed as part of the Solaris Environment Patches (refer to CCO for the latest version of these patches).

In most cases, Cisco recommends that both CSCOh013 and CSCOk9000 security packages be installed to get the most secure environment Cisco can provide. However, it is possible to install only CSCOh013. In this case, although the resulting system will have some, but not all security features installed, the Cisco PGW 2200 node will operate correctly.

The SSH secure interface software is bundled in a separate package (CSCOk9000) because of U.S. government restrictions on the export of encryption technology. The Cisco Secure Interface package CSCOk9000 is distributed as part of the Cisco PGW 2200 Restricted Software (refer to CCO for the latest version). The Cisco PGW 2200 Restricted Software can only be obtained through controlled means—you are required to apply for permission to download this software and install it after your Cisco MGC, BAMS, or HSI applications are installed.

Note There are U.S. Government restrictions on exporting cryptographic technology. The Secure Shell (SSH) program falls under the umbrella of those restrictions. The security package (CSCOk9000) is registered and located in a restricted area from which only authorized customers can download.

If you have Cisco PGW 2200s that span various geographic locations, you must apply and be approved for each site.

Installation Sequence

Because of the way the various Cisco PGW 2200 application programs (such as Cisco MGC, BAMS, and HSI) operate, Cisco specifies the order in which systems must be upgraded to minimize down time or time when systems are unable to communicate with one another.

Note Secure versions of Cisco MNM-PT and Cisco MGC Node Manager are required in this secure environment. SSH must first be installed on Cisco Node Manager before installing the CSCOk9000 security package on PGW, HSI, or BAMS.

Cisco MNM and MNM-PT can be installed to support SSH. Installation procedures for Cisco MNM is located at the following url: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1912/products_installation_guide_chapter09186a008019f524.html#1226353

Installation procedures for Cisco MNM-PT is located at the following url: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1912/products_installation_guide_chapter09186a008019f526.html#35443

If you are using Cisco MNM-PT to perform system backups, refer also to documentation located at the following url: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1912/products_installation_guide_chapter09186a008019f526.html#95252.

In the secure interface environment, the FTP daemon on the Cisco MGC is replaced by the ssh daemon process (the ssh daemon controls sftp). The FTP client on BAMS is replaced by sftp. A special script which invokes the use of sftp instead of FTP must be run on the BAMS platform. This means that the order in which systems are upgraded is important.

A platform operating as a secure interface server must have SSH (the secure interface software) installed and ready before the associated platform operating as the secure interface client can start to use the secure interface. To clarify the suggested order of installation, refer to the table below to determine which Cisco PGW 2200 application acts as a server to another.

Table 4

Server (Location of SSH and SFTP)
Client Programs Invoking SSH or SFTP

Cisco MGC

Cisco Billing and Measurements Server (BAMS)

Cisco MGC

Cisco Voice Services Provisioning Tool (Cisco MNM-PT)

BAMS

Cisco MNM-PT

BAMS

BAMS (Both BAMS act as client and server to each other)

HSI

Cisco MGC Node Manager

Cisco MGC

Cisco MGC Node Manager

BAMS

Cisco MGC Node Manager


Note Any customer application that uses FTP, Telnet, and RCP to access any of the Cisco PGW 2200 applications must first install the SSH client.

Note If you are accessing the Cisco PGW 2200, BAMS, or HSI from a remote machine, you must first install SSH client on your machine before disabling the non-secure interfaces on the Cisco PGW 2200, BAMS, or HSI. This client is not provided by the CSCOk9000 security package.

Server and Client Platforms Application Example

The following example uses the Cisco MGC and BAMS as the server and client platforms (respectively). However, a case may occur where a customer-specific application is used to transfer billing files from the Cisco MGC platform, or another customer application is used to transfer measurement data from the BAMS platform. When these cases occur, it is important to know which platform is acting as server and which is acting as the client.

1. Install the secure interface software package on Cisco MGC platforms controlled by a particular BAMS. At this point both the secure and non-secure interface software exist and are enabled on the Cisco MGC platform. This allows the BAMS machines to continue to communicate with the Cisco MGC platforms using the non-secure interfaces.

2. Once the Cisco MGC platforms controlled by the BAMS platform have the secure interface software installed, install the secure interface package on the BAMS platform. As the BAMS machine is re-configured (with the secure interface setup script) and rebooted, it will begin to communicate with the Cisco MGC platforms using the secure interfaces.

3. After the BAMS platform is updated and is using the secure interfaces, the non-secure interfaces on the Cisco MGC and BAMS platforms can be disabled. This is done on the Cisco MGC and BAMS platforms, using the scripts provided (toggle_ftp.sh and toggle_ftp.sh).

Note From the server/client table, note that the HSI platform does not act as a secure interface client, and serves as the secure interface server only to the Cisco MGC Node Manager application. When installing the secure interface software, the sequence of installation on the HSI is independent of the installation on Cisco MGC or BAMS platforms.

Export Control Splash Screens

A warning message screen announcing that the product contains export controlled encryption code with U.S. government export restrictions is displayed at the following times:

During the installation of the encryption software (CSCOk9000).

As part of the startup script for the Cisco MGC, BAMS and HSI.

Note This warning is displayed if the SSH software is installed on the machine, regardless of whether the Cisco PGW 2200, BAMS, and HSI are actually using the secure interfaces. You have the option to enable Telnet and FTP and use the nonsecure interfaces, even if SSH is available.

CSCOk9000 Security Package Functions

A system can have different components such as the Cisco PGW 2200, BAMS, and HSI, that need the CSCOk9000 package,

When the CSCOk9000 security package is installed, it will do its work without user intervention until the end of the installation process.

When the CSCOk9000 security package is installed, it loads the SSH daemon onto the disk and configures it to start up the next time the system is rebooted.

Note The SSH code is installed in a directory under /opt/SSH.

Connecting to the Cisco PGW 2200, BAMS, and HSI

For secure Telnet sessions, you can connect to the Cisco PGW 2200, BAMS, and HSI by using SSH (for example, to run MML).

For file transfers or using scp, you can connect to the Cisco PGW 2200, BAMS, and HSI by using sftp (for example, to run MGC_setup).

Telnet and FTP Toggle Options

After the CSCOk9000 package is installed, you have the option to toggle the operation of the Telnet and FTP programs using two scripts—toggle_telnet.sh and toggle_ftp.sh. These scripts are located in the /opt/sun_install directory.

To turn the FTP service on, run the toggle_ftp.sh script by typing the following command and pressing Enter: 

/opt/sun_install/toggle_ftp.sh enable <filename>

To turn the FTP service off, run the toggle_ftp.sh script by typing the following command and pressing Enter: 

/opt/sun_install/toggle_ftp.sh disable <filename>

Installing the CSCOk9000 Security Package

Following are detailed procedures for installing the CSCOk9000 security package. It is important to install the CSCOk9000 security package according to the following sequence:

1. Installing CSCOk9000 on the Cisco PGW 2200 Host

2. Installing the CSCOk9000 on BAMS

3. Installing CSCOk9000 on HSI

4. Securing the Networks

Installing CSCOk9000 on the Cisco PGW 2200 Host

Note Always begin the installation on the standby host (Host B).

To install the CSCOk9000 security package on the Cisco PGW 2200 host:

Step 1 On Host B, log in as root.

Step 2 Shut down the Cisco MGC. Enter the following command: 

/etc/init.d/CiscoMGC stop

Step 3 If CSCOh013 is already installed on your Cisco PGW 2200 host, skip this step and go to Step 4.

If the CSCOh013 is not yet installed on your Cisco PGW 2200 host, you must first install it before installing the CSCOk9000 security package. Follow the CSCOh013 installation procedures in the "Installing the Cisco Security Package (CSCOh013)" section on page 3-16 in Chapter 3, "Cisco MGC Software Release 9 Installation."

When the CSCOh013 security package installation is complete, text similar to the following is displayed: 

**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Note If you are planning to install CSCOk9000, do not reboot after installing the CSCOh013 security package. You will be prompted to reboot after the installation of CSCOk9000.

Step 4 Install the CSCOk9000 security package on the standby Cisco PGW 2200 first (Host B). Enter the following command: 

pkgadd -d CSCOk9000.pkg

Text similar to the following is displayed: 


The following packages are available:

  1  CSCOk9000     Security package (ssh, sftp) for Solaris 8

                   (sparc) 1.0(0.4)


Select package(s) you wish to process (or 'all' to process

all packages). (default: all) [?,??,q]:

Step 5 Type all and press Enter to process all packages.

Step 6 Enter the following command to change the current directory: 

cd /opt/sun_install

Step 7 Type the following command to run the SSH script on Host B: 

./CiscoSSH.sh install /tmp/SSH.log

Text similar to the following is displayed: 

*** NOTE ***

Your ftp and telnet (ie. non-secure) interfaces

have NOT been disabled! When you are ready to fully

secure your system, you should disable these interfaces

with the commands 'toggle_ftp.sh disable' and

'toggle_telnet.sh disable'

*** END NOTE ***



End of SSH installation...



**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Note If you do not get the above message about rebooting, the installation might have failed — call Cisco TAC for assistance.

Step 8 Reboot the standby host (Host B). Enter the following command: 

reboot

Rebooting may take about five minutes.

Note If you have installed the Solaris DiskSuite package (CSCOh016) on your system, the messages below are displayed during system boot-up. They are normal Solaris DiskSuite start-up messages and do not indicate any problem with your system.

WARNING force load of misc /md-trans failed
WARNING force load of misc /md-raid failed
WARNING force load of misc /md-hotspares failed
WARNING force load of misc /md-sp failed

Step 9 Disable FTP access to your system. Enter the following command: 

/opt/sun_install/toggle_ftp.sh disable /tmp/toggle_ftp.log

Step 10 Disable Telnet access to your system. Enter the following command: 

/opt/sun_install/toggle_telnet.sh disable /tmp/toggle_telnet.log

Note If you run the above command, the access to the Solaris box is disabled.

Step 11 Start Cisco MGC on Host B. Enter the following command: 

/etc/init.d/CiscoMGC start

Note After rebooting Host B, you may find that the Cisco MGC application may be already running. This is because the Cisco MGC start script is located in one of the /etc/rcX.d directories. This causes the application to start and stop automatically when Unix is started or stopped.

Step 12 Fail over to the standby host (Host B). Log in as mgcusr on Host A (Active now), enter mml to get in MML mode, and enter the following MML command: 

sw-over::confirm

Step 13 Install the CSCOh013 security package first if it is not yet installed on Host A. If CSCOh013 is already installed, go to Step 14.

Follow the CSCOh013 installation procedures in the section "Installing the Cisco Security Package (CSCOh013)" section on page 3-16 in Chapter 3, "Cisco MGC Software Release 9 Installation," of the Cisco Media Gateway Controller Software Release 9 Installation and Configuration Guide.

When the CSCOh013 security package installation is complete, text similar to the following is displayed: 

**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Note If you will be installing CSCOk9000, do not reboot after installing the CSCOh013 security package. You will be prompted to reboot after the installation of CSCOk9000.

Step 14 Install the CSCOk9000 security package on Host A. Log in Host A again as root. Enter the following command: 

pkgadd -d CSCOk9000.pkg

Text similar to the following is displayed: 


The following packages are available:

  1  CSCOk9000     Security package (ssh, sftp) for Solaris 8

                   (sparc) 1.0(0.4)


Select package(s) you wish to process (or 'all' to process

all packages). (default: all) [?,??,q]:

Step 15 Type all and press Enter to process all packages.

Text similar to the following is displayed: 

cd ../sun_install/

pwd

/opt/sun_install

./CiscoSSH.sh install /tmp/SSH.log

Output will be logged in  /tmp/SSH.log


You are running as root - Good...

Step 16 Enter the following command to change the current directory: 

cd /opt/sun_install

Step 17 Type the following command to run the SSH script on Host A: 

./CiscoSSH.sh install /tmp/SSH.log

Text similar to the following is displayed: 


*** NOTE ***

Your ftp and telnet (ie. non-secure) interfaces

have NOT been disabled! When you are ready to fully

secure your system, you should disable these interfaces

with the commands 'toggle_ftp.sh disable' and

'toggle_telnet.sh disable'

*** END NOTE ***



End of SSH installation...



**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Step 18 Reboot Host A. Log in as root and enter the following command: 

reboot

Rebooting may take about five minutes.

Step 19 Disable FTP access to your system. Enter the following command: 

/opt/sun_install/toggle_ftp.sh disable /tmp/toggle_ftp.log

Step 20 Disable Telnet access to your system. Enter the following cmmand: 

/opt/sun_install/toggle_telnet.sh disable /tmp/toggle_telnet.log

Note If you run the above command, the access to the Solaris box is disabled.

Step 21 Fail-over again to the standby host (Host A). Log in as mgcusr on Host B and enter the following MML command: 

sw-over::confirm

The CSCOk9000 security package installation on Cisco PGW 2200 is now complete.

To install SSH on BAMS, continue to the "Installing the CSCOk9000 on BAMS" section.

To install SSH on HSI, continue to the "Installing CSCOk9000 on HSI" section.

Installing the CSCOk9000 on BAMS

After the CSCOk9000 security package is installed on the Cisco PGW 2200 platform, it can be installed on BAMS. BAMS will use SFTP to transfer files after the ./setupSSH.sh script is done installing the software. Install the CSCOk9000 security package on BAMS to install the secure shell on the system.

Caution For BAMS to properly create CDR records and measurements, all components in the network must have both CSCOk900 and CSCOh013 either installed or not installed.

The BAMS startup script includes a splash screen warning that the system is running with export controlled encryption software installed.

Note Run the /opt/install/enableFTPClient.sh script each time SSH is re-installed on Cisco PGW 2200 or BAMS. If only SSH on the Cisco PGW 2200 host is changed, then you only need to enter the Cisco PGW 2200 host names when running this script. If the SSH on BAMS is changed, you must enter all Cisco PGW 2200 and BAMS host names.

To install the CSCOk9000 package on BAMS:

Step 1 Log in as bams on BAMS 1.

Step 2 Shut down BAMS 1. Enter the following command: 

stop_system

Text similar to the following is displayed: 

Terminating BAMS


waiting for MGR to shut down...

$

Step 3 Log in as root.

Step 4 Install the CSCOh013 security package on BAMS 1 and run the CiscoSec.sh install /tmp/security.log script.

Follow the CSCOh013 installation procedures in the section "Installing the Cisco Security Package (CSCOh013)" in Chapter 3, "Cisco MGC Software Releases 9.2(x) and 9.3(x)", of the Cisco Media Gateway Controller Software Release 9 Installation and Configuration Guide.

When the CSCOh013 security package installation is complete, text similar to the following is displayed: 

**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Note If you will be installing CSCOk9000, do not reboot after installing the CSCOh013 security package. You will prompted to reboot after the installation of CSCOk9000.

Step 5 Install the CSCOk9000 security package on BAMS 1. Enter the following command: 

pkgadd -d CSCOk9000.pkg

Text similar to the following is displayed: 

The following packages are available:

  1  CSCOk9000     Security package (ssh, sftp) for Solaris 8

                   (sparc) 1.0(0.4)


Select package(s) you wish to process (or 'all' to process

all packages). (default: all) [?,??,q]:

Step 6 Type all and press Enter to process all packages.

Step 7 Enter the following command 

cd /opt/sun_install

Step 8 Enter the following command to run the SSH script: 

./CiscoSSH.sh install /tmp/ssh.log

Text similar to the following is displayed: 

Output will be logged in  /tmp/SSH.log


You are running as root - Good...


*** NOTE ***

Your ftp and telnet (ie. non-secure) interfaces

have NOT been disabled! When you are ready to fully

secure your system, you should disable these interfaces

with the commands 'toggle_ftp.sh disable' and

'toggle_telnet.sh disable'

*** END NOTE ***



End of SSH installation...



**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Step 9 Reboot BAMS 1. Enter the following command: 

reboot

Note If you have installed the Solaris DiskSuite package (CSCOh016) on your system, the messages below are displayed during system boot-up. They are normal Solaris DiskSuite start-up messages and do not indicate any problem with your system.

WARNING force load of misc /md-trans failed
WARNING force load of misc /md-raid failed
WARNING force load of misc /md-hotspares failed
WARNING force load of misc /md-sp failed

Step 10 To configure SSH on BAMS 2, log in as bams on BAMS 2.

Step 11 Shut down BAMS 2. Enter the following command: 

stop_system

Text similar to the following is displayed: 

Terminating BAMS


waiting for MGR to shut down...

$

Step 12 Log in as root.

Step 13 Install the CSCOh013 security package on BAMS 2 and run the CiscoSec.sh install /tmp/security.log script.

Follow the CSCOh013 installation procedures in the section "Installing the Cisco Security Package (CSCOh013)" in Chapter 3, "Cisco MGC Software Releases 9.2(x) and 9.3(x)", of the Cisco Media Gateway Controller Software Release 9 Installation and Configuration Guide.

When the CSCOh013 security package installation is complete, text similar to the following is displayed: 

**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Note If you will be installing CSCOk9000, do not reboot after installing the CSCOh013 security package. You will prompted to reboot after the installation of CSCOk9000.

Step 14 Install the CSCOk9000 security package on BAMS 2. Enter the following command: 

pkgadd -d CSCOk9000.pkg

Text similar to the following is displayed: 

The following packages are available:

  1  CSCOk9000     Security package (ssh, sftp) for Solaris 8

                   (sparc) 1.0(0.4)


Select package(s) you wish to process (or 'all' to process

all packages). (default: all) [?,??,q]:

Step 15 Type all and press Enter to process all packages.

Step 16 Enter the following command 

cd /opt/sun_install

Step 17 Enter the following command to run the SSH script: 

./CiscoSSH.sh install /tmp/ssh.log

Text similar to the following is displayed: 

Output will be logged in  /tmp/SSH.log


You are running as root - Good...


*** NOTE ***

Your ftp and telnet (ie. non-secure) interfaces

have NOT been disabled! When you are ready to fully

secure your system, you should disable these interfaces

with the commands 'toggle_ftp.sh disable' and

'toggle_telnet.sh disable'

*** END NOTE ***



End of SSH installation...



**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************

Step 18 Reboot BAMS 2. Enter the following command: 

reboot

Note If you have installed the Solaris DiskSuite package (CSCOh016) on your system, the messages below are displayed during system boot-up. They are normal Solaris DiskSuite start-up messages and do not indicate any problem with your system.

WARNING force load of misc /md-trans failed
WARNING force load of misc /md-raid failed
WARNING force load of misc /md-hotspares failed
WARNING force load of misc /md-sp failed

The installation of the CSCOk9000 security package on BAMS is now complete. To install the CSCOk9000 security package on HSI, continue to the "Installing CSCOk9000 on HSI" section.

Continue to the "Securing the Networks" section to secure your networks.

Installing CSCOk9000 on HSI

You can install the CSCOhk9000 security package on any HSI machine on the system. The procedure for installing SSH on HSI is the same as the procedure for installing the CSCOk9000 security package on the Cisco PGW 2200 (see the "Installing CSCOk9000 on the Cisco PGW 2200 Host" section).

Securing the Networks

You must have completed the installation of the CSCOhk9000 security package on your network (which can consist of Cisco PGW 2200, BAMS, and HSI) before securing your network.

Securing the Cisco PGW 2200

To secure the Cisco PGW 2200:

Step 1 Before you begin, verify that the last CDR has been pulled into BAMS.

You must be logged in as root. To verify that the last CDR has been pulled into BAMS, type the following command and press Enter to go to the directory: 

/opt/CiscoMGC/var/spool

Step 2 Type the following command and press Enter to verify the CDR: 

ls -l cdr_<yyyymmdd>

Where <yyyymmdd> represents the current date, entered in the following format:

yyyy = year

mm = month

dd = day

A list of files is displayed when you enter this command.

Step 3 Check the list of files that is displayed for the last finished filename preceded by a period (.) and write down the file name—you will need this information later.

Step 4 On the Cisco PGW 2200 Host B (the standby host), as root, type the following command and press Enter to change directory: 

cd /opt/sun_install

Step 5 Type the following command and press Enter to toggle FTP off: 

toggle_ftp.sh disable <filename>

Note <filename> is a name that you selected.

Text similar to the following is displayed: 

You are running as root - Good...

Operating System: SunOS 5.8

Disable ftp in inetd.conf file

Step 6 Type the following command and press Enter to toggle Telnet off: 

toggle_telnet.sh disable <filename>

Note <filename> is a name that you select.

Text similar to the following is displayed: 

You are running as root - Good...

Operating System: SunOS 5.8

Disable ftp in inetd.conf file

Step 7 On Host A (the active host), while logged in as root, type the following command and press Enter to change directory: 

cd /opt/sun_install

Step 8 Type the following command and press Enter to toggle FTP off: 

toggle_ftp.sh disable <filename>

Note <filename> is a name that you selected.

Text similar to the following is displayed: 

You are running as root - Good...

Operating System: SunOS 5.8

Disable ftp in inetd.conf file

Step 9 Type the following command and press Enter to toggle Telnet off: 

toggle_telnet.sh disable <filename>

Note <filename> is a name that you selected.

Text similar to the following is displayed: 

You are running as root - Good...

Operating System: SunOS 5.8

Disable ftp in inetd.conf file

Step 10 Verify that Telnet and FTP are off. Telnet or FTP to you Cisco PGW 2200 platform. If Telnet and FTP are turned off, you will get the following error message: 

Connection refused.

This completes the procedures for securing your Cisco PGW 2200. If you have BAMS on your network, continue to the "Securing the Cisco PGW 2200" section.

Securing BAMS

To secure BAMS on your network:

Step 1 Log in to the standby BAMS by typing the following and pressing Enter: 

bams

Step 2 The following steps require you to use MML commands. To use MML commands, type the following and press Enter: 

mml

Step 3 Enter the node of the Cisco PGW 2200 that is being changed. At the MML command line type the following and press Enter: 

set-mode:<x>:

Where <x> is a number between 1 through 8.

Note In this example, the node number is 2.

Step 4 Check for alarms. Type the following command and press Enter: 

rtrv-alms

Text similar to the following is displayed: 

Billing and Measurements Server - BAMS-00 2003-02-12 15:12:05

B  RTRV

02/12/03 14:58:14 *C POL402: Cannot connect to unit va-hoover

02/12/03 15:00:15 *C POL401: Max FTP failures for one file reached

02/12/03 15:00:25 *C POL402: Cannot connect to unit va-hoover_b

02/12/03 15:02:36 *C POL402: Cannot connect to unit va-fish

02/12/03 15:04:46 *C POL402: Cannot connect to unit va-fish_b

   ;

B  COMPLD

   ;

Note Look for the line containing POL402. POL402 indicates the presence of an alarm. Proceed to Step 5.
In this text display, "va-hoover" and "va-fish" are Cisco PGW 2200 and BAMS host name examples.

Step 5 Log in as root.

Step 6 Type the following command and press Enter to change directory: 

cd /opt/sun_install

Step 7 Type the following command to toggle FTP off: 

toggle_ftp.sh disable <filename>

Note <filename> is a name that you selected.

Text similar to the following is displayed: 

You are running as root - Good...

Operating System: SunOS 5.8

Disable ftp in inetd.conf file


Done!

Step 8 Type the following command and press Enter to toggle Telnet off: 

toggle_telnet.sh disable <filename>

Note <filename> is a name that you selected.

Text similar to the following is displayed: 

You are running as root - Good...

Operating System: SunOS 5.8

Disable ftp in inetd.conf file


Done!

Step 9 On the active host (BAMS 1), log in as bams.

Step 10 Repeat Step 2 through Step 8.

Step 11 On the standby BAMS, while logged in as root, type the following command and press Enter to change the directory: 

cd /opt/install

Step 12 As root, enter the following command to set up the SSH process: 

setupSSH.sh

Text similar to the following is displayed: 

BAMS is installed, proceeding with SSH configuration

Warning:

Before running this script, SSH must be installed on all PGW and BAMS hosts


This script will disable the standard FTP client on BAMS and set up

 SSH connections from BAMS to PGW and from BAMS to BAMS.


If you want to use the standard FTP client, it is still available

in the file /usr/bin/ftp.orig


Do you want to continue [y/n]:

Step 13 Type y (yes) to continue and press Enter.

Text similar to the following is displayed: 

Sun Microsystems Inc.   SunOS 5.6       Generic August 1997

Warning:

Before running this script, SSH must be installed on all PGW and BAMS hosts.


This script will reset the existing known hostkeys

and user keys for bams user for each host entered during this session.

You need to run this script every time the PGW or BAMS is re-installed.

You also need to run this script if SSH is re-installed on PGW or BAMS.


Do you want to continue [y/n]:

Step 14 Type y (yes) to continue and press Enter.

Text similar to the following is displayed: 

Generating security keys, this will take a couple of minutes...

Generating public/private rsa key pair.

Your identification has been saved in /opt/CiscoBAMS/local/.ssh/id_rsa.

Your public key has been saved in /opt/CiscoBAMS/local/.ssh/id_rsa.pub.

The key fingerprint is:

32:8e:10:10:98:2a:35:8a:18:bb:e6:3e:a1:54:d9:27 bams@va-pine

Generating public/private dsa key pair.

Your identification has been saved in /opt/CiscoBAMS/local/.ssh/id_dsa.

Your public key has been saved in /opt/CiscoBAMS/local/.ssh/id_dsa.pub.

The key fingerprint is:

32:dd:2d:51:e3:b4:9b:41:29:49:1a:f2:49:6f:e4:29 bams@va-pine


You will be prompted for the user name and password for each PGW

or BAMS host.

Please remember to enter both PGW host names for a failover pair.

You also need to enter the other BAMS host if this is a redundant setup.


Please enter a PGW or BAMS host name, or q to quit

Enter a host name now:

Step 15 Type host name PGW1 and press Enter.

Text similar to the following is displayed: 

Please enter a PGW or BAMS host name, or q to quit

Enter a host name now:

Step 16 Type the host name mgcusr (the login name of PGW1) and press Enter.

Text similar to the following is displayed: 

Are you sure you want to continue connecting (yes/no)? yes

Step 17 Type y (yes) and press Enter.

Text similar to the following is displayed: 

mgcusr@<hostname>'s password: 

id_dsa.pub           100% |*****************************|   602       00:00

Step 18 Type the password and press Enter.

Text similar to the following is displayed: 

mgcusr@<BAMS 1>'s password:

Step 19 Type y (yes) again and press Enter.

Text similar to the following is displayed: 

mgcusr on <BAMS> successfully configured


Do you want to configure second interface for <BAMS>? n

Step 20 You can answer either y (yes) or n (no):

a. Yes (configuring a second interface) is optional. If you answer y, repeat Step 1 through Step 19.

b. If you answer no, proceed to Step 21.

Step 21 Repeat Step 15 through Step 19 for additional Cisco PGW 2200 nodes.

Text similar to the following is displayed: 

mgcusr on <BAMS1> successfully configured


Do you want to configure second interface for <BAMS1>? n

Step 22 Type n (no) and press Enter.

Text similar to the following is displayed: 

Please enter a PGW or BAMS host name, or q to quit

Enter a host name now:

Step 23 While still on the standby BAMS, type the active BAMS unit information (BAMS name, BAMS login password).

Step 24 When all the BAMS interfaces have been configured, type q to quit and press Enter.

Text similar to the following is displayed: 

Done

Note Look out for the following error message. If some hosts were not configured, follow the recommendation in this message.

Failed to configure some hosts. Please check for SSH installation on these hosts and/or the user name and password for these hosts.

Step 25 Log in to the active BAMS as root.

Step 26 Change the directory. Type the following command and press Enter: 

cd /opt/install

Step 27 Type the following command and press Enter: 

setupSSH.sh

Text similar to the following is displayed: 

BAMS is installed, proceeding with SSH configuration

Warning:

Before running this script, SSH must be installed on all PGW and BAMS hosts


This script will disable the standard FTP client on BAMS and set up

 SSH connections from BAMS to PGW and from BAMS to BAMS.


If you want to use the standard FTP client, it is still available

in the file /usr/bin/ftp.orig


Do you want to continue [y/n]:

Step 28 Type y to continue and press Enter.

Text similar to the following is displayed: 

Sun Microsystems Inc.   SunOS 5.6       Generic August 1997

Warning:

Before running this script, SSH must be installed on all PGW and BAMS hosts.


This script will reset the existing known hostkeys

and user keys for bams user for each host entered during this session.

You need to run this script every time the PGW or BAMS is re-installed.

You also need to run this script if SSH is re-installed on PGW or BAMS.


Do you want to continue [y/n]:

Step 29 Type y (yes) to continue and press Enter.

Text similar to the following is displayed: 

Generating security keys, this will take a couple of minutes...

Generating public/private rsa key pair.

Your identification has been saved in /opt/CiscoBAMS/local/.ssh/id_rsa.

Your public key has been saved in /opt/CiscoBAMS/local/.ssh/id_rsa.pub.

The key fingerprint is:

32:8e:10:10:98:2a:35:8a:18:bb:e6:3e:a1:54:d9:27 bams@va-pine

Generating public/private dsa key pair.

Your identification has been saved in /opt/CiscoBAMS/local/.ssh/id_dsa.

Your public key has been saved in /opt/CiscoBAMS/local/.ssh/id_dsa.pub.

The key fingerprint is:

32:dd:2d:51:e3:b4:9b:41:29:49:1a:f2:49:6f:e4:29 bams@va-pine


You will be prompted for the user name and password for each PGW

or BAMS host.

Please remember to enter both PGW host names for a failover pair.

You also need to enter the other BAMS host if this is a redundant setup.


Please enter a PGW or BAMS host name, or q to quit

Enter a host name now:

Step 30 Type host name PGW1 and press Enter.

Text similar to the following is displayed: 

Please enter a PGW or BAMS host name, or q to quit

Enter a host name now:

Step 31 Type the host name mgcusr (the login name of PGW1) and press Enter.

Text similar to the following is displayed: 

Are you sure you want to continue connecting (yes/no)? yes

Step 32 Type y (yes) and press Enter.

Text similar to the following is displayed: 

mgcusr@<hostname>'s password: 

id_dsa.pub           100% |*****************************|   602       00:00

Type the password and press Enter.

Text similar to the following is displayed: 

mgcusr@<BAMS 1>'s password:

Step 33 Type y (yes) again and press Enter.

Text similar to the following is displayed: 

mgcusr on <BAMS> successfully configured


Do you want to configure second interface for <BAMS>? n

Step 34 You can answer either y (yes) or n (no):

a. Yes (configuring a second interface) is optional. If you answer y, repeat Step 1 through Step 19.

b. If you answer no, proceed to Step 21.

Step 35 Repeat Step 15 through Step 19 for additional Cisco PGW 2200 nodes.

Text similar to the following is displayed: 

mgcusr on <BAMS1> successfully configured


Do you want to configure second interface for <BAMS1>? n

Step 36 Type n (no) and press Enter.

Text similar to the following is displayed: 

Please enter a PGW or BAMS host name, or q to quit

Enter a host name now:

Step 37 While still on the active BAMS, type the standby BAMS unit information (BAMS name, BAMS login password).

Step 38 When all the BAMS interfaces have been configured, type q to quit and press Enter.

Text similar to the following is displayed: 

Done

Step 39 Go to the active Cisco PGW 2200 (Host A) in the "Securing the Cisco PGW 2200" section and repeat Step 1 and Step 2.

Text similar to the following is displayed: 

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 14:29 cdr_20030212142403_037281.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 14:34 cdr_20030212142903_037282.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 14:39 cdr_20030212143403_037283.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 14:44 cdr_20030212143903_037284.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 14:49 cdr_20030212144403_037285.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 14:54 cdr_20030212144903_037286.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 14:59 cdr_20030212145403_037287.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:04 cdr_20030212145903_037288.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:09 cdr_20030212150403_037289.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:14 cdr_20030212150903_037290.finished

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:19 cdr_20030212151403_037291.bin

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:24 cdr_20030212151904_037292.bin

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:30 cdr_20030212152434_037293.bin

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:35 cdr_20030212153004_037294.bin

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:40 cdr_20030212153504_037295.bin

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:45 cdr_20030212154004_037296.bin

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:50 cdr_20030212154504_037297.bin

-rw-rw-r--   1 mgcusr   mgcgrp       182 Feb 12 15:55 cdr_20030212155004_037298.bin

Step 40 Make sure that the CDR file number you noted down in Step 3 has changed from .bin to .finished.

Step 41 Check for alarms on BAMS. Type the following command and press Enter: 

<bams hostname> rtrv-alms

Text similar to the following is displayed: 

Billing and Measurements Server - BAMS-00 2003-02-12 16:02:08

B  RTRV

02/12/03 15:02:36 *C POL402: Cannot connect to unit <bams1 hostname>

02/12/03 15:04:46 *C POL402: Cannot connect to unit <bams2 hostname>

   ;

B  COMPLD

Note The CDR file POL402 (which indicates the presence of an alarm, shown in Step 4) for the active Cisco PGW 2200 and standby BAMS should be gone.

Step 42 Verify that both BAMS 1 and BAMS 2 are communicating with each other.

CDR file POL329 indicates that the active BAMS (BAMS 1) is sending information to the standby BAMS (BAMS 2).

Note Since BAMS polls the Cisco PGW 2200 at regular intervals, you may still see an alarm for a while. When you do, wait a few minutes and check the logs (see Step 43).

Step 43 To check the logs for alarms (the log name within this directory is syslog), change directory to the following: 

cd /opt/CiscoBAMS/files/s0x

Note x in s0x is the node you are in.

The process for securing your network is now complete.

Uninstalling the CSCOk9000 Security Package

If you want to uninstall the CSCOk9000 security package on the PGW, follow the following detailed procedures.

Step 1 Remove the CSCOk9000 security package. Enter the following command and press Enter. 

pkgrm CSCOk9000

Text similar to the following is displayed: 

The following package is currently installed:

	CSCOk9000 			Security package (ssh, sftp) for Solaris 8

			 	(sparc) 1.0(2)PGWR


Do you want to remove this package?

Step 2 Enter y and press Enter to confirm the removal.

Text similar to the following is displayed: 

Removing installed package instance <CSCOk9000>


This package contains scripts which will be executed with super-user permission during the 
process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q]

Step 3 Enter y and press Enter to continue with the removal of this package.

Text similar to the following is displayed: 

Verifying package dependencies.

Processing package information.

Executing preremove script.

Logfile is /var/adm/CSCOh090.uninstall.log

*** Removal of SSH update package started...Fri Oct 12 03:02:00 EDT 2007 *** You are not 
allowed to remove this package until you run the uninstall security script To do this:

cd /opt/sun_install

./CiscoSSH.sh uninstall /tmp/uninstall_SSH.log


Once that script completes correctly, you may remove this package from the machine


Removal of <CSCOk9000> was terminated due to user request.

Step 4 Enter the following command to change the current directory and press Enter. 

cd /opt/sun_install

Step 5 Enter the following command to run the uninstall security script and press Enter. 

./CiscoSSH.sh uninstall /tmp/uninstall_SSH.log

Text similar to the following is displayed: 

Output will be logged in  /tmp/uninstall_SSH.log


You are running as root - Good...


Operating System: SunOS 5.8


**************************************************************

**************************************************************

**************************************************************

***                                                        ***

***   WARNING       WARNING       WARNING       WARNING    ***

***                                                        ***

*** This product contains cryptographic features and is    ***

*** subject to United States and local country laws        ***

*** governing import, export, transfer and use             ***

*** Delivery of Cisco cryptographic products does not      ***

*** imply third-party authority to import, export,         ***

*** distribute or use encryption.                          ***

*** Importers, exporters, distributors and users are       ***

*** responsible for compliance with U.S. and local         ***

*** country laws.                                          ***

***                                                        ***

*** By using this product you agree to comply with         ***

*** applicable laws and regulations. If you are unable     ***

*** to comply with U.S. and local laws, return this        ***

*** product immediately.                                   ***

***                                                        ***

*** A summary of U.S. laws governing Cisco cryptographic   ***

*** products may be found at:                              ***

***                                                        ***

*** http://www.cisco.com/wwl/export/crypto/tool/stqrg.html ***

***                                                        ***

*** If you require further assistance please contact us    ***

*** us by sending email to export@cisco.com                ***

***                                                        ***

***   WARNING       WARNING       WARNING       WARNING    ***

***                                                        ***

**************************************************************

**************************************************************

**************************************************************

Do you want to continue? [n]:

Step 6 Enter y to continue and press Enter.

Text similar to the following is displayed: 

Restoring system to original configuration...


The following package is currently installed:

   ANDIrand        random-0.7

                   (sparc) 0.7


Do you want to remove this package?

Step 7 Enter y to confirm the removal and press Enter.

Text similar to the following is displayed: 

Removing installed package instance <ANDIrand>


This package contains scripts which will be executed with super-user permission during the 
process of removing this package.


Do you want to continue with the removal of this package [y,n,?,q]

Step 8 Enter y to continue the removal of the package and press Enter. 

Verifying package dependencies.

Processing package information.

Executing preremove script.

Removing pathnames in class <km64>

/usr/kernel/drv/sparcv9/random

/usr/kernel/drv/sparcv9 <shared pathname not removed> 

Removing pathnames in class <sed> 

Modifying /etc/devlink.tab 

Removing pathnames in class <none> /usr/kernel/drv/random.conf /usr/kernel/drv/random 
/usr/kernel/drv <shared pathname not removed> /usr/kernel <shared pathname not removed> 
/usr <shared pathname not removed> /etc/rc2.d/S60random /etc/rc2.d <shared pathname not 
removed> /etc/rc0.d/K50random /etc/rc0.d <shared pathname not removed> /etc/init.d/random 
/etc/init.d <shared pathname not removed> /etc <shared pathname not removed> 

Executing postremove script.

Updating system information.


Removal of <ANDIrand> was successful.


Backup directory is being removed


**************************************************

**************************************************

**                                              **

** NOTE!! The machine must be REBOOTED in order **

**        for these changes to take effect      **

**                                              **

**************************************************

**************************************************


Done!

Step 9 Reboot the system. Enter the following command and press Enter. 

reboot



The uninstallation of CSCOk9000 security package is now complete.

Fallback Procedures

Perform fallback procedures if you have problems with the installation of the CSCOk9000 security package on the Cisco PGW 2200 or BAMS.

If you have BAMS installed in your system, make sure you perform the fallback procedures on the Cisco PGW 2200 first, then do the procedures on BAMS.

Procedures for Cisco PGW 2200

Do the following procedures if you encounter problems with CSCOk9000 security package installation on Cisco PGW 2200:

Step 1 Log in to the standby Cisco MGC as root and stop the system by entering the following command: 

/etc/init.d/CiscoMGC stop

Step 2 From the /opt/sun/install directory, enable FTP and Telnet by entering the following commands: 

toggle_ftp.sh enable /tmp/enable.log 

toggle_telnet.sh enable /tmp/enable.log

Step 3 Run the uninstall security script: 

cd /opt/sun_install

./CiscoSSH.sh uninstall /tmp/uninstall_SSH.log

Step 4 Uninstall CSCOk9000. Enter the following command: 

pkgrm CSCOk9000

Step 5 In /opt/sun_install directory, enter the following command: 

CiscoSec.sh uninstall /tmp/security.log

Step 6 Uninstall CSCOh013. Enter the following command: 

pkgrm CSCOh013

Step 7 Reboot the standby Cisco MGC. Enter the following command: 

reboot

Note If you have installed the Solaris DiskSuite package (CSCOh016) on your system, the messages below are displayed during system boot-up. They are normal Solaris DiskSuite start-up messages and do not indicate any problem with your system.

WARNING force load of misc /md-trans failed
WARNING force load of misc /md-raid failed
WARNING force load of misc /md-hotspares failed
WARNING force load of misc /md-sp failed

Step 8 Repeat Step 1 through Step 9 on the active Cisco MGC.

The fallback procedures for Cisco PGW 2200 is now complete. Proceed to the "Procedures for BAMS" section if you have BAMS.

Procedures for BAMS

Do the following procedures if you encounter problems with the installation of the CSCOk9000 security package on BAMS:

Step 1 Log in to the standby BAMS unit as bams and stop the system by entering the following command: 

stop_system

Text similar to the following is displayed: 

Terminating BAMS


waiting for MGR to shut down...

$

Step 2 On the standby BAMS, log in as root.

Step 3 From the /opt/sun/install directory, enable FTP and Telnet by entering the following commands: 

toggle_ftp.sh enable /tmp/enable.log 

toggle_telnet.sh enable /tmp/enable.log

Step 4 Run the following script: 

/opt/install/enableFTPClient.sh

Text similar to the following is displayed: 

# /opt/install/enableFTPClient.sh

FTP Client restored

Step 5 Run the uninstall security script: 

cd /opt/sun_install

./CiscoSSH.sh uninstall /tmp/uninstall_SSH.log

Step 6 Uninstall CSCOk9000. Enter the following command: 

pkgrm CSCOk9000

Note If you wish to uninstall CSCOh013, then proceed to Step 7 through Step 8. If not, then skip to Step 9 to reboot the BAMS unit.


Step 7 In /opt/sun_install directory, enter the following command: 

CiscoSec.sh uninstall /tmp/security.log

Step 8 Uninstall CSCOh013. Enter the following command: 

pkgrm CSCOh013

Step 9 Reboot the BAMS unit. Enter the following command: 

reboot

Note If you have installed the Solaris DiskSuite package (CSCOh016) on your system, the messages below are displayed during system boot-up. They are normal Solaris DiskSuite start-up messages and do not indicate any problem with your system.

WARNING force load of misc /md-trans failed
WARNING force load of misc /md-raid failed
WARNING force load of misc /md-hotspares failed
WARNING force load of misc /md-sp failed

Step 10 Repeat Step 1 through Step 9 on the active BAMS unit.

The fallback procedures for BAMS is now complete.

Alarms and Messages

When you attempt to run SSH, the program requires a confirmation to continue. If you fail to log in successfully (for example, you typed the wrong password), this information will be logged. The CIAgent raises an SNMP alarm based on the failed login attempt.

Note These traps apply to the Cisco MGC platform as well as to BAMS and HSI.

When a login failure is detected, an SNMP trap is generated. For example: 

snmpTrapOID.0 = siLogMatchTrap

siLogName.1 = /var/log/authlog

siLogTrapTextLine.1 = Oct  9 13:42:51 va-baltimore sshd[5698]: [ID 800047

auth.info] Failed password for mgcusr from 161.44.86.29 port 40781 ssh2

Where:

siLogName object identifies the log file where the login failures are logged.

siLogTrapTextLine object is the exact line from the log file that reports the login failure.

A UNIX syslog file, /var/log/authlog, is used to log all access to the system by SSH. Both successful and failed login attempts are logged in this file. An SNMP trap will be generated for failed login attempts.

Note New log files are started on Sundays.

There are five files related to the authlog file in the /var/log directory:

authlog - the most recent logs since last Sunday.

authlog.0 - logs from two Sundays ago to last Sunday.

authlog.1 - logs from three Sundays ago to two Sundays ago.

authlog.2 - logs from four Sundays ago to three Sundays ago.

authlog.3 - logs from five Sundays ago to four Sundays ago.

Log files which generated more than five Sundays ago are automatically deleted.