Cisco 10200 User Manual
Cisco BTS 10200 Softswitch Operations
and Maintenance Guide
Release 6.0.1
February 18, 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-16000-07
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
Cisco BTS 10200 Softswitch Operations and Maintenance Guide
Copyright © 2010, Cisco Systems, Inc.
All rights reserved.
Preface ix
Introduction iii-ix
CONTENTS
CHAPTER
CHAPTER
1 Starting and Shutting Down the BTS 1-1
Introduction 1-1
Meeting Power Requirements 1-1
Starting BTS Hardware 1-1
Shutting Down BTS Hardware 1-2
Starting BTS Software 1-2
2 Managing BTS Users and Commands Using EMS 2-1
Introduction 2-1
Logging into the EMS Using CLI 2-1
Managing Users 2-2
Managing Commands 2-5
Adapter and User Security 2-6
Solaris OS Security and BTShard Package 2-7
Operator Interface 2-10
Vulnerabilities in H.323 Message Processing 2-11
Authentication, Authorization and Accounting Support 2-11
Pluggable Authentication Module Support 2-12
User Security Account Management 2-12
OL-16000-06
Sun Microsystems Configurations 2-12
Solaris OS Patches 2-14
Trace Normal Forms (TNF) Support 2-14
XML Libraries 2-15
Device GLM Patch 2-15
Security CE Patch 2-15
Security Bad_Trap Patch 2-15
Java SDK Patches 2-15
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
iii
Contents
CHAPTER
3 Monitoring and Backing Up the BTS 3-1
Introduction 3-1
Detecting and Preventing BTS Congestion 3-1
Monitoring BTS Hardware 3-1
Checking BTS System Health 3-2
Using BTS System-Health Reports 3-3
Checking BTS System Time 3-4
Checking the OS Log of Each Host Machine 3-4
Checking Disk Mirroring on Each Host Machine 3-5
CA/FS Side A 3-5
CA/FS Side B 3-5
EMS Side A 3-6
EMS Side B 3-6
Auditing Databases and Tables 3-7
Exporting Provisioned Data 3-8
Limitations 3-10
Creating Numbering Resource Utilization/Forecast (NRUF) Reports 3-10
Creating Reports for Nonrural Primary and Intermediate Carriers 3-11
Creating Reports for Rural Primary and Intermediate Carriers 3-12
Backing Up the Software Image 3-15
Full Database Auditing 3-16
Checking Shared Memory 3-16
From CA/FS Side A 3-16
From CA/FS Side B 3-17
Backing Up the Full BTS 3-18
Backing Up the CA/FS 3-18
Backing up the EMS/BDMS 3-19
Backing up the EMS Database 3-20
Using FTP to Setup File Transfer 3-21
Using SFTP to Setup File Transfer 3-22
iv
Archiving Your Database 3-24
Examining Heap Usage 3-25
Checking the DNS Server 3-25
Log Archive Facility (LAF) 3-26
Secure Transfer of Files 3-26
Other Capabilities 3-27
Provisioning LAF 3-27
Enabling LAF Process 3-27
Setup Non-Interactive SSH Login to External Archive Server 3-28
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-06
LAF Alarm Information 3-29
Moving Core Files 3-29
Contents
CHAPTER
CHAPTER
4 Operating the BTS 4-1
Introduction 4-1
Managing Subscribers 4-2
Viewing Calls 4-6
Using Status and Control Commands 4-7
Using Show and Change Commmands 4-9
Using ERAC Commands 4-9
Managing Transactions 4-12
Scheduling Commands 4-13
Limitations 4-13
5 Managing External Resources 5-1
Introduction 5-1
Viewing BTS System-Wide Status 5-1
Managing Trunk Groups and Trunks 5-3
Managing Subscriber Terminations 5-12
Managing Gateways 5-16
CHAPTER
Managing Other External Resources 5-18
Learning External Resource Dependencies 5-20
GigE Support 5-28
Prerequisites 5-28
Provisioning the GigE Interface 5-28
6 Using BTS Measurements 6-1
Introduction 6-1
Using Measurements 6-1
Learning the Measurement Types 6-2
ISDN Measurements 6-2
Call Processing Measurements 6-5
MGCP Adapter Measurements 6-12
DQoS Measurements 6-13
SIP Measurements 6-13
Service Interaction Manager Measurements 6-16
POTS Local FS Measurements 6-16
OL-16000-06
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
v
Contents
POTS Application Server Measurements 6-22
POTS Miscellaneous FS Measurements 6-22
POTS Class of Service FS Measurements 6-24
POTS Screen List Editing FS Measurements 6-25
POTS Customer Originated Trace FS Measurements 6-25
POTS Automatic Callback, Recall, and Call Return Measurements 6-26
POTS Limited Call Duration (Prepaid/Postpaid) with RADIUS Interface to AAA Measurements 6-28
POTS Call Forwarding Combination Measurements 6-28
AIN Services FS Measurements 6-29
SCCP Protocol Measurements 6-31
TCAP Protocol Measurements 6-33
SUA Measurements 6-37
M3UA Protocol Measurements 6-39
SCTP Measurements 6-41
IUA Measurements 6-44
ISUP MeasurementsI 6-46
ISUP (ANSI) Measurements 6-52
ISUP (France) Measurements 6-55
ISUP (Poland) Measurements 6-55
ISUP (ITU-China) Measurements 6-55
ISUP (ITU-Mexico) Measurements 6-58
ISUP (ITU-HongKong) Measurements 6-60
Audit Measurements 6-62
SIP Interface Adapter Measurements 6-62
Call Detail Block Measurements 6-64
Event Messaging Measurements 6-66
Dynamic QoS Measurements 6-66
PCMM Measurements 6-67
SNMP Protocol Measurements 6-67
Trunk Group Usage Measurements 6-68
Announcement Measurements 6-71
H.323 Protocol Measurements 6-71
Call Tools Measurements 6-75
AIN Tools Measurements 6-75
PCT Tools Measurements 6-75
CPU Usage Measurements 6-76
Memory Usage Measurements 6-76
Network I/O Usage Measurements 6-76
Disk Usage Measurements 6-76
System Load Usage Measurements 6-78
vi
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-06
Disk I/O Usage Measurements 6-78
ENUM Measurements 6-78
Diameter Message Counters 6-79
Single Number Reach Counters 6-80
Contents
CHAPTER
APPENDIX
APPENDIX
7 Using the BTS SNMP Agent 7-1
Introduction 7-1
Managing User Access to the SNMP Agent 7-1
Viewing SNMP Trap Reports 7-2
Viewing and Managing BTS Components 7-4
Querying the SNMP Agent 7-6
Enabling NMS to Query/Poll Solaris SNMP Agent 7-6
A Feature Tones A-1
Introduction A-1
Tones per Feature A-1
Tone Frequencies and Cadences A-6
B FIM/XML B-1
Understanding the Configurable FIM/XML Feature B-1
Advantages of the FIM/XML Tool B-2
Tool Requirements B-2
OL-16000-06
Writing an External FIM/XML File B-3
Defining Features B-3
Elements in the External FIM/XML File B-3
Define Element B-4
Precedence-Exception Element B-4
Inhibit Others Element B-5
Inhibit Me Element B-5
Response Profile Element B-5
Installing the FIM/XML File Using the Offline FIM/XML Tool B-7
FIM/XML File and Shared iFC File B-9
Features Defined in FIM/XML and Shared iFC B-9
Provisioning iFC B-10
Defining a New feature as the Originating Feature B-10
Defining a VSC B-10
Defining the SIP Trigger Profile B-10
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
vii
Contents
Feature Configuration B-10
Subscriber-Sip-Trigger-Profile B-11
Service-Id B-11
Subscriber-Service-Profile B-11
Feature Restrictions and Limitations B-11
viii
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-06
Introduction
Preface
Revised: February 18, 2010, OL-16000-07
This document is the Operations and Maintenance Guide for the Cisco BTS 10200 Softswitch, Release
6.0.1.
Organization
This guide has the following chapters:
• Chapter 1, “Starting and Shutting Down the BTS”—Tells you how to start up and shut down the BTS
• Chapter 2, “Managing BTS Users and Commands Using EMS”—Describes operator interfaces to
• Chapter 3, “Monitoring and Backing Up the BTS”—Includes overall BTS maintenance strategies
• Chapter 4, “Operating the BTS”—Tells you how to operate the BTS
• Chapter 5, “Managing External Resources”—Tells you how to manage external resources
• Chapter 6, “Using BTS Measurements”—Describes BTS traffic measurements and tells you how to
• Chapter 7, “Using the BTS SNMP Agent”—Explains how to use the Simple Network Management
• Appendix A, “Feature Tones”—Explains special tones the BTS supports for subscriber and operator
• Appendix B, “FIM/XML”—Explains the Feature Interaction Module/Extensible Markup Language
the BTS and how to manage access and users
provisioned on the BTS using administrative (ADM) commands
use them
Protocol (SNMP) agent
features
(FIM/XML) feature.
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
ix
Introduction
Document Change History
This table provides the revision history for the Cisco BTS 10200 Softswitch Operations and Maintenance
Guide, Release 6.0.x.
Table 1 Revision History
Version Number Issue Date Status Reason for Change
OL-16000-01 31 Mar 2008 Initial Initial document for Release 6.0
OL-16000-02 31 July 2008 Updated Added Change Number instructions for
OL-16000-03 18 Nov 2008 Revised Added keepalive note to Chapter 5 and
OL-16000-04 11 Dec 2008 Revised Updated the “Managing Trunk Groups and
OL-16000-05 21 July 2009 Revised Added the “Enabling NMS to Query/Poll
OL-16000-06 25 Sep 2009 Revised
Preface
subscribers.
updated the change announcement and
change subscriber directory number
information in Chapter 4.
Trunks” section on page 5-3.
Solaris SNMP Agent” section on page 7-6.
• Added the “Log Archive Facility (LAF)”
section on page 3-26.
• Added a note in Chapter 2.
• Changed all the references of workgroup
to work-group in all CLI examples.
• Updated the “Returnable Operational
States” Table in “Managing External
Resources” chapter.
OL-16000-07 18 Feb 2010 Revised
• Added the “Log Archive Facility (LAF)”
section on page 3-26.
• Added following commands in the
chapter “Managing External
Resources”:
–
report aggr
–
report mgw
• Added the following command in the
chapter “Operating the BTS”
–
report subscriber
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
x
OL-16000-07
Preface
Introduction
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
xi
Introduction
Preface
xii
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Starting and Shutting Down the BTS
Revised: February 18, 2010, OL-16000-07
Introduction
This chapter tells you how to start up and shut down the BTS.
Meeting Power Requirements
To meet high availability requirements:
• Do not have common parts in the power feeds to the redundant hardware that could be a common
single point of failure.
• Use uninterruptible power supply (UPS) for both AC and DC systems. It must be designed to support
system operation through any possible power interruption. Power must have battery backup to
maintain service in the event of commercial power failure (both power supplies of the redundant pair
must be able to do this).
CHAP T ER
1
• For AC-powered installations have two separate (redundant) circuits. Source AC circuits from
separate transformer phases on separate breakers so a single breaker trip does not disable both.
• For DC-powered installations have power from two separate dedicated DC branches (redundant A
and B feeds) for each DC-powered BTS.
Starting BTS Hardware
The time it takes to complete this procedure varies with system type and database size. System types
include:
• EMS—Element Management System
• BDMS—Bulk Data Management System
• CA—Call Agent
• FS—Feature Server
Step 1 Ensure all power cables connect to the correct ports.
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
1-1
Shutting Down BTS Hardware
Step 2 Plug in Catalyst switch routers.
Step 3 Power on EMS/BDMS hosts A and B.
Step 4 Power on CA/FS hosts A and B.
Shutting Down BTS Hardware
Step 1 Ensure CA side A and EMS side A are active.
Step 2 Ensure CA side B and EMS side B EMS are standby.
Step 3 Log into CA side A and B and EMS side A and B using Secure Shell (SSH).
Step 4 Shut down the system in order:
1. EMS side B
2. CA side B
3. CA side A
4. EMS side A
Step 5 To begin platform shutdown:
>platform stop all
Chapter 1 Starting and Shutting Down the BTS
Step 6 When #> returns, enter nodestat to ensure the operating system is ready for shutdown.
Step 7 To shut down the servers, enter one of the following commands for each node (Sun Microsystems
recommends both as graceful shutdowns).
>shutdown -i5 -g0 -y
Or:
>sync;sync; init5
Step 8 To power off primary and secondary CAs and FSs find the switch to the left of the LEDs and flip it to
OFF.
Step 9 When the fans stop, release the switch to neutral.
Step 10 To power off primary and secondary EMSs find the switch to the left of the LEDs and flip it to OFF.
Step 11 When the fans stop, release the switch to neutral.
Step 12 To power off the side, unplug them.
Starting BTS Software
BTS automatically starts when you power on the server. Repeat this procedure for each server.
1-2
Step 1 Enter nodestat.
Step 2 Log in as root.
Step 3 Enter platform start.
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Chapter 1 Starting and Shutting Down the BTS
Step 4 Once all components start, enter nodestat to ensure proper startup.
Starting BTS Software
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
1-3
Starting BTS Software
Chapter 1 Starting and Shutting Down the BTS
1-4
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Introduction
CHAP T ER
2
Managing BTS Users and Commands Using EMS
Revised: February 18, 2010, OL-16000-07
This chapter describes operator interfaces to the BTS and how to manage access and users.
The Element Management System (EMS) database holds up to 256 logins and up to 50 active user
sessions.Using the command line interface (CLI) you can locally connect to the EMS in an interactive
session.The EMS system administrator can:
• Add a new user.
• Assign a user’s privilege level—10 is for the system administrator. BTS has predefined user
accounts:
Username Permission
btsadmin btsadmin like MAINT shell user—MAINT shell is an enhanced CLI
interface and does not log off an idle user)
secadmin secadmin like MAINT shell user
btsuser btsuser lower access permissions than btsadmin and secadmin, good for
generic provisioning access
• Reset a user’s password.
• Enter a description for each security class and privilege level.
• Manage security log reporting.
Logging into the EMS Using CLI
SSH is a way to access the BTS CLI or maintenance (MAINT) modes. SSH provides encrypted
communication between a remote machine and the EMS/CA for executing CLI or MAINT commands.
The SSH server runs on EMSs and CAs. To connect the client and server sides run the secure shell
daemon (SSHD). With SSH, new users must enter a new password and reenter that password during the
first login. In future logins they are prompted once for a password only.
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-1
Managing Users
Chapter 2 Managing BTS Users and Commands Using EMS
The “ciscouser” login is a high-level security login for TAC and other BTS support personnel that
restricts access to certain commands. Anyone else trying to execute such commands receives an error
message.
After installation, on the EMS, the system prompts you to change the passwords of root, btsadmin,
btsuser and calea if they have default passwords. On the CA, the system prompts you to change the
passwords of root if it has default password. There are no default passwords for Operations,
Administration and Maintenance applications.
When logging in for the first time system administrators log in as
btsadmin). Change the password.
Step 1 To log in from the client side for the first time: ssh btsadmin@<ipaddress>.
Note If you are logged in to the system as root, enter: btsadmin@0
btsadmin (the default password is
On the first SSH login from the client side, expect a message like this:
The authenticity of host [hostname] can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:42:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?
Step 2 Enter yes.
The password prompt appears, now all communications are encrypted.
Step 3 Enter your password.
The system responds with a CLI> prompt. You can now send commands to the EMS.
Step 4 Enter provisioning commands.
Step 5 To log off, enter exit .
Managing Users
You must have a user privilege level of 9 or higher to add, show, change, or delete a user.
Caution Do not add, change, or delete username root, this prevents proper EMS access.
Table 2-1 Managing Users
Task Sample Command
Adding a user
Viewing a user show user name=UserABC;
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-2
1. add user name=UserABC; command-level=9; warn=10;
days-valid=30; work-groups=somegroup;
2. Supply a default password:
reset password name=<user name>; new-password=<user
password>;
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
Table 2-1 Managing Users (continued)
Task Sample Command
Viewing user activity show ems;
Changing a user change user name=UserABC; command-level=1;
Deleting a user delete user name=UserABC;
Changing a user’s password
Managing Users
work-groups=somegroup;
You cannot delete optiuser.
reset password name=username; days-valid=<number of days the
new password will be valid>; warn=<number of days before
password expiration to warn user>;
reset password name=username; days-valid=30; warn=4;
A password must:
• Have 6-8 characters
• Have at least two alphabetic characters
• Have at least one numeric or special character
• Differ from the user's login name and any combination of the
login name
• Differ from the old password by at least three characters
Adding a new work-group
Adding a user to a work-group
Removing a user from a
work-group
Viewing all currently active
users
Viewing an active user
Change the password for user
change command-table noun=mgw; verb=add; work-groups=latex;
change user name=trs80nut; work-groups=+rubber;
change user name=trs80nut; work-groups=-latex;
show session
show session terminal
optiuser on each BTS.
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-3
Managing Users
Chapter 2 Managing BTS Users and Commands Using EMS
Table 2-1 Managing Users (continued)
Task Sample Command
Blocking an active user 1. Select operation mode:
• MAINTENANCE—(default) for regular maintenance
• UPGRADE—for upgrades
2. block session terminal=USR16;
Note You cannot block the session of a user with higher privileges
than yours.
Prevent BTS provisioning during an upgrade or maintenance window
from the following interfaces:
• CLI
• FTP
• CORBA
• SNMP
Note The software will support blocking HTTP interfaces in a
future release.
If you block provisioning before performing an SMG restart or EMS
reboot, blocking is still enforced when these applications return to
in-service state.
There are two levels of blocking:
• PROVISION—Prevents all provisioning commands from
executing
• COMPLETE—Prevents all commands from executing
Only terminal type MNT users can use these blocking and unblocking
commands. MNT users are never blocked. MNT users issue these
commands from either active or standby EMS.
A blocking command applies to all non-MNT users on terminals on
either active or standby EMS. Commands do not execute for:
• Logged-in users
• Users who login after the block command
Commands are not queued for execution after unblock. The CLI user
prompt changes when blocked, notifying the user their commands will
not execute.
Unblocking a user
unblock session terminal=USR16;
Note You cannot unblock the session of a user with higher
privileges.
Resetting a user’s idle time Idle time is how many minutes (1-30) a user can be idle before being
logged off the BTS.
change session idle-time=30;
Stopping a user’s session
stop session terminal=USR16;
2-4
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
Note All commands should be assigned to a work-group. If a command is not assigned to a work-group, a user
will able to execute that command, which is not recommended. You can also assign users and the
commands to multiple work-groups.
Managing Commands
Each command (verb-noun combination) has a security class of 1-10; 1 is lowest, 10 is highest. Each
time a user enters a command, the system compares the user’s privilege level to the command’s security
class. EMS denies the command if the user level is less than the command level.
The Command Level (command-level) table shows the 10 command security classes. BTS has the
following presets:
• 1 (lowest level)
• 5 (mid-level)
• 10 (highest level)—These commands require a system administrator with a security level of 10 to
execute.
Managing Commands
Table 2-2 Managing Commands
Task Sample Command
Viewing a command’s security class
Adding a description to a command’s
security class
show command-level id=10;
change command-level id=10; description=This is
the highest level administration access;
Changing a command’s privilege level change command-table noun=mgw; verb=add;
sec-level=9;
Resetting a command’s privilege level reset command-table noun=mgw; verb=add;
Viewing all executed commands
Sending all executed commands to a
report file
Viewing the report of all executed
commands
Viewing a security summary
show history;
report history;
Note Results may take a few minutes to display.
1. In a web browser enter http://server name.
2. Click Reports.
3. Click history.html.
report security-summary start-time=2002-09-26
00:00:00; end-time=2002-09-27 00:00:00; source=all;
Note Results may take a few minutes to display.
Viewing security summary reports In a web browser enter https:// <ems ip addr>.
OL-16000-07
This chapter details the behaviors and attributes of the various security packages in the BTS 10200. The
sources for the items are derived from many dynamic sources. Included in these sources are security
bulletins from third-party vendors to the BTS 10200 as well as security agencies and open source
organizations.
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-5
Adapter and User Security
104705
Cisco BTS 10200
Kernel parameter tuning
User password control and
command authorization
UNIX services
(for example
Apache and SSH)
User authentication and authorization
BTS applications and third-party software
Solaris kernel and IP stack
OSS Network
NMS/NOC User Access for OAM&P
VoIP Network
Gateway Access for IAD or PSTN
Security is an important part of the BTS 10200. The BTS 10200 has interfaces to customer premise
equipment (CPE) as well as northbound Operations Support System (OSS) interfaces. All of these
interfaces are subject to attacks. In addition, users who are allowed onto the BTS 10200 can also find
ways to exploit applications that can lead to service-affecting situations. Therefore, many precautions
are taken to ensure the solidity of the BTS 10200 defenses while avoiding a system that is difficult to
manage.
Figure 2-1 BTS 10200 Access and Related Security
Chapter 2 Managing BTS Users and Commands Using EMS
Adapter and User Security
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-6
This section describes requirements that generally involve adapter and user level of security. In the BTS
10200, adapters are any external, northbound interfaces of the BTS 10200. However, some extrapolated
requirements involve adapter technology based on the current deployment:
• Support termination of a session once a provisionable inactivity timeout has occurred. An event
report is issued upon each timeout expiry. The inactivity time ranges from 10 to 30 minutes.
• Restrict access as “root” to the BTS 10200 in all cases except Cisco TAC and customer
“administrator”. This is a broad statement that includes the addition of command-line interface
(CLI) commands to help manage the system. In addition, UNIX services are restricted to harden the
operating system (OS). The service restriction is listed in the Solaris OS Security and BTShard
Package section. The process of restricting root access is an ongoing process.
• Use of “sudo" is acceptable and the formal Sun-built and packaged version is located in
/opt/sfw/bin/.
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
Solaris OS Security and BTShard Package
This section details the security packages for the BTS 10200 OS. These packages are automatically
installed at installation. These packages are derived from both Sun Microsystems security bulletins and
Cisco internal policies for safety of the OS and its applications. All services can be reactivated for the
lifetime of the current kernel instance. All settings are reset on reboot of the kernel. These settings are
contained in the BTShard Solaris package delivered with the BTS 10200.
• Remove unnecessary UNIX systems services. These services are listed below. Management of these
facilities must allow for each service to be enabled or disabled on an individual basis. This service
management must also be accomplished through the BTS 10200 adapter interface.
–
FTP—FTP server is disabled and SFTP (Secure FTP) should be used. This impacts the Bulk
Data Provisioning interface. It does not impact the Billing Bulk Data transfer. The FTP client
code will still be available on the EMS node.
–
Telnet—This terminal protocol is disabled and SSH (Secure Shell) should be used. The telnet
server and client code are still available on the EMS node.
–
Echo—This service is to be disabled. This capability has been replaced with Internet Control
Message Protocol (ICMP) “ping” facilities.
–
Discard—This service is to be disabled.
Solaris OS Security and BTShard Package
–
Printer—This service is to be disabled. No printer services are supplied in the BTS 10200
product description.
–
Daytime—This service is to be disabled.
–
Chargen—This service is to be disabled.
–
SMTP—This service is to be disabled.
–
Time—This service is to be disabled.
–
Finger—This service is to be disabled. No network user facilities are required. The BTS 10200
tracks users internally and on a single BTS basis.
–
Sun RPC—This service is to be disabled. This may be enabled in a lab environment for Tooltalk
usage in debugging application programs.
–
Exec—This service is to be disabled.
–
Login—This service is to be disabled.
–
Shell—This service is to be disabled. This may be required for some lab activity; however, there
is no field usage for rlogin, rcp, and rsh facilities.
–
UUCP—This service is to be disabled.
–
NFS—This service is to be disabled.
–
Lockd—This service is to be disabled.
–
X11—This service is available for the near term only.
–
DTSCP—This service is to be disabled.
–
Font-services—This service is to be disabled.
–
HTTP—This service is to be enabled. This is used by the BTS 10200 to offer results of report
generation. This will migrate to HTTPS.
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-7
Solaris OS Security and BTShard Package
• The following UNIX accounts are to be LOCKED but not removed from the system: lp, uucp, nuucp,
nobody, listen, and any other Cisco support accounts not used in the normal course of field
operation. Services managed by root are the only accounts allowed to utilize one of these identities.
This is the default behavior.
• Modifications to the Solaris kernel parameters were made to close potential breeches in the OS.
These types of security precautions are most often geared toward “denial of service” attacks. These
types of attacks create situations that degrade the performance of a system and as a result, prohibit
the critical applications from delivering the service they are designed to provide.
• The TCP protocol uses random initial sequence numbers.
• All failed login attempts are logged.
• The following users are not allowed direct FTP access to the machine: root, daemon, bin, sys, adm,
nobody, and noaccess.
• A root user cannot telnet directly to the machine. Direct root user access is granted to the console
only. A user who wants to access the root account must use the su command from a nonprivileged
account.
• The break key (<STOP> <A>) on the keyboard is disabled.
• IP_FORWARD_DIRECTED_BROADCASTS—This option determines whether to forward
broadcast packets directed to a specific net or subnet, if that net or subnet is directly connected to
the machine. If the system is acting as a router, this option can be exploited to generate a great deal
of broadcast network traffic. Turning this option off helps prevent broadcast traffic attacks. The
Solaris default value is 1 (True). For example:
ip_forward_directed_broadcasts=0
Chapter 2 Managing BTS Users and Commands Using EMS
• IP_FORWARD_SRC_ROUTED—This option determines whether to forward packets that are
source routed. These packets define the path the packet should take instead of allowing network
routers to define the path. The Solaris default value is 1 (True). For example:
ip_forward_src_routed=0
• IP_IGNORE_REDIRECT—This option determines whether to ignore the ICMP packets that define
new routes. If the system is acting as a router, an attacker may send redirect messages to alter routing
tables as part of sophisticated attack (man-in-the-middle attack) or a simple denial of service. The
Solaris default value is 0 (False). For example:
ip_ignore_redirect=1
• IP_IRE_FLUSH_INTERVAL—This option determines the period of time at which a specific route
will be kept, even if currently in use. Address Resolution Protocol (ARP) attacks may be effective
with the default interval. Shortening the time interval may reduce the effectiveness of attacks. The
default interval is 1200000 milliseconds (20 minutes). For example:
ip_ire_flush_interval=60000
• IP_RESPOND_TO_ADDRESS_MASK_BROADCAST—This option determines whether to
respond to ICMP netmask requests, typically sent by diskless clients when booting. An attacker may
use the netmask information for determining network topology or the broadcast address for the
subnet. The default value is 0 (False). For example:
ip_respond_to_address_mask_broadcast=0
2-8
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
• IP_RESPOND_TO_ECHO_BROADCAST—This option determines whether to respond to ICMP
broadcast echo requests (ping). An attacker may try to create a denial of service attack on subnets
by sending many broadcast echo requests to which all systems will respond. This also provides
information on systems that are available on the network. The Solaris default value is 1 (True). For
example:
ip_respond_to_echo_broadcast=1
• IP_RESPOND_TO_TIMESTAMP—This option determines whether to respond to ICMP timestamp
requests, that some systems use to discover the time on a remote system. An attacker may use the
time information to schedule an attack at a period of time when the system may run a cron job (or
other time-based event) or otherwise be busy. It may also be possible predict ID or sequence
numbers that are based on the time of day for spoofing services. The Solaris default value is 1 (True).
For example:
ip_respond_to_timestamp=0
• IP_RESPOND_TO_TIMESTAMP_BROADCAST—This option determines whether to respond to
ICMP broadcast timestamp requests, that are used to discover the time on all systems in the
broadcast range. This option is dangerous for the same reasons as responding to a single timestamp
request. Additionally, an attacker may try to create a denial of service attack by generating many
broadcast timestamp requests. The default value is 1 (True). For example:
ip_respond_to_timestamp_broadcast=0
Solaris OS Security and BTShard Package
• IP_SEND_REDIRECTS—This option determines whether to send ICMP redirect messages, that
can introduce changes into the routing table of the remote system. It should only be used on systems
that act as routers. The Solaris default value is 1 (True). For example:
ip_send_redirects=0
• IP_STRICT_DST_MULTIHOMING—This option determines whether to enable strict destination
multihoming. If this is set to 1 and ip_forwarding is set to 0, then a packet sent to an interface from
which it did not arrive will be dropped. This setting prevents an attacker from passing packets across
a machine with multiple interfaces that is not acting a router. The default value is 0 (False). For
example:
ip_strict_dst_multihoming=1
• TCP_CONN_REQ_MAX_Q0—This option determines the size of the queue containing half-open
connections. This setting provides protection from SYN flood attacks. Solaris 2.6 and 7 (and 2.5.1
with patch 103582-12 and higher) include protection from these attacks. The queue size default is
adequate for most systems but should be increased for busy web servers. The default value is 1024.
For example:
tcp_conn_req_max_q0=4096
• The following startup files are removed from the level “3” runtime environment of the BTS 10200.
These services can still be started manually if required in laboratory circumstances. They are not
required for field operations.
–
S71rpc
–
S73cachefs.daemon
–
S73nfs.client
OL-16000-07
–
S74autofs
–
S80lp
–
S80spc
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-9
Chapter 2 Managing BTS Users and Commands Using EMS
Solaris OS Security and BTShard Package
–
S88sendmail
–
S93cacheos.finish
–
S99dtlogin
Operator Interface
Additional commands have been added to manage the UNIX services in the BTS 10200. These
commands are available from the CLI/MAINT interface. In addition, these same commands are also
available from the CORBA and bulk-provisioning interface. There are no schemas and tables associated
with these commands. They directly control the UNIX services. These services are only enabled for the
lifetime of the current kernel instance. They are reset to the installed defaults when a kernel reboot is
performed.
Table 2-3 describes the system services available using the node command.
Table 2-3 Node Command for UNIX Services
Noun Verb Options Description
Node Change SERVICE [Required]
Defines the service to change.
Must be one of the
following: FTP,
TELNET, ECHO,
DISCARD, PRINTER,
DAYTIME, CHARGEN,
SMTP, TIME, FINGER,
SUNRPC, EXEC,
LOGIN, SHELL, UUCP,
NFS, LOCKD, X11,
DTSCP,
FONT-SERVICES,
HTTP.
Node Change ENABLE [Required] A Boolean flag [Y/N] that indicates whether to turn
this service on or off.
Node Change NODE [Required] The node name in the BTS 10200 where the service
is managed.
2-10
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
Solaris OS Security and BTShard Package
Table 2-3 Node Command for UNIX Services (continued)
Noun Verb Options Description
Node Show SERVICE [Required]
Must be one of the
following: FTP,
TELNET, ECHO,
DISCARD, PRINTER,
DAYTIME, CHARGEN,
SMTP, TIME, FINGER,
SUNRPC, EXEC,
LOGIN, SHELL, UUCP,
NFS, LOCKD, X11,
DTSCP,
FONT-SERVICES,
HTTP.
Node Show Node [Required] Defines the node to display for the state of the
Defines the service to display.
service.
Vulnerabilities in H.323 Message Processing
During 2002 the University of Oulu Security Programming Group (OUSPG) discovered a number of
implementation-specific vulnerabilities in the Simple Network Management Protocol (SNMP).
Subsequent to this discovery, the National Infrastructure Security Coordination Centre (NISCC)
performed and commissioned further work on identifying implementation specific vulnerabilities in
related protocols that are critical to the United Kingdom Critical National Infrastructure. One of these
protocols is H.225, that is part of the H.323 family and is commonly implemented as a component of
multimedia applications such as Voice over IP (VoIP).
OUSPG produced a test suite for H.225 and employed it to validate their findings against a number of
products from different vendors. The test results have been confirmed by testing performed by NISCC
and the affected vendors contacted with the test results. These vendors' product lines cover a great deal
of the existing critical information infrastructure worldwide and have therefore been addressed as a
priority. However, the NISCC has subsequently contacted other vendors whose products employ H.323
and provided them with tools with which to test these implementations.
Authentication, Authorization and Accounting Support
These extensions represent modifications to the current scheme of user account management on the
system. It includes support for the following two protocols; these protocols are not required to be
mutually inclusive.
• Radius Protocol
• Lightweight Directory Access Protocol (LDAP)
OL-16000-07
Prior to Release 4.4, user account management for the BTS 10200 used the standard Solaris password
management facilities without the use of the Authentication Dial-In User Service Network Information
Service (NIS). All accounts are stored locally and referenced locally. This security feature begins
support for a complete AAA model for user account management. This model impacts several internal
subsystems of the BTS 10200 Element Management System (EMS) application. It also impacts the core
login support on the other nodes of the BTS 10200.
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-11
Sun Microsystems Configurations
Pluggable Authentication Module Support
The BTS 10200 deploys a Secure Shell (SSH) package with Pluggable Authentication Module (PAM)
support. The package includes the PAM support required to utilize the Radius and LDAP servers.
The supporting configuration allows local accounts to fall through if the Radius and LDAP servers are
not available. These default local accounts for the BTS 10200 are the btsuser, btsadmin and secadmin
accounts. These are the standard default accounts provided in the base product and use the native
password management.
A UNIX-based user provides access to the operating system on all nodes. The oamp user is defined for
package management purposes. The account is locked and no password is available. However, to grant
UNIX access to all nodes of the BTS 10200, a default password is provided.
When PAM support is used, SSH transfers the control of authentication to the PAM library, that then
loads the modules specified in the PAM configuration file. Finally, the PAM library tells SSH whether
the authentication was successful. SSH is not aware of the details of the actual authentication method
employed by PAM. Only the final result is of interest.
User Security Account Management
Chapter 2 Managing BTS Users and Commands Using EMS
The BTS 10200 EMS contains an application program known as User Security Management (USM).
This program determines if an account is local or off-board. Password management facilities are disabled
for all accounts on the BTS 10200 when an AAA deployment is configured. The AAA deployment
transfers the responsibility for these existing facilities to the end-user AAA servers. These facilities
include the following attributes:
• Password aging, warning, and expiration
• Password reset and automatic account locking
• Local account management (password and shadow files) for new accounts
Sun Microsystems Configurations
Table 2-4 lists the Solaris 10 architecture-specific or hardware specific packages for certain Sun
Microsystems configurations.
Table 2-4 Solaris Architectural- or Hardware-Specific Optional Package List
Package Description Type Status
SMEvplr SME platform links SYSTEM —
SMEvplu SME usr/platform links SYSTEM —
SUNWaudd Audio drivers SYSTEM —
SUNWauddx Audio drivers (64-bit) SYSTEM —
SUNWced Sun GigaSwift Ethernet Adapter (32-bit driver) SYSTEM —
SUNWcedx Sun GigaSwift Ethernet Adapter (64-bit driver) SYSTEM —
SUNWcg6 GX (cg6) device driver SYSTEM —
SUNWcg6x GX (cg6) device driver (64-bit) SYSTEM —
SUNWcsd Core Solaris devices SYSTEM —
2-12
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
Table 2-4 Solaris Architectural- or Hardware-Specific Optional Package List (continued)
Package Description Type Status
SUNWdfb Dumb Frame Buffer device drivers SYSTEM —
SUNWensqr Ensoniq ES1370/1371/1373 Audio device driver
(32-bit) (Root)
SUNWensqx Ensoniq ES1370/1371/1373 Audio device driver
(64-bit) (Root)
SUNWeridx Sun RIO 10/100 Mb Ethernet drivers (64-bit) SYSTEM —
SUNWfcip Sun FCIP IP/ARP over FibreChannel device
driver
SUNWfcipx Sun FCIP IP/ARP over FibreChannel device
driver (64-bit)
SUNWfcp Sun FCP SCSI device driver SYSTEM —
SUNWfcpx Sun FCP SCSI device driver (64-bit) SYSTEM —
SUNWfctl Sun Fibre Channel Transport layer SYSTEM —
SUNWfctlx Sun Fibre Channel Transport layer (64-bit) SYSTEM —
SUNWfruid FRU ID prtfru Command and libfru library SYSTEM —
SUNWfruip FRU ID Platform Data module and Access
libraries
SUNWfruix FRU ID library (64-bit) SYSTEM —
SUNWged Sun Gigabit Ethernet Adapter driver SYSTEM —
SUNWglmr rasctrl environment monitoring driver for i2c
(Root) (32-bit)
SUNWglmx rasctrl environment monitoring driver for i2c
(Root) (64-bit)
SUNWi2cr device drivers for I2C devices (Root, 32-bit) SYSTEM —
SUNWi2cx device drivers for I2C devices (Root, 64-bit) SYSTEM —
SUNWidecr IDE device drivers SYSTEM —
SUNWidecx IDE device drivers (Root) (64bit) SYSTEM —
SUNWider IDE device driver (Root) SYSTEM —
SUNWkmp2r PS/2 Keyboard and Mouse device drivers (Root(
(32-bit)
SUNWkmp2x PS/2 Keyboard and Mouse device drivers (Root)
(64-bit)
SUNWmdr Solstice DiskSuite drivers SYSTEM Required by the
SUNWmdx Solstice DiskSuite drivers(64-bit) SYSTEM Required by the
SUNWmdi Sun Multipath I/O drivers SYSTEM —
SUNWmdix Sun Multipath I/O drivers (64-bit) SYSTEM —
SUNWpd PCI drivers SYSTEM —
Sun Microsystems Configurations
SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
BTS 10200
BTS 10200
OL-16000-07
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-13
Solaris OS Patches
Chapter 2 Managing BTS Users and Commands Using EMS
Table 2-4 Solaris Architectural- or Hardware-Specific Optional Package List (continued)
Package Description Type Status
SUNWpdx PCI drivers (64-bit) SYSTEM —
SUNWpiclh PICL Header files SYSTEM —
SUNWpiclr PICL Framework (Root) SYSTEM —
SUNWpiclu PICL libraries and Plugin modules (Usr) SYSTEM —
SUNWpiclx PICL libraries (64-bit) SYSTEM —
SUNWqfed Sun Quad FastEthernet Adapter driver SYSTEM —
SUNWqfedx Sun Quad FastEthernet Adapter driver (64-bit) SYSTEM —
SUNWqlc Qlogic ISP 2200/2202 Fiber Channel device
driver
SUNWqlcx Qlogic ISP 2200/2202 Fiber Channel device
driver (64-bit)
SUNWses SCSI Enclosure Services device driver SYSTEM —
SUNWsesx SCSI Enclosure Services device driver (64-bit) SYSTEM —
SUNWsior SuperIO 307 (plug-n-play) device drivers (Root) SYSTEM —
SUNWsiox SuperIO 307 (plug-n-play) device drivers (Root)
(64-bit)
SUNWssad SPARCstorage Array drivers SYSTEM —
SUNWssadx SPARCstorage Array drivers (64-bit) SYSTEM —
SUNWssaop Administration Utilities and Firmware for
SPARCStorage Array
SUNWuaud USB Audio drivers SYSTEM —
SUNWuaudx USB Audio drivers (64-bit) SYSTEM —
SUNWusb USB device drivers SYSTEM —
SUNWusbx USB device drivers (64-bit) SYSTEM —
SUNWxwdv X Windows System Window drivers SYSTEM —
SUNWxwdvx X Windows System Window drivers (64-bit) SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
SYSTEM —
Solaris OS Patches
This chapter describes the BTS 10200 Solaris OS patches.
Trace Normal Forms (TNF) Support
The TNF package provides the Solaris tool suite with enhanced debugging capabilities of applications
as they execute in the target environment. TNF supports program execution traces at both the user and
kernel level The package includes the following:
• SUNWtnfc—Utilities needed to enable probe points, in the kernel and in applications, that can
generate TNF records in a trace file.
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
2-14
OL-16000-07
Loading...