Chapter 18
Configuring SGM Security
This chapter provides the following information about configuring SGM security
and limiting access to SGM:
• Configuring SGM User-Based Access, page 18-1
• Implementing SSL Support in SGM, page 18-26
• Limiting SGM Client Access to the SGM Server (Solaris Only), page 18-40
Configuring SGM User-Based Access
SGM enables you to control who is allowed to do what in SGM, beyond simply
specifying root and non-root users. SGM calls this ability User-Based Access.
• Manually Disabling Users and Passwords (Solaris Only), page 18-14 (Optional)
• Enabling and Changing Users and Passwords (Solaris Only), page 18-16 (Optional)
• Displaying a Message of the Day, page 18-18 (Optional)
• Manually Synchronizing Local SGM Passwords, page 18-21 (Optional)
• Listing All Currently Defined Users, page 18-21 (Optional)
• Displaying the Contents of the System Security Log, page 18-22 (Optional)
Step 3 If you have already configured the type of SGM security authentication you want to use, skip to Step 4. Otherwise, configure the type of SGM security authentication you want to use:
• Local authentication allows you to create user accounts and passwords local to the SGM system. When using this method, you can use the SGM User-Based Access commands to manage user names, passwords, and access levels. To enable local au
• To enable Solaris authentication, enter the following command:
# ./sgm authtype solaris
See the “SGM Command Reference” section on page C-1 for more information on the use of each of the above SGM commands.
Step 4 To add a user to your SGM User-Based Access authentication list, use the following command:
# ./sgm adduser username
where username is the name of the user.
Note If sgm authtype is set to solaris, you mu
Note If sgm authtype is set to solaris, users cannot change their passwords using the SGM client. Instead, they must manage their passwords on the external authentication servers, using Solaris commands such as passwd. All new passwords take effect the next time SGM automatically synchronizes local SGM passwords with Solaris, or you can manually synchronize passwords at any time using the sgm syncusers command. S
• The password cannot be a common word. SGM uses the dictionary located at /usr/lib/share/dict/words to determine whether a word is common. To override the SGM dictionary, change the DICT_FILE entry in the System.properties file:
– To disable the SGM dictionary and allow common words, change the DICT_FILE entry to:
DICT_FILE=/dev/null
– To use a custom dictionary, change the DICT_FILE entry to:
DICT_FILE=/new-dictio
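As an added illustration of the dictionary rule above (example code written for this page, not SGM's own code), the following checker reads a DICT_FILE-style word list and rejects a password that is a common word. The one-word-per-line file layout, the function names and the constructed sample word list are assumptions. The variant forms it also tests (case folding, stripped leading and trailing digits or punctuation, and common digit-for-letter substitutions) go beyond what the page documents for SGM; they show how a dictionary check is usually hardened so that "P@ssw0rd" is not accepted while "password" is refused. Pointing the checker at os.devnull reproduces the effect of DICT_FILE=/dev/null: an empty dictionary, so every password passes the common-word test.

```python
"""Dictionary check modelled on the DICT_FILE rule (added example, not SGM code).

Assumptions: the word list is one word per line, and the variant forms checked
below (case folding, stripped edge digits/punctuation, digit-for-letter
substitutions) are hardening choices of this example, not documented SGM behaviour.
"""
import os
import tempfile

# Pointing the checker here reproduces DICT_FILE=/dev/null: an empty dictionary.
DICT_DISABLED = os.devnull

# Common substitutions reversed so "P@ssw0rd" is compared as "password" (assumption).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
EDGE_CHARS = "0123456789!@#$%^&*()_-+=.,;:"


def load_dictionary(dict_file: str) -> frozenset:
    """Read a one-word-per-line dictionary such as /usr/lib/share/dict/words.

    An empty or unreadable file yields an empty set, which is why setting
    DICT_FILE to /dev/null disables the common-word check.
    """
    words = set()
    try:
        with open(dict_file, encoding="utf-8", errors="ignore") as fh:
            for line in fh:
                word = line.strip().lower()
                if word:
                    words.add(word)
    except OSError:
        pass
    return frozenset(words)


def candidate_forms(password: str) -> set:
    """Forms of the password that a dictionary attack would try cheaply."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    for form in list(forms):
        forms.add(form.strip(EDGE_CHARS))
    return {form for form in forms if form}


def is_common_word(password: str, words: frozenset) -> bool:
    """True when the password, or one of its cheap variants, is in the dictionary."""
    return any(form in words for form in candidate_forms(password))


def check_password(password: str, dict_file: str) -> bool:
    """True when the password is acceptable under the dictionary rule."""
    return not is_common_word(password, load_dictionary(dict_file))


def write_sample_dictionary() -> str:
    """Write a small constructed word list (not the real Solaris dictionary)
    to a temporary file and return its path."""
    sample_words = ["password", "secret", "welcome", "solaris", "cisco"]
    fd, path = tempfile.mkstemp(prefix="sgm-dict-", suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(sample_words) + "\n")
    return path


if __name__ == "__main__":
    dictionary = write_sample_dictionary()
    for candidate in ("password", "P@ssw0rd", "Welcome2024!", "xq7!Lm2#vR"):
        verdict = "ok" if check_password(candidate, dictionary) else "rejected (common word)"
        print(f"{candidate:15} {verdict}")
    print("with DICT_FILE=/dev/null:", check_password("password", DICT_DISABLED))
    os.remove(dictionary)
```

The practical caveat the example makes visible: DICT_FILE=/dev/null does not merely relax the rule, it removes it entirely, so a custom, smaller dictionary is the safer way to tune the check.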
Note Access to SGM information and downloads on Cisco.com is already protected by Cisco.com, and is not protected by SGM.
To configure the authentication level for a user, use the sgm adduser command, as described in the “Implementing SGM User-Based Access (Solaris Only)” section on page 18-2, or the sgm updateuser or sgm newlevel command, as described in the “Enabling and Changing Users and Passwords (Solaris Only)
• System Data Files
– Notes
– Views
– Preferences
• Viewing SGM documentation
• Downloading client software
Power User (Level 2) Access
Power Users have access to all Basic User functions. Power Users can change some aspects of the way SGM works. Power Users have access to the following SGM functions:
• Editing network objects, events, and views
• Unignoring network objects and views
• Saving preferences files, event fi
• Telnetting to the ITP
• Viewing route table files and GTT files, but not editing them
Network Operators have access to the following SGM Web displays:
• Point Code Inventories
• System Data Files
– Route table files
– Global Title Translation (GTT) table files
– System ITP IOS README
Network Administrator (Level 4) Access
Network Administrators have access to all Basic User, Power User, and Network Operator functions
System Administrators have access to the following SGM Web displays:
• System Messages and Logs
• System Status, including User Accounts and System Troubleshooting
• Trap Host Configuration, including SNMP configuration information
• System Information
– System Command Log
– System Console Log
– System Event Automation Log
– System Install Log
– System Process Services
– System Properties
– System Report Parameters and
Step 2 Enter the following command:
# cd /opt/CSCOsgm/bin
Step 3 (Optional) You can configure SGM to generate an alarm after a specified number of unsuccessful login attempts by a user. To do so, enter the following command:
# ./sgm badloginalarm number-of-attempts
where number-of-attempts is the number of unsuccessful login attempts allowed before SGM generates an alarm. The valid range is 1 unsuccessful attempt to a
Step 5 (Optional) SGM keeps track of the date and time each user last logged in. You can configure SGM to disable a user’s security authentication automatically after a specified number of days of inactivity. To do so, enter the following command:
# ./sgm inactiveuserdays number-of-days
where number-of-days is the number of days a user can be inactive before SGM disables the user’s authentication. SGM does not delete
If you have enabled this function and you want to disable it (that is, prevent SGM from forcing users to change passwords), enter the following command:
# ./sgm passwordage clear
Note If sgm authtype is set to solaris, you cannot use the sgm passwordage command. Instead, you must manage passwords on the external authentication servers.
Step 7 (Optional) You can configure SGM to disconnect an SGM or GTT client automa
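To make the three automatic controls in this procedure concrete (badloginalarm, inactiveuserdays, and passwordage, including passwordage clear and the solaris restriction), here is an added example written for this page; it is not SGM's own code, which keeps this state inside the server. The User and Policy types, the function names and the constructed user records are assumptions. The example shows the alarm firing on the Nth unsuccessful attempt and the counter resetting on success, an idle account being disabled rather than deleted, the report of accounts whose password has aged past the limit, None standing in for a cleared setting, and a passwordage value being rejected when authtype is solaris.

```python
"""Account-lifecycle policy modelled on badloginalarm, inactiveuserdays and
passwordage (added example, not SGM code; types, names and sample data are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


def passwordage_allowed(authtype: str, password_age_days: Optional[int]) -> bool:
    """The page: sgm passwordage cannot be used when authtype is solaris;
    passwords are then aged on the external authentication servers instead."""
    return password_age_days is None or authtype != "solaris"


@dataclass
class Policy:
    authtype: str = "local"                   # "local" or "solaris"
    bad_login_alarm: Optional[int] = None     # None: no alarm configured
    inactive_user_days: Optional[int] = None  # None: no inactivity rule
    password_age_days: Optional[int] = None   # None: state after "sgm passwordage clear"

    def __post_init__(self) -> None:
        if not passwordage_allowed(self.authtype, self.password_age_days):
            raise ValueError("sgm passwordage is not available when authtype is solaris")


@dataclass
class User:
    name: str
    level: int                 # 1 Basic User ... 5 System Administrator
    last_login: datetime
    password_set: datetime
    enabled: bool = True
    failed_logins: int = 0


def record_failed_login(user: User, policy: Policy) -> bool:
    """Count one unsuccessful login. Returns True on the attempt at which the
    configured badloginalarm threshold is reached (where SGM would raise an alarm)."""
    user.failed_logins += 1
    return policy.bad_login_alarm is not None and user.failed_logins == policy.bad_login_alarm


def record_successful_login(user: User, now: datetime) -> None:
    """A successful login clears the failure count and refreshes the
    last-login timestamp that the inactivity rule is judged against."""
    user.failed_logins = 0
    user.last_login = now


def apply_inactivity_rule(users: List[User], policy: Policy, now: datetime) -> List[str]:
    """Disable, but never delete, accounts idle longer than inactiveuserdays."""
    if policy.inactive_user_days is None:
        return []
    cutoff = now - timedelta(days=policy.inactive_user_days)
    newly_disabled = []
    for user in users:
        if user.enabled and user.last_login < cutoff:
            user.enabled = False
            newly_disabled.append(user.name)
    return newly_disabled


def users_due_password_change(users: List[User], policy: Policy, now: datetime) -> List[str]:
    """Accounts whose password is older than passwordage days; empty once cleared."""
    if policy.password_age_days is None:
        return []
    cutoff = now - timedelta(days=policy.password_age_days)
    return [user.name for user in users if user.password_set < cutoff]


def build_sample_state():
    """Constructed records for the demo; not taken from any real SGM server."""
    now = datetime(2024, 1, 31, 12, 0)
    users = [
        User("alice", 5, now - timedelta(days=2), now - timedelta(days=10)),
        User("bob", 2, now - timedelta(days=45), now - timedelta(days=100)),
        User("carol", 3, now - timedelta(days=1), now - timedelta(days=95)),
    ]
    policy = Policy(bad_login_alarm=3, inactive_user_days=30, password_age_days=90)
    return now, users, policy


def run_demo():
    now, users, policy = build_sample_state()
    alice = users[0]
    alarm_per_attempt = [record_failed_login(alice, policy) for _ in range(3)]
    record_successful_login(alice, now)          # counter returns to 0
    disabled = apply_inactivity_rule(users, policy, now)
    due = users_due_password_change(users, policy, now)
    still_defined = [user.name for user in users]   # disabled accounts remain listed
    cleared = users_due_password_change(users, Policy(password_age_days=None), now)
    return alarm_per_attempt, alice.failed_logins, disabled, due, still_defined, cleared


if __name__ == "__main__":
    labels = ("alarm fired per attempt", "failed logins after success",
              "disabled for inactivity", "password change due", "still defined",
              "due after passwordage clear")
    for label, value in zip(labels, run_demo()):
        print(f"{label}: {value}")
```

Two points worth noticing when mapping this back to SGM: inactivity only disables authentication, so the account must still be re-enabled or removed deliberately, and a cleared passwordage silently stops all forced password changes rather than restoring a default.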
Manually Disabling Users and Passwords (Solaris Only)
As described in the “Automatically Disabling Users and Passwords (Solaris Only)” section on page 18-10, you can customize SGM to automatically disable users and passwords when certain conditions are met. However, you can also manually disable SGM User-Based Access users and passwords when the need arises. To do so, use the following procedures:
Step 1 Log in as t
You can also re-enable the user’s authentication with the same password, or with a new password:
• To re-enable the user’s authentication with the same password as before, use the sgm enableuser command.
• To re-enable the user’s authentication with a new password, use the sgm userpass command.
Step 5 (Optional) To disable a user’s authentication, but not the user’s password, use the following command:
# ./sgm disab
Enabling and Changing Users and Passwords (Solaris Only)
SGM also enables you to re-enable users and passwords, and to change user accounts. To enable and change users and passwords, use the following procedures:
Step 1 Log in as the root user, as described in the “Becoming the Root User (Solaris Only)” section on page 2-3, or as a super user, as described in the “Specifying a Super User (Solaris Only)” sect
Note If sgm authtype is set to solaris, you cannot use the sgm userpass command. Instead, you must manage passwords on the external authentication servers.
Step 5 (Optional) To change a user’s authentication level and password, enter the following command:
# ./sgm updateuser username
where username is the name of the user.
Note If sgm authtype is set to solaris, you must be logged in as the root user, not as a super
Step 6 (Optional) To change a user’s authentication level, but not the user’s password, enter the following command:
# ./sgm newlevel username
where username is the name of the user. SGM prompts you for the new authentication level. Valid levels are:
1—Basic User
2—Power User
3—Network Operator
4—Network Administrator
5—System Administrator
For more information about authentication levels, see the “Configuring
SGM displays the Message of the Day dialog (Figure 18-1).
Figure 18-1 Message of the Day Dialog
The Message of the Day dialog contains the following fields and buttons:
Field or Button: Description
Message of the Day Last Updated: Date and time the message of the day was last updated. If there is no message of the day, SGM displays Unknown.
Message Field: Text of the message of the day. If there is no message of the day
Decline: Closes the Message of the Day dialog and exits the client. This button is available when there is a message of the day and you launch the SGM client or GTT client.
OK: Closes the Message of the Day dialog without exiting the client. This button is available if you displayed the Message of the Day dialog by selecting View > Message of the Day from the SGM Main Menu.
If you want to con