HPE 5400R Switch Series Version 5.011 Common Criteria

HPE 5400R Switch Series Version 5.011
Common Criteria Configuration Guide
February 17, 2016
Document Version 1.0
Document History and Versions
Version  Date         Description of Changes
1.0      17-Feb-2016  Initial Version
Contents
1 Introduction
1.1 Intended Audience
1.2 About Common Criteria
1.3 Related Documents
1.4 Evaluated Configuration
1.5 Assumptions
1.5.1 Front Panel Security
2 How to Access Your System
2.1 Management Console
2.1.1 USB Console Port Driver Download
2.1.2 Configuring the management console connection
2.1.3 Setting up a console connection
2.1.4 Console Cable Pinouts
3 Setting Up the Common Criteria Configuration
3.1 Prerequisites
3.1.1 Use of the CLI
3.1.2 Use of the Menu
3.2 Updating Switch Software
3.2.1 Updating Switch Software via USB
3.3 Software Signing and Verification
3.3.1 Flash Verification
3.3.2 Running Version Verification
3.3.3 Signature Verification
3.4 Enabling Enhanced secure mode
3.5 Network Configuration
3.5.1 Configuring an IP Address and Subnet Mask
3.5.2 Creating a Secure Management VLAN
3.6 Date and Time Configuration
3.6.1 Updating Date and Time via TimeP Server
3.6.2 Updating Date and Time via SNTP Server
3.6.3 Updating Date and Time Manually
3.6.4 Time Zone
3.7 Configuring Cryptographic Services
3.7.1 SSH
3.7.2 TLS
3.8 User, Password, and Session Management
3.8.1 Configuring Login Banner
3.8.2 Configuring Session Timeouts
3.8.3 Configuring Role-Based Access Control
3.9 Finalizing Configuration
3.9.1 Disabling Services Not Under Evaluation
3.9.2 Booting to Evaluated Configuration
4 Role-Based Access Control
4.1 Overview of RBAC
4.1.1 Privilege Levels
4.1.2 Creating Authorization Groups
5 Audit Functionality
5.1 Accessing Audit Logs
5.1.1 Audit log format
5.1.2 List of Auditable Events (As Mandated by the NDPP)
6 Self-tests
6.1 Front Panel LED Behavior
7 Process List
1 Introduction
This guide provides the information an administrator would need to set up and administer the HPE 5400R
Switch Series Version 5.011 network appliances in compliance with the Common Criteria evaluated
configuration. Follow this guide in its entirety to ensure that the settings of each parameter match the
specific configuration that was evaluated and certified as secure by the Common Criteria certification.
1.1 Intended Audience
This information is intended for use by administrators who are responsible for investigating and managing
network security for their organization. To use this guide you must have knowledge of your organization’s
network infrastructure and networking technologies.
1.2 About Common Criteria
The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international
standard for certification of the security of computer systems, networks, and application software. The
certification ensures that the claims about the security attributes of the evaluated product were
independently verified in the evaluated configuration operated in the specific environment.
1.3 Related Documents
For more information about the HPE 5400R Switch Series, please refer to the following documents:
Identifier       Edition  Title
Security Target  V1.0     HPE 5400R zl2 Networking Switches Security Target
BOG              V3.0     HPE Switch Software Basic Operation Guide
MCG              V1.0     HPE Switch Software Management and Configuration Guide KB.15.18
ASG              V1.0     HPE Switch Software Access Security Guide KB.15.18
Table 1-1. Guidance Documentation
1.4 Evaluated Configuration
The evaluated configuration consists of the following switch series:
• HPE 5406R zl2 Switch
• HPE 5412R zl2 Switch
• HPE 5406R-44G-PoE+/2SFP+ (No PSU) v2 zl2 Switch
• HPE 5406R-44G-PoE+/4SFP (No PSU) v2 zl2 Switch
• HPE 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch
• HPE 5412R-92G-PoE+/2SFP+ (No PSU) v2 zl2 Switch
• HPE 5412R-92G-PoE+/4SFP (No PSU) v2 zl2 Switch
While the physical form factor of each appliance in the HPE Networking family may vary, the underlying
hardware and software share similar architecture. The software utilizes a common code base of a
modular nature with only the modules applicable for the specific hardware loaded.
1.5 Assumptions
There are specific conditions that are assumed to exist in the HPE Switches for Operational Environment.
The following table lists assumptions about the Operational Environment.
Assumptions for Operational Environment
No General Purpose   It is assumed that general-purpose computing capabilities are not used for any
                     other purpose but as required for the operation, administration and support of
                     the device.
Physical Security    The physical security, commensurate with the value of the device and the data it
                     contains, is assumed to be provided by the operational environment.
Administration       All administrators are trusted to follow and apply all guidance in a secure and
                     trusted manner.
Table 1-2. Assumptions Made on the Operational Environment
1.5.1 Front Panel Security
The front panel of the switch contains two buttons that can affect device operation: Reset and Clear.
1.5.1.1 System Reset Button
This button will reset the entire switch, including the second management module, when powered on.
This action clears any temporary error conditions that may have occurred, executes the switch self-test,
and resets all network activity counters to zero. The counters are displayed in the switch console
interface, the switch web browser interface, and through SNMP network management applications, such
as Intelligent Management Center.
1.5.1.2 Clear Button
This button is used for the following purposes:
• Deleting Passwords – When pressed for at least one second on either one of the Management
Modules, the Clear button deletes any switch console access passwords that you may have
configured.
• Restoring Factory Default Configuration – When pressed with the Reset button in a specific
pattern, the Clear button restores the factory default configuration to the switch. The specific
patterns to accomplish the Restore Factory Default Configuration are:
1. Press both the System Reset and Clear buttons simultaneously.
2. Release the System Reset button, but continue to hold the Clear button.
3. Release the Clear button immediately when you see the Test LED begin to flash on both
the Management Modules.
WARNING
The Clear button is provided for user convenience. Do not use the Clear button unless you wish to
return the switch to its factory default configuration. Using the Clear button will take the switch
out of the evaluated configuration.
2 How to Access Your System
2.1 Management Console
The switch has a full-featured, easy to use console interface for performing switch management tasks
including:
• Monitor switch and port status and observe network activity statistics
• Modify the switch’s configuration to optimize switch performance, enhance network traffic control,
and improve network security
• Read the event log and access diagnostic tools to help in troubleshooting
• Download new software to the switch
• Add passwords to control access to the switch from the console and network management
stations (i.e., SSH).
To connect a console to the switch, use the RJ-45 console cable shipped with the switch. Alternatively,
you can use a USB cable (not supplied) for a console connection. (See “USB Console Port Notes”
below.) Connect a PC or VT-100 terminal to either of the Console ports. The connected PC or terminal
then functions as a management console connected directly to the switch.
The switch can simultaneously support one out-of-band console session, through one of the console
ports, and in-band Telnet console sessions. The console ports are used only for out-of-band
management, not for Telnet sessions.
2.1.1 USB Console Port Driver Download
When using the USB Console Port, the connected PC first requires “virtual COM port” USB drivers to be
installed.
USB drivers are available for Windows XP (SP3 or later), Windows Vista (SP2 or later), Windows 7 (SP1
or later), Windows 8, and Windows 10. The drivers can be found on the HPE Web site at
www.hpe.com/networking/support. On that web site, follow these steps:
1. Type your product model (for example, 5400R), or product number in the Auto Search text box.
2. Select one of the switches from the drop down list.
3. Click the “Show Selected Items” button.
4. From the options that appear, select Software downloads (on the right-hand side). Then,
download the “USB Console Port Drivers and Information”.
Your PC’s operating system may also automatically find the correct driver when it detects the switch USB
connection.
USB Console Port and RJ-45 Console Port Interaction. Note that you cannot use both the RJ-45 and
USB console ports at the same time. By default, the RJ-45 console port is active (to allow remote access
to the switch via a terminal server). But, when the USB console port is connected to the switch and then
to a live PC, it takes priority over the RJ-45 console port and becomes the active port. If the USB console
session is closed by the inactivity timer, though, the RJ-45 console port becomes active again.
To reactivate the USB console port, make sure that the USB console cable is connected to a live PC and
then simply unplug it from the switch and then reconnect it to the switch. If desired, you can configure the
inactivity timer to a longer time by following the steps in Section 3.8.2: Configuring Session Timeouts.
Figure 2-1. Connecting a console cable
2.1.2 Configuring the management console connection
To configure a console to manage the switch through the console port connection:
1. Configure the PC terminal emulator as a DEC VT-100 (ANSI) terminal, or use a VT-100 terminal.
2. Configure the terminal with the following settings:
a. A baud rate from 1200 to 115200 (the switch senses the speed)
b. 8 data bits, 1 stop bit, no parity, and flow control set to Xon/Xoff
c. For the Windows Terminal program, disable (uncheck) the “Use Function, Arrow, and Ctrl
Keys for Windows” option.
d. For the Hilgraeve HyperTerminal program, select the “Terminal keys” option for the
“Function, Arrow, and Ctrl Keys act as” parameter.
e. For Putty, set connection type to “Serial” and change “Serial Line” to the COM port
associated with the serial connection.
If you use a management console with different configuration settings, be sure to reconfigure the settings
on both the terminal and the switch in the following order so that both configurations are compatible:
1. Reconfigure the switch and save the new settings.
2. Reconfigure the terminal and save the new settings.
3. Reboot the switch and re-establish the console session.
2.1.3 Setting up a console connection
To access the Switch through a Console port (out-of-band) connection, follow these steps:
1. Configure the management console as described above under Section: Configuring the
management console connection.
2. For a direct console connection, connect the PC or terminal to the Console serial port using one
of these console cables:
a. A DB9-to-RJ45 cable (shipped with the switch).
b. A micro-USB cable (not provided).
3. Power on the management console (terminal or PC). If you are using a PC, start the PC terminal
program.
4. For a direct console connection through the Console port:
a. Press Enter two or three times to display the copyright page and the message Press
any key to continue.
b. Press any key to display the switch console command (CLI) prompt; for example: HPE
Switch#
c. Continue the console session to configure the switch by following the procedure in
“Minimal Configuration through the Out-of-Band Console Connection”.
2.1.4 Console Cable Pinouts
The console cable has an RJ-45 plug on one end and a DB-9 female connector on the other end. Table
2-1 describes the mapping of the RJ-45 to DB-9 pins.
Figure 2-2. RJ-45 to DB-9 pinouts
RJ-45 (signal reference from chassis)
Pin  Signal
1    Reserved
2    Reserved
3    TXD
4    Reserved
5    GND
6    RXD
7    Reserved
8    Reserved
DB-9 (signal reference from PC)
Pin  Signal
8    CTS
6    DSR
2    RXD
1    DCD
5    GND
3    TXD
4    DTR
7    RTS
9    RI
Matched by signal name, the connected pairs are RJ-45 pin 3 (TXD) to DB-9 pin 2 (RXD), RJ-45 pin 5
(GND) to DB-9 pin 5 (GND), and RJ-45 pin 6 (RXD) to DB-9 pin 3 (TXD).
Table 2-1. Mapping of RJ-45 to DB-9
3 Setting Up the Common Criteria Configuration
In the factory default configuration, the switch has no IP (Internet Protocol) address and subnet mask,
and no passwords. This section will describe the steps required to configure the switch in accordance
with the security objectives in the Security Target, including:
• IP address configuration
• User and password management
• Date and time configuration
• Enhanced secure mode and cryptographic functionality
3.1 Prerequisites
3.1.1 Use of the CLI
When configuring the switch through the CLI, the operator must be working with Manager role privileges.
A CLI prompt with Manager role privileges will have a # at the end, as in the following example:
HPE Switch# _
Additionally, the operator must be in the Configuration context before issuing CLI configuration
commands. A CLI prompt with Manager role privileges in Configuration context will have a (config)#
at the end, as in the following example:
HPE Switch(config)# _
3.1.1.1 Entering Configuration Context
Before configuring the switch via the CLI, the operator must issue the following command to enter the
Configuration context:
Syntax
configure
3.1.2 Use of the Menu
The menu allows the configuration of some switch settings from a Graphical User Interface. The operator
must issue the following command to enter the menu:
Syntax
menu
If there are pending changes, the switch will prompt for confirmation to save the running configuration
before entering the menu:
Do you want to save the current configuration (y/n?)
Press [Y] to save the current configuration. The Main Menu is then displayed:
Figure 3-1. Main Menu
3.2 Updating Switch Software
Prior to beginning evaluation, the operator must download the validated firmware image from HPE and
load it onto the switch using the update method listed in the following section.
Please visit the CCEVS Product Compliant List (https://www.niap-ccevs.org/Product/) to ensure the
validated version of the product software is used.
3.2.1 Updating Switch Software via USB
The switch's USB port (labeled as Auxiliary Port) allows the use of a USB flash drive for copying files to
and from the switch, given the following rules and prerequisites:
• Unformatted USB flash drives must first be formatted on a PC (Windows FAT format). For
devices with multiple partitions, only the first partition is supported. Devices with secure partitions
are not supported.
• If they already exist on the device, subdirectories are supported. When specifying a
<filename>, you must enter either the individual file name (if at the root) or the full path name
(for example, /subdir/filename).
• To view the contents of a USB flash drive, use the dir command. This lists all files and
directories at the root. To view the contents of a directory, you must specify the subdirectory
name (that is, dir <subdirectory>).
• The USB port supports connection to a single USB device. USB hubs to add more ports are not
supported.
Some USB flash drives may not be supported on your switch. Consult the latest Release Notes for
information on supported devices.
3.2.1.1 Downloading Switch Software using USB (CLI Only)
This procedure assumes that:
• A software version for the switch has been stored on a USB flash drive. (The latest software file is
typically available from the HPE Switch Networking website at www.hp.com.)
• The USB device has been plugged into the switch's USB port.
Issue the following command to copy the switch image to secondary flash:
Syntax
copy usb flash <filename> secondary
Example
To copy a switch software file named KB_15_18_0008.swi from a USB device to secondary flash:
Execute the copy command:
HPE Switch# copy usb flash KB_15_18_0008.swi secondary
The Secondary OS Image will be deleted, continue [y/n]? y
When the switch finishes copying the software file from the USB device, it displays the progress
message:
Validating and Writing System Software to FLASH...
When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded software.
Remove the USB drive, as it is no longer needed.
3.2.1.2 Rebooting the Switch
The switch must boot from the secondary flash to run the installed software update. Issue the following
command to reboot the switch:
Syntax
boot system flash secondary
The switch will prompt for confirmation:
Figure 3-2. Reboot confirmation prompt
Press [Y] to reboot. Once the switch boots, login as directed in Section 2.1.3: Setting up a console
connection, step 4.
3.3 Software Signing and Verification
HPE Networking has implemented digital signature validation for software versions compatible with the
5400R switch series. Once a switch software image has been digitally signed on a specific software
version, all later software versions are also signed. Digitally signed software ensures that the software
originated from HPE and has not been altered.
The operator will execute the following steps to verify that the software under test has been correctly
installed on the switch.
3.3.1 Flash Verification
Issue the following command to verify the software version installed to secondary flash:
Syntax
show flash
Displays version information for software images installed to primary and secondary flash
The switch will display a listing of software images in primary and secondary flash, similar to the following:
Figure 3-3. Example output of the "show flash" command
Verify that the version number for the Secondary Image matches the version installed in Section 3.2.
The version displayed should be KB.15.18.0008 for file KB_15_18_0008.swi.
3.3.2 Running Version Verification
Issue the following command to verify the version of the software currently running on the switch:
Syntax
show version
Figure 3-4. Example output of the "show version" command
Confirm that the version displayed matches the version installed, as indicated by the show flash
command executed in Section 3.3.1. The version displayed should be KB.15.18.0008 for file
KB_15_18_0008.swi.
3.3.3 Signature Verification
Issue the following command to verify the digital signature of the software installed in Section 3.2:
Syntax
verify signature flash secondary
If the signature is valid, the switch will display the following message:
Signature is valid.
Because signature validation is processor intensive, the switch may appear to hang for up to 30 seconds
during the execution of this command.
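The three checks in Sections 3.3.1 to 3.3.3 leave a console transcript that belongs in the evaluation record, and the version string the operator must look for is derived mechanically from the image file name. The following Python script is an added example and is not part of this guide or of HPE's software: it maps the file name to the version string (KB_15_18_0008.swi becomes KB.15.18.0008) and checks a captured session for the three expected results. The embedded transcript is constructed; only the "Secondary" label, the version string form and the "Signature is valid." message come from this guide, while the column layout of the show flash and show version output is an assumption.

```python
import re

# Constructed console transcript for this example. The "Secondary" label, the
# KB.xx.xx.xxxx version form and the "Signature is valid." message are the ones
# the guide describes; the column layout of the two show commands is an
# assumption, not a copy of real switch output.
SAMPLE_SESSION = """\
HPE Switch# show flash
Image            Size (bytes)   Date       Version
Primary Image  :     17902512   01/14/16   KB.15.17.0008
Secondary Image:     18011008   02/03/16   KB.15.18.0008
HPE Switch# show version
Software revision: KB.15.18.0008
Boot image:        Secondary
HPE Switch# verify signature flash secondary
Signature is valid.
HPE Switch#
"""

PROMPT = "HPE Switch#"
VERSION_RE = re.compile(r"\b[A-Z]{2}\.\d{2}\.\d{2}\.\d{4}\b")


def expected_version(image_filename: str) -> str:
    """Map an image file name such as KB_15_18_0008.swi to the version string
    KB.15.18.0008 that show flash and show version report."""
    stem, _, ext = image_filename.rpartition(".")
    parts = stem.split("_")
    if ext.lower() != "swi" or len(parts) != 4:
        raise ValueError(f"unexpected image file name: {image_filename!r}")
    version = ".".join(parts)
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"unexpected version form: {version!r}")
    return version


def command_output(session: str, command: str) -> str:
    """Return the lines printed between the prompt that ran `command` and the
    next prompt (empty string if the command does not appear)."""
    captured, capturing = [], False
    for line in session.splitlines():
        if line.startswith(PROMPT):
            if capturing:
                break
            capturing = line[len(PROMPT):].strip() == command
        elif capturing:
            captured.append(line)
    return "\n".join(captured)


def verify_software_session(session: str, image_filename: str) -> dict:
    """Evaluate the three checks of Section 3.3 against a captured transcript."""
    want = expected_version(image_filename)
    flash = command_output(session, "show flash")
    secondary_lines = [l for l in flash.splitlines() if l.lstrip().startswith("Secondary")]
    running = VERSION_RE.findall(command_output(session, "show version"))
    signature = command_output(session, "verify signature flash secondary")
    return {
        # 3.3.1: the Secondary Image row of show flash carries the installed version
        "secondary_flash_version_ok": any(want in l for l in secondary_lines),
        # 3.3.2: show version reports exactly that version as the running one
        "running_version_ok": running == [want],
        # 3.3.3: the signature check printed its success message
        "signature_valid": any(l.strip() == "Signature is valid." for l in signature.splitlines()),
    }


def all_checks_pass(session: str, image_filename: str) -> bool:
    return all(verify_software_session(session, image_filename).values())


if __name__ == "__main__":
    print(verify_software_session(SAMPLE_SESSION, "KB_15_18_0008.swi"))
```

Feed the script a real captured session (for example a terminal-emulator log of the three commands) in place of SAMPLE_SESSION; a mismatch between the file name and the reported version, or any message other than "Signature is valid.", fails the corresponding check.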
3.4 Enabling Enhanced secure mode
To satisfy the evaluated configuration, the switch must be placed into Enhanced secure mode.
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
Issue the following command to enable Enhanced secure mode:
Syntax
secure-mode enhanced
Prior to enabling Enhanced secure mode, the switch will issue a warning:
The system will be rebooted and all management module files except
software images will be erased and zeroized. This will take up to 60
minutes and the switch will not be usable during that time. A power
cycle will then be required to complete the transition.
Continue (y/n)?
Press [Y] to enable Enhanced secure mode. The switch will erase and zeroize all stored passwords,
certificates, and keys. The switch configuration will be reset to the factory default.
Once zeroization is complete, the switch will reboot. Once the reboot is complete, proceed to the next
section.
3.5 Network Configuration
By default, the switch is configured to automatically receive IP addressing on the default VLAN from a
DHCP/BOOTP server that has been configured correctly with information to support the switch.
In the evaluated configuration, the switch should be restricted to communicating from a static IP address
on a known, isolated port. This section will walk through the following configurations:
• Creating a VLAN
• Assigning IP addresses
• Assigning a default gateway
• Disabling OOBM access and unused connections
• Establishing a Secure Management VLAN
3.5.1 Configuring an IP Address and Subnet Mask
3.5.1.1 Changing the IP Configuration via CLI
To comply with the evaluated configuration, the operator must assign the switch a static IP address on a
non-default VLAN.
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
NOTE
The following command includes both the IP address and the subnet mask. You must either include the
ID of the VLAN for which you are configuring IP addressing or go to the context configuration level for that
VLAN.
Execute the following command to configure an IP address:
Syntax
vlan 200 ip address <ip-address/mask-length>
Or
vlan 200 ip address <ip-address> <mask-bits>
The IP address and subnet mask must be compatible with the test network.
Example
To assign an IP address of 192.168.1.10 with a subnet mask of 255.255.255.0, issue the following command:
HPE Switch(config)# vlan 200 ip address 192.168.1.10 255.255.255.0
This example configures the same IP address as the preceding example, but specifies the subnet mask
by mask length:
HPE Switch(config)# vlan 200 ip address 192.168.1.10/24
Next, the default VLAN must be disabled to ensure it does not gain an IP address. Issue the following
command to disable the default VLAN:
Syntax
no vlan 1 ip address
Finally, the operator must assign a default gateway to allow the switch to communicate with servers on
the network. Issue the following command to establish a default gateway:
Syntax
ip default-gateway <ip-address>
Example
To assign a default gateway of 192.168.1.1, enter:
HPE Switch(config)# ip default-gateway 192.168.1.1
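A management address that is typed in wrongly leaves the switch unreachable on its isolated port, so it pays to check the planned address, mask and gateway against each other before entering the commands above. The following Python script is an added example and is not part of this guide or of HPE's software. It uses only the standard ipaddress module, accepts the mask in either of the two forms the vlan ip address command takes, rejects a gateway outside the switch's subnet (which is what a transposed octet such as 192.186 instead of 192.168 produces) or an address that is the network or broadcast address, and then renders the command sequence of this section. The VLAN ID of 200 is the one this guide uses.

```python
import ipaddress


def plan_management_ip(address: str, mask: str, gateway: str, vlan_id: int = 200) -> dict:
    """Check a planned static management address and render the CLI commands.

    `mask` may be a dotted mask (255.255.255.0) or a prefix length (24), the
    two forms the switch's `vlan <id> ip address` command accepts.
    """
    iface = ipaddress.ip_interface(f"{address}/{mask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside the switch's subnet {net}")
    elif gw == iface.ip:
        problems.append("gateway must differ from the switch's own address")
    # Only emit commands for a plan with no problems; a half-applied plan is
    # worse than none because the default VLAN is taken off the network.
    commands = [] if problems else [
        f"vlan {vlan_id} ip address {iface.ip} {net.netmask}",   # dotted-mask form
        f"vlan {vlan_id} ip address {iface.with_prefixlen}",     # mask-length form (equivalent)
        "no vlan 1 ip address",                                  # default VLAN must not get an address
        f"ip default-gateway {gw}",
    ]
    return {"network": str(net), "problems": problems, "commands": commands}


if __name__ == "__main__":
    for plan in (("192.168.1.10", "255.255.255.0", "192.168.1.1"),
                 ("192.186.1.10", "24", "192.168.1.1")):   # constructed typo case
        result = plan_management_ip(*plan)
        print(plan, result["problems"] or result["commands"])
```

The two vlan ip address lines are alternatives; either one configures the same address, which is the point Section 3.5.1.1 makes with its two examples.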
3.5.1.2 Changing the IP Configuration via Menu
NOTE
The switch must first be in the Main Menu before completing this section. See Section 3.1.2: Use of the
Menu for information on entering the Main Menu.
From the Main Menu, select 2. Switch Configuration... then 8. VLAN Menu... then 2. VLAN
Names.
Figure 3-5. VLAN Names menu
Press [A] to add a new VLAN. The VLAN name entry screen is displayed:
Figure 3-6. VLAN name entry screen
Enter a VLAN ID of 200. Press [Tab] to highlight the Name field and enter the name “Management”.
Press [Enter] to confirm and [S] to save. The switch will return to the VLAN Names menu:
Figure 3-7. VLAN names menu with configured VLAN
Press [B] to go back, then select 4. Return to Previous Menu…, then 5. IP Configuration.
The IP configuration menu is displayed.
Figure 3-8. IP Configuration menu
Press [E] to edit the configuration. The first field selected will be the Default Gateway field. Enter the
IP address of the default gateway on the test network. This example uses IP addresses in the
192.168.1.xxx range.
Figure 3-9. IP Configuration menu with Default Gateway set
Press [Tab] three times to highlight IP Config field (reading DHCP/Bootp) in the DEFAULT_VLAN row.
Press [Space] until the field displays Disabled.
Figure 3-10. IP Configuration menu with default VLAN disabled
Press [Tab] to highlight the IP Config field in the Management row. Press [Space] until the field
displays Manual.
Figure 3-11. IP Configuration menu with Manual configuration for Management VLAN
Press [Tab] to highlight the IP Address field. Enter an IP address compatible with the test network.
This example uses IP addresses in the 192.168.1.xxx range. When finished, press [Tab] to highlight the
Subnet Mask field. Enter the IP address’s accompanying subnet mask. CIDR notation is not
supported.
Figure 3-12. IP Configuration menu with configured IP
Press [Tab] to select the Management VLAN’s secondary IP Config field (reading DHCP/Bootp).
Press [Space] until the field displays Disabled.
Figure 3-13. Configured IP Configuration menu
When finished, press [Enter] to confirm, then [S] to save.
Finally, select 0. Return to Main Menu..., then 5. Command Line (CLI) to return to the CLI.
3.5.2 Creating a Secure Management VLAN
This feature creates an isolated network for managing the HPE switches that offer this feature. When a
secure management VLAN is enabled, switch access is restricted to ports configured as members of the
VLAN.
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
Before creating the management VLAN, the Out-Of-Band Management (OOBM) port must first be
disabled. Issue the following command to disable the OOBM port:
Syntax
oobm disable
Next, issue the following command to create the management VLAN.
Syntax
management-vlan 200
Connect a network cable to port 1 on the switch. The operator must ensure that the switch does not have
any network connections other than port 1.
Issue the following commands to add port 1 to the management VLAN:
Syntax
vlan 200 untagged 1
The switch is now connected to the network.
3.6 Date and Time Configuration
In order to guarantee accurate timestamps in the audit log, the operator must update the date and time on
the switch using one of the following methods:
• Automatic synchronization via a TimeP server on the test network
• Automatic synchronization via a SNTP server on the test network
• Manual adjustment
3.6.1 Updating Date and Time via TimeP Server
3.6.1.1 Configuring TimeP via CLI
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
Issue the following command to set TimeP as the time synchronization method:
Syntax
timesync timep
Next, issue the following command to connect the switch to the TimeP server on the test network:
Syntax
ip timep manual <ip-address>
The <ip-address> argument must be the IP address of the TimeP server on the test network. For
example, to connect to a TimeP server at IP address 192.168.1.10, issue the following command:
HPE Switch(config)# ip timep manual 192.168.1.10
The switch will poll the TimeP server every 720 minutes (12 hours) for time and date synchronization.
To ensure valid timestamps, the switch must be configured with the proper time zone. Proceed to
Section 3.6.4: Time Zone to configure the time zone.
3.6.1.2 Configuring TimeP via Menu
NOTE
The switch must first be in the Main Menu before completing this section. See Section 3.1.2: Use of the
Menu for information on entering the Main Menu.
From the Main Menu, select 2. Switch Configuration..., then 1. System Information.
Figure 3-14. System Information Screen (default values)
Press [E] (for Edit). The cursor moves to the System Name field. Press [Tab] until the cursor highlights
the Time Sync Method field. Press [Space] until the field reads TIMEP.
Figure 3-15. System Information Screen (TimeP selected)
Press [Tab] to select the TIMEP Mode field. Press [Space] until the field reads Manual.
Figure 3-16. System Information Screen (TimeP mode: manual)
Press [Tab] to select the Server Address field. Enter the IP address of the TimeP server on the test
network.
Figure 3-17. System Information Screen with TimeP server configured
Press [Tab] until the cursor highlights the Time Zone field.
Figure 3-18. System Information Screen with Time Zone configured
The configured time zone must match the time zone for the locality in which the switch resides. Enter the
number of minutes west (-) or east (+) of GMT. For example, for Eastern Standard Time (GMT-5:00),
enter -300. For India standard time (GMT+5:30), enter 330.
Press [Enter] to confirm and [S] to save.
Finally, select 0. Return to Main Menu..., then 5. Command Line (CLI) to return to the CLI.
Proceed to Section 3.7: Configuring Cryptographic Services.
3.6.2 Updating Date and Time via SNTP Server
3.6.2.1 Configuring SNTP via CLI
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
Issue the following command to set SNTP as the time synchronization method:
Syntax
timesync sntp
Unicast SNTP is the only supported SNTP method under the evaluated configuration. Issue the following
command to configure SNTP for unicast operation:
Syntax
sntp unicast
Next, issue the following command to connect the switch to the SNTP server on the test network:
Syntax
sntp server priority 1 <ip-address> <version>
The <ip-address> argument must be the IP address of the SNTP server on the test network. The
<version> argument must be the SNTP version running on the SNTP server. The switch supports
SNTP versions 1 through 7. The default version is 3.
For example, to connect to an SNTP server running SNTP version 1 at IP address 192.168.1.10, issue
the following command:
HPE Switch(config)# sntp server priority 1 192.168.1.10 1
The switch will poll the SNTP server every 720 seconds (12 minutes) for time and date synchronization.
To ensure valid timestamps, the switch must be configured with the proper time zone. Proceed to
Section 3.6.4: Time Zone to configure the time zone.
3.6.2.2 Configuring SNTP via Menu
NOTE
The switch must first be in the Main Menu before completing this section. See Section 3.1.2: Use of the
Menu for information on entering the Main Menu.
From the Main Menu, select 2. Switch Configuration..., then 1. System Information.
Figure 3-19. System Information Screen (default values)
Press [E] (for Edit). The cursor moves to the System Name field. Press [Tab] until the cursor highlights
the Time Sync Method field. Press [Space] until the field reads SNTP.
Figure 3-20. System Information Screen (SNTP selected)
Press [Tab] to select the TIMEP Mode field. The field name changes to SNTP Mode. Press [Space]
until the field reads Unicast.
Figure 3-21. System Information Screen with SNTP in Unicast Mode
Press [Tab] to move the cursor to the Server Address field. Enter the IP address of the SNTP server
on the test network.
Figure 3-22. System Information Screen with SNTP server IP address configured
Press [Tab] until the cursor highlights the Server Version field. The default SNTP server version is 3.
Enter the version running on the SNTP server on the test network. Supported versions are 1 through 7.
Figure 3-23. System Information Screen with SNTP server version configured
Press [Tab] until the cursor highlights the Time Zone field.
Figure 3-24. System Information Screen with Time Zone configured
The configured time zone must match the time zone for the locality in which the switch resides. Enter the
number of minutes west (-) or east (+) of GMT. For example, for Eastern Standard Time (GMT-5:00),
enter -300. For India standard time (GMT+5:30), enter 330.
Press [Enter] to confirm and [S] to save.
Finally, select 0. Return to Main Menu..., then 5. Command Line (CLI) to return to the CLI.
Proceed to Section 3.7: Configuring Cryptographic Services.
3.6.3 Updating Date and Time Manually
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
If needed, issue the following command to manually set the date and time on the switch:
Syntax
time hh:mm MM/DD/YYYY
hh      Hours
mm      Minutes
MM      Month (1 - 12)
DD      Day (1 - 31)
YYYY    Year (e.g., 2016)
NOTE
The CLI uses a 24-hour clock; that is, hour (hh) values from 1 p.m. to midnight are entered as 13 through 24, respectively.
For example, to set the switch to 9:45 a.m. on November 17, 2016:
HPE Switch(config)# time 9:45 11/17/2016
NOTE
Warm booting or power-cycling the switch will reset the date and time to their default values unless a time
synchronization service is configured.
3.6.4 Time Zone
To ensure valid timestamps, the switch must be configured with the proper time zone. Issue the following
command to configure the switch for the current time zone:
Syntax
time timezone <minutes>
Where <minutes> is the number of minutes +/- UTC. The programmed time zone must match the time
zone for the locality in which the switch resides during testing.
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
For example, to configure the switch for Eastern Standard Time (UTC-5:00), issue the following
command:
HPE Switch(config)# time timezone -300
For India Standard Time (UTC+5:30), issue the following command:
HPE Switch(config)# time timezone 330
For Greenwich Mean Time (UTC+0:00), issue the following command:
HPE Switch(config)# time timezone 0
3.7 Configuring Cryptographic Services
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
3.7.1 SSH
These steps will enable the switch to communicate over SSH in a manner that complies with the
evaluated configuration. This requires:
 Generating a public/private key pair with a compliant key generation method
 Disabling non-compliant encryption algorithms
 Enabling credential encryption
When in the evaluated configuration, the switch supports data integrity validation through HMAC-SHA1 and
key exchange through diffie-hellman-group14-sha1. These algorithms are enabled by default
when the switch is in Enhanced Secure Mode (see Section 3.4).
3.7.1.1 Generating a Public/Private Key Pair
To comply with the evaluated configuration as described in the Security Target, keys must be generated
with the following algorithm:
 RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of 2048 bits or greater.
Issue the following command to generate a public/private key pair using this algorithm.
Syntax
crypto key generate ssh rsa bits 2048
The switch will display the following notice:
Installing a new key pair. If the key/entropy cache is depleted, this could take up to a minute.
When the key pair is successfully generated, the switch will display the following message:
The installation of a new key pair is successfully completed.
3.7.1.2 Enabling SSH
Prior to enabling SSH services, a public/private key pair must be generated. The operator must
successfully complete the steps described in Section 3.7.1.1: Generating a Public/Private Key Pair before
continuing.
If a public/private key pair was successfully generated, the switch is ready to enable SSH services. Issue
the following command to enable SSH:
Syntax
ip ssh
3.7.1.3 Disabling Unsupported Algorithms
In order to comply with the evaluated configuration, the switch must ensure that the following algorithms
are used for SSH transport encryption:
 AES-CBC-128
 AES-CBC-256
To guarantee the use of the above algorithms, the following SSH transport encryption algorithms must be
disabled:
 AES-CBC-192
 AES-CTR-128
 AES-CTR-192
 AES-CTR-256
Issue the following commands to disable unsupported SSH transport algorithms.
Syntax
no ip ssh cipher aes192-cbc
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh cipher aes256-ctr
3.7.1.4 Securing File Transfers
The switch must use SFTP for remote transfer of files from the switch. Issue the following command to
disable TFTP and force file transfers to use SFTP:
Syntax
ip ssh filetransfer
The switch will respond with the following message:
TFTP and auto-TFTP are now disabled because they cannot be secured with
SSH.
TFTP can be re-enabled with the 'tftp' command.
3.7.2 TLS
3.7.2.1 Disabling Unused Cipher Suites
By default, the switch provides all required cipher suites that satisfy the requirements specified in the
Security Target, as well as several others. In order to fully comply with the evaluated configuration, the
operator must disable all non-required cipher suites. The following TLS cipher suites are required:
 TLS_RSA_WITH_AES_128_CBC_SHA
 TLS_RSA_WITH_AES_256_CBC_SHA
Issue the following command to disable the unused cipher suites:
Syntax
tls application all lowest-version tls1.0 cipher aes128-sha
tls application all lowest-version tls1.0 cipher aes256-sha
write mem
Issue the show config command and verify that both TLS cipher suites are set, and that both
cipher suites are configured to use TLS version 1.0.
3.7.2.2 Generating Trust Anchors and Credentials for Syslog
The evaluated configuration requires the switch to establish a trusted channel over TLS between the
switch and a syslog server. In order to use TLS to establish a trusted channel, the switch must first
generate a certificate that can be used to validate connections between the switch and an application
server. This section will walk through the following steps:
 Generate a trust anchor and identity profile on the switch
 Generate a certificate signing request
 Generate keys and certificates via an external application (for example, OpenSSL)
 Install the signed certificate on the application server
 Install the signed certificate on the switch
Because the installation and generation of signed certificates requires the use of third-party software, it is
the operator’s responsibility to ensure signed certificates are generated and installed correctly.
The operator must perform the following steps to secure TLS:
1. Issue the following command to establish a Trust Anchor on the switch:
Syntax
crypto pki ta-profile HPE
2. Issue the following command to establish an identity profile on the switch:
Syntax
crypto pki identity-profile 5400R subject common-name 5400R org HPE org-unit RND state CA country US
3. Issue the following command to create the certificate signing request:
Syntax
crypto pki create-csr certificate-name syslog_cert ta-profile HPE usage all key-type rsa key-size 2048
The switch will generate and display a unique certificate signing request. For example:
Figure 3-25. Generated certificate signing request
4. Copy the text of this certificate signing request (including -----BEGIN CERTIFICATE
REQUEST----- and -----END CERTIFICATE REQUEST-----) as plaintext and paste it into an
external file named "syslog_request.csr". This file must be copied to the workstation that
will generate the certificates.
5. Use the certificate signing request to generate the certificate chain. Certificates must be X.509 v3
compliant, generated using RSA with a key size of 2048 bits. For example, to generate the
certificate chain with OpenSSL:
a. Create an X.509v3 extensions file named "v3.ext", containing the following text:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
extendedKeyUsage=serverAuth,clientAuth
b. Run the following commands to generate the certificate chain:
i. openssl req -out hp-ca.pem -new -x509 -days 730 -newkey rsa:2048
ii. openssl x509 -extfile v3.ext -req -in syslog_request.csr -CA hp-ca.pem -CAkey privkey.pem -CAcreateserial -out syslog_cert.pem
6. Copy the trust anchor/CA certificate, private key, and extensions file (hp-ca.pem,
privkey.pem, and v3.ext in the above example) to a location on the syslog
server. These files will be used in Section 3.7.2.3 to set up the trusted channel.
7. Copy the trust anchor/CA certificate to an SFTP server accessible to the switch. The switch must
be able to copy the certificate from this server via SFTP.
8. Copy the text of the signed certificate (syslog_cert.pem in the above example). This text will
be pasted into the console on the switch.
9. Install the trust anchor certificate on the switch by issuing the following command:
Syntax
copy sftp ta-certificate HPE <sftp-ip-addr> hp-ca.pem
<sftp-ip-addr> must be a valid connection string for an SFTP server containing the trust
anchor/CA certificate. For example, to connect to an SFTP server at IP address 192.168.10.1
with user name "admin", issue the command:
copy sftp ta-certificate HPE admin@192.168.10.1 hp-ca.pem
The switch may prompt for acceptance of the remote SFTP server's host key:
The authenticity of host '192.168.10.1' cannot be established.
DSA key fingerprint is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Do you want to accept this host key? [(y)es/(n)o/(o)nce]
Press [Y] or [O] to connect to the remote SFTP server. Input the password, when prompted, as
in the below example:
Figure 3-26. Installing trust anchor certificate
10. Install the signed certificate by issuing the following command:
Syntax
crypto pki install-signed-certificate
The switch will prompt for a new certificate:
Paste the certificate here and enter:
Paste the contents of the signed certificate copied in step 8, as in the below example:
Figure 3-27. Installing a signed certificate
Certificate installation is complete. Proceed to the next section to create a trusted channel.
3.7.2.3 Creating a Trusted Channel with a Remote Syslog Server
In order to comply with the evaluated configuration, the switch must establish a trusted channel to a
remote syslog server over TLS.
This section requires the establishment of signed certificates on both the switch and the remote syslog
server. The steps in Section 3.7.2.2: Generating Trust Anchors and Credentials for Syslog must be
successfully completed before establishing the trusted channel.
Additionally, the syslog server must be configured to authenticate over TLS using signed certificates. In
the following example, a Linux machine running Syslog-ng 3.7.2 is configured to authenticate with the
switch over the trusted channel.
1. As root, update the Syslog-ng configuration to receive log messages from the trusted channel.
a. Create a file /etc/syslog-ng/conf.d/5400R.conf with the following contents:
@version:3.7
options {
perm(0640);
stats_freq(3600);
threaded(yes);
keep-timestamp(no);
};
source 5400R_tls_source {
syslog( ip(0.0.0.0) port(6514)
transport("tls")
tls( key-file("/etc/pki/syslog-ng/syslog-key.pem")
cert-file("/etc/pki/syslog-ng/syslog-cert.pem")
peer-verify(optional-untrusted)
ca-dir("/etc/pki/syslog-ng/ca.d")
)
);
};
destination d_5400R { file("/var/log/5400R.log"); };
log { source(5400R_tls_source); destination(d_5400R); };
b. Edit the file /etc/syslog-ng/syslog-ng.conf and add the following line if it is not
already present:
i. @include "/etc/syslog-ng/conf.d/*.conf"
2. Issue the following command to create the destination log file for messages from the switch:
a. touch /var/log/5400R.log
3. Issue the following command to create the certificate storage directory for the syslog server:
a. mkdir -p /etc/pki/syslog-ng/ca.d
4. Place the files copied in Section 3.7.2.2 step 6 (hp-ca.pem, privkey.pem, and v3.ext)
in the directory /etc/pki/syslog-ng/ca.d.
5. Issue the following commands to generate the certificate chain for the syslog server:
a. cd /etc/pki/syslog-ng/ca.d
b. openssl genrsa -out syslog-key.pem 2048
c. openssl req -key syslog-key.pem -new -out syslog-csr.pem
d. openssl x509 -extfile v3.ext -req -in syslog-csr.pem -CA hp-ca.pem -CAkey privkey.pem -CAcreateserial -out syslog-cert.pem
e. mv syslog-key.pem /etc/pki/syslog-ng
f. mv syslog-cert.pem /etc/pki/syslog-ng
6. A symbolic link to the trust anchor/CA certificate must be created for Syslog-ng to use. Issue the
following commands to create the symbolic link:
a. openssl x509 -noout -hash -in hp-ca.pem
i. This command prints the hash of the trust anchor/CA certificate (e.g., 6d2962a8).
b. Use the output from the previous command to create the symbolic link. For example,
with a hash of 6d2962a8, use the following invocation:
i. ln -s hp-ca.pem 6d2962a8.0
7. Finally, issue the following command to restart the syslog server:
a. service syslog-ng restart
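The OpenSSL steps above (Section 3.7.2.2 step 5, and Section 3.7.2.3 steps 5 and 6), collected into one script as an added example; it is not part of the HPE guide. It assumes a POSIX shell with openssl on the path, adds -nodes and -subj so the commands run without interactive prompts, uses placeholder subject names, and expects the CSR pasted out of the switch (Section 3.7.2.2 step 4) as syslog_request.csr in the working directory. It also performs two checks the guide leaves to the operator: that each signed certificate verifies against hp-ca.pem, and that it carries a 2048-bit RSA key as the evaluated configuration requires.

```shell
#!/bin/sh
# Added example, not from the HPE guide: build the trust anchor and the signed
# certificates for the switch and the syslog server with OpenSSL, then check them.
# Subject names, -nodes and -subj are assumptions made so the script runs unattended.
set -eu

# v3.ext exactly as the guide lists it (Section 3.7.2.2 step 5a).
write_v3_ext() {
  cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
extendedKeyUsage=serverAuth,clientAuth
EOF
}

# Self-signed trust anchor hp-ca.pem with private key privkey.pem (step 5b-i).
make_ca() {
  openssl req -new -x509 -days 730 -newkey rsa:2048 -nodes \
    -subj "/CN=Example Trust Anchor/O=HPE/OU=RND/ST=CA/C=US" \
    -keyout privkey.pem -out hp-ca.pem 2>/dev/null
}

# Sign the CSR in $1 with the trust anchor and write the certificate to $2
# (step 5b-ii for the switch; Section 3.7.2.3 step 5d for the syslog server).
sign_csr() {
  openssl x509 -extfile v3.ext -req -in "$1" -CA hp-ca.pem -CAkey privkey.pem \
    -CAcreateserial -out "$2" 2>/dev/null
}

# Syslog server key and CSR (Section 3.7.2.3 steps 5b and 5c); CN is a placeholder.
make_server_csr() {
  openssl genrsa -out syslog-key.pem 2048 2>/dev/null
  openssl req -key syslog-key.pem -new -out syslog-csr.pem \
    -subj "/CN=syslog.example.invalid" 2>/dev/null
}

# Create the <hash>.0 symlink syslog-ng looks up (Section 3.7.2.3 step 6); prints the hash.
link_ca_by_hash() {
  h=$(openssl x509 -noout -hash -in hp-ca.pem)
  ln -sf hp-ca.pem "$h.0"
  printf '%s\n' "$h"
}

# Check: does the certificate in $1 chain to the trust anchor?
verify_against_ca() {
  openssl verify -CAfile hp-ca.pem "$1" >/dev/null 2>&1
}

# Check: print the RSA modulus size of the certificate in $1 (the guide requires 2048).
rsa_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

main() {
  write_v3_ext
  make_ca
  sign_csr syslog_request.csr syslog_cert.pem   # CSR pasted out of the switch
  make_server_csr
  sign_csr syslog-csr.pem syslog-cert.pem
  for c in syslog_cert.pem syslog-cert.pem; do
    verify_against_ca "$c" && [ "$(rsa_bits "$c")" = 2048 ] && echo "ok: $c"
  done
  echo "trust anchor linked as $(link_ca_by_hash).0"
}

case "${1:-}" in run) main ;; esac
```

Run it as sh make_syslog_chain.sh run in the directory that holds syslog_request.csr; the resulting hp-ca.pem, privkey.pem and v3.ext are the files step 6 copies to the syslog server. The v3.ext contents are the guide's own; note that basicConstraints=CA:TRUE is applied to the end-entity switch and syslog-server certificates as well as to the trust anchor, whereas RFC 5280 reserves CA:TRUE for certificates that issue other certificates, so confirm the setting against the syslog server's verification policy before relying on it.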
Once signed certificates are generated and installed, the operator must configure the switch to send logs
to the syslog server. Issue the following command on the switch to establish a trusted channel between
the switch and the remote syslog server:
Syntax
logging <ip-address> tls
The <ip-address> parameter must be the IP address of a remote syslog server capable of establishing
a trusted channel with the switch over TLS 1.0, TLS 1.1, or TLS 1.2. For example, to establish a trusted
channel with a server at IP address 192.168.1.25, issue the following command:
HPE Switch(config)# logging 192.168.1.25 tls
If properly configured, events will appear on the syslog server in the file /var/log/5400R.log.
3.8 User, Password, and Session Management
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
3.8.1 Configuring Login Banner
The evaluated configuration requires the display of an administrator-specified advisory notice prior to
login. By default, the switch will display the following banner:
Figure 3-28. Default login banner
The operator must issue the following command to specify a “message of the day” (login) banner:
Syntax
banner motd %
The system will prompt for a banner:
Enter TEXT message.
End with the character ‘%’
Enter the following banner:
This is the MOTD banner
%
The operator must also issue the following command to specify an “exec” (post-login) banner:
Syntax
banner exec %
The system will prompt for a banner:
Enter TEXT message.
End with the character ‘%’
Enter the following banner:
This is the post-login banner
%
After the banners are set, the switch will display the MOTD banner before beginning the login process.
For example, when connecting over SSH:
Figure 3-29. Configured Message of the Day banner
Upon successful login, the switch will display the exec banner:
Figure 3-30. Configured Exec banner with previous login message
3.8.2 Configuring Session Timeouts
The evaluated configuration requires the establishment of time limits to automatically disconnect sessions
after a given period of inactivity. The switch supports inactivity timers for both remote and local (serial)
connections. By default, all timers are disabled. The operator must establish inactivity timers for both
local and remote sessions.
Issue the following commands to set an inactivity timer of 5 minutes for remote (SSH) and local (serial/USB)
sessions:
Syntax
console idle-timeout 300
console idle-timeout serial-usb 300
Sessions idle for longer than 5 minutes will be terminated automatically.
3.8.3 Configuring Role-Based Access Control
3.8.3.1 Establishing Minimum Password Length
In order to comply with the evaluated configuration, the switch must establish a minimum password length
of 15 characters. By default, the switch does not enforce a minimum password length.
The operator must issue the following command to establish a minimum password length:
Syntax
password minimum-length 15
For security, passwords should contain a mix of upper- and lower-case characters, numbers, and special
characters. The following special characters are supported:
! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' " , < > / ? .
3.8.3.2 Establishing User Names and Passwords
The evaluated configuration requires that the switch authenticate all users that are capable of managing
the switch either locally or remotely. To this end, the operator must create user names and passwords for
administrators to authenticate against.
To accomplish this, the operator must create an administrator group and assign administrators to it. This
allows individual, discrete administrators to authenticate with and configure the switch. To completely
secure the switch, a password must also be assigned to the switch’s Operator role. This ensures that all
access to the switch (including read-only access) is protected.
First, the operator must enable local authorization by issuing the following command:
Syntax
aaa authorization commands local
Next, create an administrator group and assign an admin user to it. Issue the following command to
create the administrator group (named "authorized_admin"):
Syntax
aaa authorization group authorized_admin 1 match-command ".*" permit
This command creates the group authorized_admin and allows its members access to all commands
on the switch (via match-command ".*" permit).
Next, issue the following command to create an administrator account and assign a password:
Syntax
aaa authentication local-user admin group authorized_admin password plaintext
The switch will prompt for a password and confirmation. Enter a password that is at least 15 characters
long:
Figure 3-31. Creating an administrator
Groups can contain up to 16 users. For example, to create a second administrator named “root”:
Figure 3-32. Creating an additional administrator
This allows users admin and root to authenticate as administrators, each with their own password.
Finally, in order to completely secure the switch from unauthorized access, a password must be assigned
to the Operator role. Issue the following command to create a password:
Syntax
password operator user-name user
The switch will prompt for a password and confirmation. Once the password is successfully established,
the switch will disable incompatible services.
Figure 3-33. Assigning an Operator password
The switch is now protected from anonymous access. When beginning console sessions, login with the
user name user for read-only access, or admin for full administrator access.
3.8.3.3 Protecting Credentials
To comply with the evaluated configuration, user name and password information must be saved,
encrypted, and hidden. The operator must run the following command to encrypt user credentials:
Syntax
encrypt-credentials
Before beginning encryption, the switch will warn about incompatibility:
Figure 3-34. Warning when running command "encrypt-credentials"
Press [Y] to begin encryption.
The operator must also run the following command to save credentials and public keys:
Syntax
include-credentials
As before, the switch will issue an incompatibility warning:
Figure 3-35. Compatibility warning when running command "include-credentials"
Press [Y] to continue. The switch will also issue a security warning:
Figure 3-36. Security warning when running command "include-credentials"
Press [Y] to continue.
3.9 Finalizing Configuration
3.9.1 Disabling Services Not Under Evaluation
NOTE
The switch must be in the Configuration context before completing this section. See Section 3.1.1: Use of
the CLI for information on entering the Configuration context.
The evaluated configuration requires the operator to disable the following services not under evaluation:
 Telnet
 Web Management
 DHCP
 SNMP
The operator must issue the following commands to disable the above services:
Syntax
no telnet-server
no web-management
no dhcp-server enable
no snmpv3 enable
no snmp-server enable
3.9.2 Booting to Evaluated Configuration
To save the evaluated configuration, the operator must issue the following command:
Syntax
write mem
The above command will commit the evaluated configuration to persistent storage.
Finally, the operator must issue the following command to reboot the switch in the evaluated configuration:
Syntax
boot system flash secondary
The switch will prompt for confirmation:
This will reboot the system from the secondary image.
Continue (y/n)?
Press [Y] to reboot. When the switch finishes booting, it will be in the evaluated configuration.
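As an added example (not from the HPE guide), a shell script that checks a saved configuration dump against the settings Sections 3.6 through 3.9 require, so an operator can re-verify the evaluated configuration after the final write mem and reboot in the same way Section 3.7.2.1 asks for the TLS cipher suites to be checked in show config. It assumes the dump lists one CLI command per line, using the same command text as the guide; the configuration embedded in the script is constructed for the demonstration, not captured from a switch.

```shell
#!/bin/sh
# Added example, not from the HPE guide: re-check a saved configuration dump
# against the settings Sections 3.6 to 3.9 require. Assumes the dump holds one
# CLI command per line, worded as in the guide (an assumption about "show config").
set -eu

# Lines the evaluated configuration must contain (Sections 3.7 to 3.9).
required_lines() {
  cat <<'EOF'
ip ssh
ip ssh filetransfer
no ip ssh cipher aes192-cbc
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh cipher aes256-ctr
tls application all lowest-version tls1.0 cipher aes128-sha
tls application all lowest-version tls1.0 cipher aes256-sha
console idle-timeout 300
console idle-timeout serial-usb 300
password minimum-length 15
aaa authorization commands local
no telnet-server
no web-management
no dhcp-server enable
no snmpv3 enable
no snmp-server enable
EOF
}

# check_config FILE: print every missing setting and return how many are missing
# (0 means the dump contains everything the guide requires).
check_config() {
  cfg=$(sed 's/^[[:space:]]*//' "$1")   # tolerate indented dumps
  missing=0
  tmp=$(mktemp)
  required_lines > "$tmp"
  while IFS= read -r want; do
    if ! printf '%s\n' "$cfg" | grep -Fxq -- "$want"; then
      printf 'MISSING: %s\n' "$want"
      missing=$((missing + 1))
    fi
  done < "$tmp"
  rm -f "$tmp"
  # Section 3.6: TimeP or SNTP must be selected and a time zone set, or audit
  # timestamps are not trustworthy.
  if ! printf '%s\n' "$cfg" | grep -Eq '^timesync (timep|sntp)$'; then
    echo 'MISSING: timesync timep|sntp'; missing=$((missing + 1))
  fi
  if ! printf '%s\n' "$cfg" | grep -Eq '^time timezone -?[0-9]+$'; then
    echo 'MISSING: time timezone <minutes>'; missing=$((missing + 1))
  fi
  # Section 3.7.2.3: a TLS syslog destination must exist.
  if ! printf '%s\n' "$cfg" | grep -Eq '^logging [0-9.]+ tls$'; then
    echo 'MISSING: logging <ip-address> tls'; missing=$((missing + 1))
  fi
  return "$missing"
}

# Constructed sample dump (not captured from a real switch) with every required setting.
sample_compliant_config() {
  cat <<'EOF'
; constructed sample, not a real switch configuration
hostname "HPE Switch"
timesync sntp
sntp unicast
sntp server priority 1 192.168.1.10 1
time timezone -300
ip ssh
ip ssh filetransfer
no ip ssh cipher aes192-cbc
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh cipher aes256-ctr
tls application all lowest-version tls1.0 cipher aes128-sha
tls application all lowest-version tls1.0 cipher aes256-sha
logging 192.168.1.25 tls
console idle-timeout 300
console idle-timeout serial-usb 300
password minimum-length 15
aaa authorization commands local
no telnet-server
no web-management
no dhcp-server enable
no snmpv3 enable
no snmp-server enable
EOF
}

# The same dump with three settings left out: one AES-CTR cipher still enabled,
# no minimum password length, and Telnet still running.
sample_noncompliant_config() {
  sample_compliant_config |
    grep -Ev '^(no ip ssh cipher aes128-ctr|password minimum-length 15|no telnet-server)$'
}

main() {
  dir=$(mktemp -d)
  sample_compliant_config > "$dir/good.cfg"
  sample_noncompliant_config > "$dir/bad.cfg"
  for f in good bad; do
    echo "== $f.cfg"
    check_config "$dir/$f.cfg" || echo "$? setting(s) missing"
  done
  rm -rf "$dir"
}

case "${1:-}" in run) main ;; esac
```

Run it as sh check_evaluated_config.sh run to see both samples scored; to check a real switch, save the show config output to a file and call check_config on that file instead. Because the matching is exact and whole-line, any wording difference in a particular firmware's configuration output shows up as a false MISSING rather than as a silent pass, which is the safer failure mode for a compliance check.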
4 Role-Based Access Control
4.1 Overview of RBAC
The CLI is preconfigured with the following privilege levels to help protect the switch from unauthorized
access:
 Operator
 Manager
At any privilege level you can:
 List all of the commands available at that level
 List the options for a specific command
At a given privilege level you can list and execute the commands that level offers, plus all of the
commands available at preceding levels. For example, at the Operator level, you can list and execute
only the Operator level commands. However, at the Manager level, you can list and execute the
commands available at both the Operator and Manager levels.
For added security, these privilege levels can be password protected. Additionally, for finer-grained
access control, the switch allows the creation of discrete user groups with user-defined command access.
See Section 4.1.2 for details.
4.1.1 Privilege Levels
Privilege levels control the type of access to the CLI. To implement this control, you must set at least a
Manager password. Without a Manager password configured, anyone having serial or network access to
the switch can reach all CLI levels.
Privileges are hierarchical, and can be gained or lost within the same session, as shown in the following
chart:
Figure 4-1. Access sequence for privilege levels
Privilege level: Operator Level
Example of prompt: HPE Switch>
Permitted operations:
show <command>         View status and configuration information.
ping <argument>        Perform connectivity tests.
link-test <argument>   Perform connectivity tests.
enable                 Elevate privilege to Manager level.
menu                   Move from the CLI interface to the menu interface.
logout                 Exit from the CLI interface and terminate the console session.
exit                   Same as logout.
Table 4-1. Privilege Level Hierarchy: Operator Privilege
Privilege level: Manager Level
Example of prompt: HPE Switch#
Permitted operations: Perform system-level actions such as system control, monitoring, and
diagnostic commands, plus any of the Operator-level commands. For a list of available commands,
enter ? at the prompt.
Privilege level: Global Configuration Level
Example of prompt: HPE Switch(config)#
Permitted operations: Execute configuration commands, plus all Operator and Manager commands.
For a list of available commands, enter ? at the prompt.
Privilege level: Context Configuration Level
Examples of prompt: HPE Switch(eth-1/5)#, HPE Switch(vlan-100)#
Permitted operations: Execute context-specific configuration commands, such as those for a
particular VLAN or switch port. This is useful for shortening the command strings you type, and for
entering a series of commands for the same context. For a list of available commands, enter ? at
the prompt.
Table 4-2. Privilege Level Hierarchy: Manager Privilege
4.1.1.1 Moving Between Privilege Levels
Change in levels, with an example of the prompt, command, and result:
Operator level to Manager level:
HPE Switch> enable
Password: _
After you enter enable, the Password prompt appears.
HPE Switch# _
After you enter the Manager password, the system prompt appears with the # symbol.
Manager level to Global configuration level:
HPE Switch# config
HPE Switch(config)#
Global configuration level to a Context configuration level:
HPE Switch(config)# vlan 10
HPE Switch(vlan-10)#
Context configuration level to another Context configuration level:
HPE Switch(vlan-10)# interface e 1/3
HPE Switch(int-1/3)#
The CLI accepts e as the abbreviated form of ethernet.
Move from any level to the preceding level:
HPE Switch(int-1/3)# exit
HPE Switch(config)# exit
HPE Switch# exit
HPE Switch>
Move from any level to the Manager level:
HPE Switch(int-1/3)# end
HPE Switch#
or
HPE Switch(config)# end
HPE Switch#
Table 4-3. Privilege level mutability
4.1.1.2 Operator Privileges
At the operator level you can examine the current configuration and move between interfaces without
being able to change the configuration. A > character delimits the Operator-level prompt. For example:
HPE Switch> _ (Example of the Operator prompt.)
When using the enable command to move to the Manager level, the switch prompts you for the Manager
password if one has already been configured.
4.1.1.3 Manager Privileges
Manager privileges give you three additional levels of access: Manager, Global Configuration, and
Context Configuration. A # character delimits any Manager prompt. For example:
HPE Switch# _ (Example of the Manager prompt.)
 Manager level: Provides all Operator level privileges plus the ability to perform system-level
actions that do not require saving changes to the system configuration file. The prompt for the
Manager level contains only the system name and the "#" delimiter, as shown above. To select
this level, enter the enable command at the Operator prompt and enter the Manager password
when prompted. For example:
Enter enable at the Operator prompt:
HPE Switch> enable
The CLI will prompt for the Manager password:
Password:
The Manager prompt appears after the correct Manager password is entered:
HPE Switch# _
 Global configuration level: Provides all Operator and Manager level privileges, and enables you
to make configuration changes to any of the switch's software features. The prompt for the Global
Configuration level includes the system name and (config). To select this level, enter the
config command at the Manager prompt. For example:
Enter config at the Manager prompt:
HPE Switch# config
The switch responds with the Global Config prompt:
HPE Switch(config)# _
 Context configuration level: Provides all Operator and Manager privileges, and enables you to
make configuration changes in a specific context, such as one or more ports or a VLAN. The
prompt for the Context Configuration level includes the system name and the selected context.
For example:
HPE Switch(eth-1)#
HPE Switch(vlan-10)#
The Context level is useful, for example, for executing several commands directed at the same
port or VLAN, or if you want to shorten the command strings for a specific context area. To select
this level, enter the specific context at the Global Configuration level prompt. For example, to
select the context level for an existing VLAN with the VLAN ID of 10, you would enter the
following command and see the indicated result:
HPE Switch(config)# vlan 10
HPE Switch(vlan-10)#
4.1.1.4 Available Commands by Privilege Level
At a given privilege level you can list and execute the commands that level offers, plus all of the
commands available at preceding levels. For example, at the Operator level, you can list and execute
only the Operator level commands. However, at the Manager level, you can list and execute the
commands available at both the Operator and Manager levels.
4.1.1.5 Available Operator Commands
The available commands for each level are as follows:
Command
Description
chassislocate
dir
Control the chassis locate LED. Display a list of the files and subdirectories in a directory on a USB device. display
enable
exit
Display current system information. Enter the Manager command context. Return to the previous context or terminate current console/telnet session if you are in the Operator context level. link-test
Test the connection to a MAC address on the LAN. Terminate this console or telnet session. Enter the menu‐based console user interface. Toggle paging mode. Send IPv4 ping requests to a device on the network. Send IPv6 ping requests to a device on the network. Exit the current command view Display switch operation information. Trace the IPv4 route to a device on the network. Trace the IPv6 route to a device on the network. Verify the signature of a switch firmware image. logout
menu
page
ping
ping6
quit
show
traceroute
traceroute6
verify
Table 4-4. Available Operator commands
4.1.1.6 Available Manager Commands
Commands available to the Manager role will vary depending on context.
In the default context, users with the Manager role have access to the following commands:
Command            Description
backup             Back up the next startup-configuration file to a TFTP server.
boot               Reboot the device.
chassislocate      Control the chassis locate LED.
clear              Clear information.
clock              Configure or show the current time, date, and local time offset.
command-alias      Specify a command alias.
configure          Enter the Configuration context.
copy               Copy data files from a source to a destination.
debug              Configure debug logging.
delete             Delete a file.
diagnostic-level   Set the diagnostic level.
dir                Display a list of the files and subdirectories in a directory on a USB device.
display            Display current system information.
enable             Enter the Manager command context.
end                Return to the Manager Exec context.
erase              Erase stored data files.
exit               Return to the previous context, or terminate the current console/telnet session if you are in the Operator context level.
getMIB             Retrieve and display the value of the MIB objects specified.
getNextMIB         Retrieve and display the value of the next MIB object for each OID specified.
kill               Kill other active console, Telnet, or SSH sessions.
link-test          Test the connection to a MAC address on the LAN.
log                Display log events.
logout             Terminate this console or telnet session.
menu               Enter the menu-based console user interface.
page               Toggle paging mode.
ping               Send IPv4 ping requests to a device on the network.
ping6              Send IPv6 ping requests to a device on the network.
print              Execute a command and redirect its output to the device channel for the current session.
process-tracking   Enable process tracking for the active management module or specified interface modules.
quit               Exit the current command view.
reboot             Reboot system/board/card.
redo               Re-execute a command from the history.
reload             Perform a warm reboot of the switch now or at a specified time.
rename             Rename the specified configuration.
repeat             Repeat a previous command multiple times.
reset              Reset operation.
restore            Restore the next startup-configuration file from a TFTP server.
return             Exit to User View.
save               Save the current configuration.
schedule           Schedule a system task.
screen-length      Specify the lines displayed on one screen.
security-logging   Display log events.
session            Enable show-message-type or cli-interactive mode on the switch.
setMIB             Set the value of a MIB object.
setup              Enter the Switch Setup screen for basic switch configuration.
show               Display switch operation information.
ssh                Initiate an SSH client session to another network device.
startup            Specify system startup parameters.
startup-default    Set the default configuration file.
system-view        Enter the System View.
task-monitor       Enable task monitoring of the specified feature.
telnet             Initiate an outbound telnet session to another network device.
terminal           Configure terminal properties.
test               Run diagnostic tests.
traceroute         Trace the IPv4 route to a device on the network.
traceroute6        Trace the IPv6 route to a device on the network.
update             Enter the Monitor ROM Console.
upgrade-software   Enter a key to upgrade system software and enable advanced features.
verify             Verify the signature of a switch firmware image.
walkMIB            Walk through all instances of the object specified, displaying the MIB object names, instances, and values.
write              View or save the running configuration of the switch.
Table 4-5. Available Manager commands: default context
In the configuration context, users with the Manager role have the following commands available:
Command                    Description
aaa                        Configure the switch Authentication, Authorization, and Accounting features.
access-list                Configure an entry in a standard (1-99) or extended (100-199) Access Control List.
alias                      Create a short name for the specified commands.
arp                        Remove the specified IP address entry from the local ARP cache.
arp-protect                Configure Dynamic ARP Protection.
auto-tftp                  Enable/disable automatic software image download via TFTP during boot.
autorun                    Configure Autorun.
backup                     Back up the next startup-configuration file to a TFTP server.
banner                     Configure a login banner.
boot                       Reboot the device.
cdp                        Set various CDP (Cisco Discovery Protocol) parameters.
chassislocate              Control the chassis locate LED.
class                      Create a traffic class to match specified packets.
clear                      Clear information.
clock                      Configure or show the current time, date, and local time offset.
command                    Specify command configuration information.
command-alias              Specify a command alias.
comware-help-display       Enable Comware-compatible commands and include help describing their equivalent ProVision commands.
configure                  Enter the Configuration context.
console                    Set various console parameters.
control-plane-protection   Enable or disable the Control Plane Protection feature.
copy                       Copy data files from a source to a destination.
core-dump                  Enable core dump on management modules or interfaces, or configure the TFTP server to which a core dump file can be uploaded.
crypto                     Install or remove authentication files for the SSH or HTTPS server or for Autorun.
cwmp                       Configure the CPE WAN Management Protocol (TR-069).
debug                      Configure debug logging.
delete                     Delete a file.
dhcp                       Configure DHCP option processing.
dhcp-relay                 Enable and configure DHCP relay.
dhcp-server                Configure the switch-based DHCP service.
dhcp-snooping              Enable and configure DHCP snooping.
dhcpv6-relay               Enable DHCPv6 relay on the device.
dhcpv6-snooping            Configure DHCPv6 snooping.
diagnostic-level           Set the diagnostic level.
dir                        Display a list of the files and subdirectories in a directory on a USB device.
disable                    Disable various features on the device.
display                    Display current system information.
dldp                       Enable or disable the Device Link Detection Protocol (DLDP) to monitor link status.
enable                     Enter the Manager command context.
encrypt-credentials        Enable encryption of credentials in the configuration, or set or clear the pre-shared key used to encrypt credentials.
end                        Return to the Manager Exec context.
erase                      Erase stored data files.
exit                       Return to the previous context, or terminate the current console/telnet session if you are in the Operator context level.
external-power-supply      Configure various external power supply operational and configuration parameters.
fastboot                   Enable fastboot on the switch.
fault-finder               Enable a link fault finder check and set parameters for it.
filter                     Configure static filters to drop specified traffic.
front-panel-security       Enable/disable the ability to clear the password(s) and/or configuration via the front panel buttons.
getMIB                     Retrieve and display the value of the MIB objects specified.
getNextMIB                 Retrieve and display the value of the next MIB object for each OID specified.
gvrp                       Enable/disable GARP VLAN Registration Protocol (GVRP).
hostname                   Specify the device name for administrative purposes.
idle-timeout               Specify the connection idle timeout for login users.
igmp                       Configure various global IGMP parameters for the switch.
igmp-proxy-domain          Configure an IGMP proxy domain.
ignore-untagged-mac        Prevent MAC addresses from being learned when the VLAN is untagged.
include-credentials        Enable/disable including passwords and credentials in each configuration when saved onto a remote server or workstation.
instrumentation            Configure instrumentation monitoring.
interface                  Enter the Interface Configuration Level, or execute one command for that level.
ip                         Configure various IP parameters for the switch.
ipv6                       Configure IPv6.
jumbo                      Configure global jumbo frame parameters for the switch.
key-chain                  Configure authentication key chains and individual keys.
kill                       Kill other active console, Telnet, or SSH sessions.
link-keepalive             Configure UniDirectional Link Detection (UDLD) settings.
link-test                  Test the connection to a MAC address on the LAN.
lldp                       Configure LLDP settings.
lockout-mac                Lock out a MAC address.
log                        Display log events.
log-numbers                Enable the display of log event numbers when the log is displayed via the CLI or via the menu.
logging                    Add an IP address to the list of receiving Syslog servers.
logout                     Terminate this console or telnet session.
loop-protect               Configure loop protection.
mac-age-time               Set the MAC address table age-out time.
mac-notify                 Configure SNMP traps for changes in the MAC address table.
management-vlan            Set the VLAN that is to be used as the management VLAN.
max-vlans                  Set the maximum number of VLANs the switch will support.
menu                       Enter the menu-based console user interface.
mirror-port                Define the mirror port for diagnostic purposes.
oobm                       Enter the OOBM context.
openflow                   Configure OpenFlow parameters or enter the OpenFlow configuration context.
page                       Toggle paging mode.
password                   Configure the local password and username for an access level.
ping                       Send IPv4 ping requests to a device on the network.
ping6                      Send IPv6 ping requests to a device on the network.
policy                     Configure a classifier policy.
port-security              Set the port-security operation(s) for each port in the port list.
portal                     Configure redirection for BYOD VLANs.
primary-vlan               Set the VLAN that is to be used as the primary VLAN.
print                      Execute a command and redirect its output to the device channel for the current session.
process-tracking           Enable process tracking for the active management module or specified interface modules.
qos                        Configure Quality of Service (QoS) parameters for traffic prioritization and bandwidth control.
quit                       Exit the current command view.
radius-server              Configure a RADIUS server for Authentication, Authorization, and Accounting.
reboot                     Reboot system/board/card.
redo                       Re-execute a command from the history.
reload                     Perform a warm reboot of the switch now or at a specified time.
rename                     Rename the specified configuration.
repeat                     Repeat a previous command multiple times.
reset                      Reset operation.
restore                    Restore the next startup-configuration file from a TFTP server.
return                     Exit to User View.
rmon                       RMON features.
route-map                  Enter a route map context to create or modify a route map.
router                     Configure the switch routing protocols.
save                       Save the current configuration.
savepower                  Configure power saving features.
schedule                   Schedule a system task.
screen-length              Specify the lines displayed on one screen.
secure-mode                Enable/disable enhanced secure mode.
security-logging           Display log events.
session                    Enable show-message-type or cli-interactive mode on the switch.
setMIB                     Set the value of a MIB object.
setup                      Enter the Switch Setup screen for basic switch configuration.
sflow                      Configure an sFlow sampling instance.
show                       Display switch operation information.
smart-link                 Create a smart-link group.
snmp-server                Configure the device SNMP server.
snmpv3                     Configure SNMPv3.
sntp                       Configure the Simple Network Time Protocol (SNTP).
spanning-tree              Set the parameters for operation of the switch in a spanning tree topology.
speed                      Specify the TX/RX rate of the user terminal interface.
ssh                        Initiate an SSH client session to another network device.
stacking                   Enter the stacking context or configure the stacking feature.
startup                    Specify system startup parameters.
startup-default            Set the default configuration file.
static-mac                 Lock down a MAC address to a port on a VLAN.
sysname                    Specify the host name.
system-view                Enter the System View.
tacacs-server              Configure a TACACS+ server for Authentication, Authorization, and Accounting.
task-monitor               Enable task monitoring of the specified feature.
tcp-push-preserve          Enable TCP Push Preserve mode.
telnet                     Initiate an outbound telnet session to another network device.
telnet-server              Enable/disable the telnet server on the switch.
terminal                   Configure terminal properties.
test                       Run diagnostic tests.
tftp                       Enable/disable TFTP (Trivial File Transfer Protocol).
time                       Configure or show the current time, date, and local time offset.
timesync                   Configure the protocol used for network time synchronization.
tls                        Configure the cipher suite for the specified application.
traceroute                 Trace the IPv4 route to a device on the network.
traceroute6                Trace the IPv6 route to a device on the network.
trunk                      Add or remove a switch port from a port trunk.
trunk-load-balance         Specify the protocol layer used by the switch for trunk load balancing.
update                     Enter the Monitor ROM Console.
upgrade-software           Enter a key to upgrade system software and enable advanced features.
uplink-failure-detection   Enable or disable UFD globally and set the UFD parameters.
usb-port                   Enable the USB host port.
verify                     Verify the signature of a switch firmware image.
vlan                       Add, delete, or edit VLAN configuration, or enter a VLAN context.
walkMIB                    Walk through all instances of the object specified, displaying the MIB object names, instances, and values.
web-management             Configure the device web server.
write                      View or save the running configuration of the switch.
Table 4-6. Available Manager commands: config context
4.1.1.7 Logging In
When you use a console to log on to the switch, and passwords are set, you will be prompted to enter a
username and/or password. For example:
Figure 4-2. Switch login prompt with password and optional username set
Usernames and passwords are case sensitive. If no passwords are set when you log onto the CLI, you
will enter at the Manager level. For example:
HPE Switch# _
4.1.1.8 Logging Out (CLI)
To terminate a CLI session, use the following command:
Syntax: logout
Exit from the CLI interface and terminate the console session.
For example, to terminate a session when logged in as a manager, issue the logout command:
HPE Switch# logout
The switch will prompt for confirmation:
Do you want to log out (y/n)?
Press [Y] to confirm. If there are unsaved configuration changes, the switch will prompt for confirmation:
Do you want to save the current configuration (y/n)?
Press [Y] to save the current configuration. Press [N] to discard the unsaved changes.
The switch will then terminate the current session. Exit from the terminal program, turn off the terminal, or close the Telnet application program.
4.1.1.9 Logging Out (Menu)
The method for ending a menu session and exiting from the console depends on whether, during the session, you made any changes to the switch configuration that require a switch reboot to activate. (Most changes via the menu interface need only a Save, and do not require a switch reboot.) Configuration changes that need a reboot are marked with an asterisk (*) next to the configured item in the menu and also next to the Switch Configuration item in the Main Menu:
Figure 4-3. Main Menu with change requiring reboot
1. In the current session, if you have not made configuration changes that require a switch reboot to activate, return to the Main Menu and press [0] (zero) to log out. Then just exit from the terminal program, turn off the terminal, or quit the Telnet session.
2. If you have made configuration changes that require a switch reboot (that is, if an asterisk (*) appears next to a configured item or next to Switch Configuration in the Main Menu):
   a. Return to the Main Menu.
   b. Press [6] to select Reboot Switch and follow the instructions on the reboot screen. Rebooting the switch terminates the menu session and, if you are using Telnet, disconnects the Telnet session.
3. Exit from the terminal program, turn off the terminal, or close the Telnet application program.
4.1.2 Creating Authorization Groups
This feature allows more granular localized control over user access when accessing the switch through the console or by telnet or SSH. Instead of allowing access to all commands with the "manager" command, or very restricted access with the "operator" command, local access can be customized to allow only the commands that the local account is authorized to execute. The new local accounts are in addition to and independent of the existing manager and operator accounts, with the exception that if a user name is set for a manager or operator account, that name cannot be the same as any of the local user account names.
To do this, groups are created that contain up to 16 user accounts. Each group has a list of match commands that determine whether a user in that group is authorized to execute a given command. Up to 100 local user accounts are supported. Local user account passwords are stored in the configuration as a SHA1 hash, which is displayed only if "include-credentials" is enabled. A password is required for the local user accounts, but nothing else.
There is one default group, operator. Users assigned to the operator group have only operator privileges.
Applying the authorization group to a local user account only occurs if the user logs in using local as the primary authentication method and the aaa authorization commands local command has been executed. Authorization groups are not supported when the login method is set as secondary local authentication.
These commands are authorized at all access levels:
- exit
- logout
- page
- redo
- repeat
- end
5 Audit Functionality
The Event Log records operating events in single- or double-line entries and serves as a tool to isolate
and troubleshoot problems.
Once the log has received 2000 entries, it discards the oldest message each time a new message is
received. The Event Log window contains 14 log entry lines. You can scroll through it to view any part of
the log.
In addition to local event log storage, the switch supports synchronization of event logs with a remote
event log server via a secure channel. Events are synchronized with remote log servers whenever new
messages are received.
NOTE: The Event Log is erased if power to the switch is interrupted or if you enter the boot system command. The contents of the Event Log are not erased if you:
- Reboot the switch by choosing the Reboot Switch option from the menu interface.
- Enter the reload command from the CLI.
Accessing Audit Logs
Use the show logging command to display audit logs.
Syntax: show logging <a|b|r|s|t|m|p|e|w|i|d|filter|option-str|substring ...>
The options a|r|substring can be used in combination with an event class option.
Option       Description
a            Display all log events, including those from previous boot cycles.
b            Display log events as time since boot instead of date/time format.
r            Display log events in reverse order (most recent first).
s            Display the active and standby management module log events when operating in nonstop switching mode.
t            Display log events with a granularity of 10 milliseconds.
substring    Display only those events that match the substring.
The remaining event class options are listed in order of severity, lowest severity first. The output of the command is confined to event classes of equal or higher severity. Only one of the options d|i|w|e|p|m can be used in the command at a time.
Option       Description
m            Major event class.
e            Error event class.
p            Performance event class.
w            Warning event class.
i            Information event class.
d            Debug event class.
filter       Display log filter configuration and status information.
option-str   Filter the events shown.
For example, issuing the show logging command will produce output similar to the following:
Figure 5-1. Sample log
5.1.1 Audit log format
Each Audit Log entry is composed of six or seven fields, depending on whether numbering is turned on or not:
Figure 5-2. Audit Log entry format
See the following table for a description of each field:
Item            Description
Severity        One of the following codes (from highest to lowest severity):
                M (major): a fatal switch error has occurred.
                E (error): an error condition occurred on the switch.
                W (warning): a switch service has behaved unexpectedly.
                I (information): information on normal switch operation.
                D (debug): reserved for HPE internal diagnostic information.
Date            The date, in the format mm/dd/yy, when the entry was recorded in the log.
Time            The time, in the format hh:mm:ss, when the entry was recorded in the log.
Event number    The number assigned to the event. You can turn event numbering on and off with the [no] log-numbers command.
System Module   The internal module (such as ports for the port manager) that generated the log entry. If VLANs are configured, a VLAN name also appears for an event that is specific to an individual VLAN.
Event Message   A brief description of the operating event.
Table 5-1. Audit Log entry fields
5.1.2 List of Auditable Events (As Mandated by the NDPP)
5.1.2.1 Telnet Events
RMON_TLNT_CONN
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: W 05/22/13 20:39:20 03362 auth: User 'hpn123' logged in from 10.100.221.1 to telnet session
RMON_TLNT_DISCON (there is no log displayed when the user name and password are not set)
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL.4
  Sample audit record: W 05/22/13 20:49:12 03363 auth: User 'hpn123' logged out of telnet session from 10.100.221.1
RMON_TLNT_WARNING
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: W 05/22/13 21:02:06 00419 auth: Invalid user name/password on TELNET session User 'hpn123' is trying to login from 10.100.221.2
RMON_USER_KILL_DISCON
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL.4
  Sample audit record: W 05/22/13 20:49:12 03363 auth: User 'hpn123' logged out from 10.100.221.1 as telnet session is terminated by user/admin
RMON_TIMER_EXP_DISCON
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL.3, FTA_SSL_EXT.1
  Sample audit record: W 05/22/13 20:49:12 04242 auth: User 'hpn123' logged out from 10.100.221.1 due to inactivity timer timeout for TELNET session
Table 5-2. Auditable telnet events
5.1.2.2 SSH Server Events
RMON_USER_KILL_DISCON
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL.4, FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit record: W 05/22/13 20:49:12 03363 auth: User 'hpn123' logged out from 10.100.221.1 as SSH session is terminated by user
RMON_TIMER_EXP_DISCON
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL.3, FCS_SSH_EXT.1, FTA_SSL_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit record: I 05/22/13 20:49:12 04242 auth: User 'hpn123' logged out from 10.100.221.1 due to inactivity timer timeout for SSH session
Table 5-3. Auditable SSH server events
5.1.2.3 SSH Client Events
RMON_SSH_CLIENT_CONN_START
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit record: I 06/13/13 22:16:18 03340 ssh: User 'hpn123': SSH client connection to 10.100.226.1 started
RMON_SSH_CLIENT_CONN_STOP
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL.4, FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit record: I 06/13/13 22:16:24 03341 ssh: User 'hpn1': SSH client connection to 10.100.226.1 stopped
RMON_SSH_CLIENT_CONN_FAILED
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit record: W 05/22/13 01:34:47 00419 auth: User 'hpn1': Invalid user name /password on SSH session from 10.100.14.1
Table 5-4. Auditable SSH client events
5.1.2.4 SSH/SFTP
RMON_SSH_SFTP_SESS
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit record: I 06/13/13 22:24:24 03310 sftp: User 'hpn1': SFTP session from 10.100.1.42
RMON_SFTP_ERR
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_SSH_EXT.1
  Sample audit record: W 07/08/13 02:10:44 03311 ssh: User 'hpn1': SFTP error. Invalid auth privilege level to transfer file from 10.100.226.1
RMON_SFTP_XFER_COMPLETE
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 06/13/13 22:24:24 03310 User 'hpn1': File Transfer complete from 10.100.1.42
RMON_SFTP_CONN_FAILED
  NDPP requirement: FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit record: W 06/13/13 22:31:00 03311 sftp: User 'hpn1': SFTP connection failure while connecting from 10.200.30.10
RMON_SFTP_XFER_START
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 06/13/13 22:24:24 03318 sftp: User 'hpn1': File transfer from 10.23.10.22 is in progress
Table 5-5. Auditable SSH/SFTP events
5.1.2.5 SSH/SCP
RMON_SSH_SCP_SESS
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit records:
    I 05/28/13 03:34:05 00637 ssh: scp session from 10.100.226.1
    W 05/28/13 03:34:04 03362 auth: User 'hpn1' login from 10.100.226.1
RMON_SCP_ERR
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit records:
    W 05/28/13 02:20:25 00639 ssh: scp_error :User 'hpn1' is logged in from 10.100.10.4 and cannot access the file invalid: No such file or directory.
    W 05/28/13 02:20:25 00639 ssh: scp_error :User 'hpn1' is logged in from 10.100.10.4 and cannot access flash: Permission denied.
RMON_SSH_SCP_SESS_STOP
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_SSH_EXT.1, FTP_ITC.1, FTP_TRP.1, FTA_SSL.4
  Sample audit record: I 05/28/13 03:34:05 02667 ssh: User 'hpn2': SCP session ended from 10.100.162.
Table 5-6. Auditable SSH/SCP events
5.1.2.6 SSL
RMON_SSL_CONNECT
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_TLS_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit records:
    I 11/28/03 00:53:41 00468 ssl: User 'hpn123' logged into SSL/TLS session for OpenFlow Controller Instance 1 from 10.100.14.1
    I 10/11/13 00:53:41 00468 ssl: User 'hpn123' logged into SSL/TLS session for Syslog from 10.100.14.1
RMON_SSL_DISCONNECT
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_TLS_EXT.1, FTP_ITC.1, FTP_TRP.1, FTA_SSL.4
  Sample audit records:
    I 11/28/03 00:53:41 00470 ssl: User 'hpn123' logged out of SSL session for OpenFlow Controller Instance 1 from 10.100.14.1
    I 11/28/03 00:53:41 00470 ssl: User 'hpn123' logged out of SSL session for Syslog from 10.100.14.1
RMON_SSL_CONN_FAILED
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_TLS_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit records:
    W 11/28/03 00:53:32 00469 ssl: User 'hpn123': SSL connection failed for OpenFlow session from 10.200.100.23.
    W 11/28/03 00:53:32 00469 ssl: User 'hpn123': SSL connection failed for Syslog session from 10.200.100.23.
RMON_OPFL_TCP_CONN_FAILED
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_TLS_EXT.1, FTP_ITC.1, FTP_TRP.1
  Sample audit records:
    OPENFLOW: OpenFlow Instance t1: TCP connection failed while connecting to the controller with IP address 20.0.0.2.
    OPENFLOW: OpenFlow Instance t1: TCP connection failed while connecting to the controller with IP address 20.0.0.2 via SSL.
RMON_USER_KILL_DISCON
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FCS_TLS_EXT.1, FTP_ITC.1, FTP_TRP.1, FTA_SSL.4
  Sample audit record: W 11/28/03 00:53:32 04241 auth: User 'hpn123' logged out from 10.100.221.1 as the SSL session was terminated by user
RMON_SSL_CERTIFICATE
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 11/28/03 00:53:32 00471 ssl: SSL certificate: Subject: Common Name=hp, Loc=blr, State=ka, Cntry=in, Org=hp, OrgUnit=hpn
RMON_AUTH_USER_SESSION_TIMEOUT
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL.3, FTA_SSL_EXT.1
  Sample audit record: I 07/02/13 11:08:18 04242 http: User 'nar' logged out from 10.100.221.1 due to session timeout
Table 5-7. Auditable SSL events
5.1.2.7 Console: Secondary
RMON_CONSOLE_TIME_OUT
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1, FTA_SSL_EXT.1, FTA_SSL.3
  Sample audit record: W 08/29/13 09:15:53 04242 auth: User 'hpn2' logout from 0.0.0.0 due to inactivity timer timeout for CONSOLE session
RMON_CONSOLE_OPERATOR_USR_PWD_SET
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 02714 auth: User 'hpn1' : Operator mode password is set
RMON_CONSOLE_OPERATOR_USR_PWD_RESET
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 02715 auth: User 'hpn1' : Operator mode password is reset
RMON_CONSOLE_MANAGER_USR_PWD_SET
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 02716 auth: User 'hpn1' : Manager mode password is set
RMON_CONSOLE_MANAGER_USR_PWD_RESET
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 02717 auth: User 'hpn1' : Operator mode password is reset
RMON_CONSOLE_INCLUDE_CRED
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 04237 auth: Include credentials enabled
RMON_CONSOLE_NO_INCLUDE_CRED
  NDPP requirement: FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 04238 auth: Include credentials disabled
RMON_CONSOLE_SECURE_MODE_EN
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 10/14/09 08:42:34 02718 auth: Transitioned to Enhanced secure mode
RMON_CONSOLE_SECURE_MODE_DIS
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 10/14/09 08:42:34 02719 auth: Transitioned to standard secure mode
RMON_CONSOLE_ENCRYPT_CRED
  NDPP requirement: FAU_GEN.1, FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 04235 auth: Encrypt credential enabled
RMON_CONSOLE_NO_ENCRYPT_CRED
  NDPP requirement: FAU_GEN.1, FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 04236 auth: Encrypt credentials disabled
RMON_ENABLE_MODE
  NDPP requirement: FAU_GEN.1, FIA_UAU_EXT.2, FIA_UIA_EXT.1
  Sample audit record: I 10/14/09 08:42:34 0424 mgr: User 'hpn1': Moved to manager mode for the SSH/Telnet/SSL session from IP address 10.100.23.34
Table 5-8. Auditable console events
5.1.2.8 Firmware Updates
RMON_FIRMWARE_UPDATE
  NDPP requirement: FAU_GEN.1, FPT_TUD_EXT.1
  Sample audit records:
    TFTP:
      I 10/14/09 08:47:30 04244 update: User 'hpn1': Secondary Image updated via network TFTP from 10.100.24.2
      I 10/14/09 08:45:35 00131 tftp: Transfer completed
      Firmware version: Before update: x.x.x  After update: x.x.x.
    USB:
      I 10/14/09 08:47:30 04244 update: User 'hpn1': Secondary Image updated via USB
      Firmware version: Before update: x.x.x  After update: x.x.x.
    XMODEM:
      I 10/14/09 08:47:30 04244 update: User 'hpn1': Secondary Image updated via xmodem
      Firmware version: Before update: x.x.x  After update: x.x.x.
    SFTP:
      I 10/14/09 08:47:30 04244 update: User 'hpn1': Secondary Image updated via sftp
      Firmware version: Before update: x.x.x  After update: x.x.x.
Table 5-9. Auditable firmware update events
5.1.2.9 Self-Tests
RMON_SYSTEM_SELF_TEST_BEGIN
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 10/14/09 08:47:30 03802 chassis: System Self test started on Slot A
RMON_SYSTEM_SELF_TEST_FAIL
  NDPP requirement: FAU_GEN.1
  Sample audit record: W 10/14/09 08:47:30 03804 chassis: System Self test failed on Slot A
RMON_SYSTEM_SELF_TEST_END
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 10/14/09 08:47:30 03803 chassis: System Self test completed on Slot A
RMON_CRYPTO_SELF_TEST_END
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 01/01/90 00:00:25 03401 crypto: Function POWER UP passed selftest.
Table 5-10. Auditable self-test events
5.1.2.10 SYSLOG
RMON_SYSLOG_START
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 10/14/09 08:47:30 04331 syslog: Information logging started on the SYSLOG server xx.xx.xx.xx over TCP/UDP/TLS protocol
RMON_SYSLOG_STOP
  NDPP requirement: FAU_GEN.1
  Sample audit record: I 10/14/09 08:47:30 04332 syslog: Information logging stopped on the SYSLOG server xx.xx.xx.xx over TCP/UDP/TLS protocol
Table 5-11. Auditable syslog events
5.1.2.11 Time Protocols
RMON_NCL_NEW_TIME
  NDPP requirement: FAU_GEN.1, FPT_STM.1
  Sample audit record: I 06/10/13 04:02:45 00178 mgr: Updated time by 739682734 seconds. Previous time was Mon Jan 1 00:36:54 1990. Current time is Mon Jun 10 04:02:28 2013
RMON_TIMEP_SET_TIME
  NDPP requirement: FAU_GEN.1, FPT_STM.1
  Sample audit record: I 06/10/13 04:02:45 00122 timep: Updated time by 739682734 seconds from the server with IP address 192.168.1.1. Previous time was Mon Jan 1 00:36:54 1990. Current time is Mon Jun 10 04:02:28 2013
RMON_SNTP_UPDATED_TIME
  NDPP requirement: FAU_GEN.1, FPT_STM.1
  Sample audit record: I 06/10/13 04:02:45 00413 SNTP: Updated time by 739682734 seconds from server with the IP address 192.168.1.1. Previous time was Mon Jan 1 00:36:54 1990. Current time is Mon Jun 10 04:02:28 2013
Table 5-12. Auditable time protocol events
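The entry layout of Table 5-1 and the sample records in Tables 5-2 to 5-12 are regular enough to be parsed mechanically, which is what an administrator collecting these logs for an NDPP audit trail will want to do. The following is an added example (not HPE code): it parses such entries, applies the same equal-or-higher-severity filter that the show logging event class options describe, and counts invalid user name/password records per source address. The sample lines are constructed from the records above; the event-number width, the optional module field and the regular expressions are assumptions about the format, not a published specification.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity codes from Table 5-1, ranked lowest to highest.
SEVERITY_RANK = {"D": 0, "I": 1, "W": 2, "E": 3, "M": 4}

# Entry layout from Table 5-1: severity, date, time, event number (only when
# log-numbers is enabled), module name, message. The module is treated as
# optional because one SFTP sample above omits it. Field widths are assumed.
ENTRY_RE = re.compile(
    r"^(?P<sev>[MEWID])\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<num>\d{4,5})\s+)?"
    r"(?:(?P<module>[A-Za-z0-9_]+):\s*)?"
    r"(?P<msg>\S.*)$"
)
# Wording of the RMON_TLNT_WARNING and RMON_SSH_CLIENT_CONN_FAILED records.
FAILED_LOGIN_RE = re.compile(r"Invalid user name\s*/\s*password", re.IGNORECASE)
SOURCE_IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class AuditEntry:
    severity: str
    date: str
    time: str
    event_number: Optional[str]   # None when numbering is off
    module: Optional[str]         # None when the record carries no module
    message: str


def parse_entry(line: str) -> Optional[AuditEntry]:
    """Parse one Event Log line; None for lines outside the Table 5-1 layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return AuditEntry(m["sev"], m["date"], m["time"], m["num"], m["module"], m["msg"])


def parse_log(text: str) -> Tuple[List[AuditEntry], List[str]]:
    """Split a log dump into parsed entries and the raw lines that were rejected."""
    entries: List[AuditEntry] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            rejected.append(line)
        else:
            entries.append(entry)
    return entries, rejected


def filter_by_class(entries: List[AuditEntry], event_class: str) -> List[AuditEntry]:
    """Keep entries of equal or higher severity, as the show logging class options do."""
    threshold = SEVERITY_RANK[event_class.upper()]
    return [e for e in entries if SEVERITY_RANK[e.severity] >= threshold]


def failed_logins_by_source(entries: List[AuditEntry]) -> Counter:
    """Count invalid user name/password records per source address."""
    counts: Counter = Counter()
    for e in entries:
        if FAILED_LOGIN_RE.search(e.message):
            ip = SOURCE_IP_RE.search(e.message)
            counts[ip.group(1) if ip else "unknown"] += 1
    return counts


# Constructed sample: records from Tables 5-2 to 5-10 above, with one repeated
# failure, one record without an event number, and one line that is not an
# entry at all (the OpenFlow message has no severity/date prefix).
SAMPLE_LOG = """\
W 05/22/13 20:39:20 03362 auth: User 'hpn123' logged in from 10.100.221.1 to telnet session
W 05/22/13 21:02:06 00419 auth: Invalid user name/password on TELNET session User 'hpn123' is trying to login from 10.100.221.2
W 05/22/13 21:02:20 00419 auth: Invalid user name/password on TELNET session User 'hpn123' is trying to login from 10.100.221.2
W 05/22/13 01:34:47 00419 auth: User 'hpn1': Invalid user name /password on SSH session from 10.100.14.1
I 05/22/13 20:49:12 04242 auth: User 'hpn123' logged out from 10.100.221.1 due to inactivity timer timeout for SSH session
I 06/13/13 22:24:24 03310 User 'hpn1': File Transfer complete from 10.100.1.42
W 10/14/09 08:47:30 chassis: System Self test failed on Slot A
OPENFLOW: OpenFlow Instance t1: TCP connection failed while connecting to the controller with IP address 20.0.0.2.
I 01/01/90 00:00:25 03401 crypto: Function POWER UP passed selftest.
"""

if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {len(rejected)} line(s) rejected")
    for e in filter_by_class(entries, "w"):       # equivalent of: show logging w
        print(e.severity, e.date, e.time, e.module or "-", e.message)
    for ip, n in failed_logins_by_source(entries).items():
        print(f"{n} failed login(s) from {ip}")
```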
6 Self-tests
The switch will perform a series of self-tests upon booting from a power cycle, or from the CLI boot
command.
Self-tests are designed to verify the integrity of cryptographic functions, and as such are run before any
cryptographic functionality is invoked. Should any tests fail, the switch will enter an error state.
The switch will perform the following tests:

| Test | Purpose |
|------|---------|
| RNG KAT (1) | Validate correct operation of Random Number Generator |
| SHA1 KAT (1) | Validate correct operation of SHA1 cryptographic algorithm |
| SHA256 KAT (1) | Validate correct operation of SHA256 cryptographic algorithm |
| SHA512 KAT (1) | Validate correct operation of SHA512 cryptographic algorithm |
| HMAC_SHA1 KAT (1) | Validate correct operation of HMAC_SHA1 cryptographic algorithm |
| 3DES KAT (1) | Validate correct operation of 3DES cryptographic algorithm |
| AES KAT (1) | Validate correct operation of AES cryptographic algorithm |
| DSA PCT (2) | Validate correct operation of DSA cryptographic algorithm |
| DSA2 PCT (2) | Validate correct operation of DSA2 cryptographic algorithm |
| RSA KAT (1) | Validate correct operation of RSA cryptographic algorithm |
| ECDSA PCT (2) | Validate correct operation of DSA2 cryptographic algorithm |

(1) Known Answer Test. (2) Pairwise Consistency Test.

Table 6-1. Cryptographic Self-Tests

In the event of a test failure, the switch will crash with a message similar to the following:

Product Code information:
Directory: /ws/swbuildm/rel_quebec_qaoff/code/build/anm(swbuildm_rel_quebec_qaoff_rel_quebec)
Date: Jan 16 2016 14:05:04
Version: KB.15.18.0008 573
Software exception at cryptoInit.c:267 -- in 'swInitTask', task ID = 0xaa43980
-> Crypto powerup selftests failed.
Callstack: 0x001de608 0x001e03b0 0x001def60 0x011e6208 0x0004e568 0x0004fe50 0x013e4074 0x013ea5f8 0x016eedec
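A compact model of the power-up self-test sequence this section describes, added here as an example and not taken from the switch firmware: each KAT recomputes an algorithm's output and compares it with a stored answer, the PCT checks that a loaded signing key pair signs and verifies consistently, and any failure aborts before cryptographic services are offered. The SHA and HMAC answers are the published FIPS 180-4 and RFC 2202 vectors; the toy RSA key pair, the test messages and all function names are constructed for illustration.

```python
import hashlib
import hmac

class SelfTestFailure(Exception):
    """Any KAT or PCT failure: the caller must not bring up crypto services."""

# Known-answer vectors: FIPS 180-4 "abc" examples and RFC 2202 HMAC-SHA1 case 1.
KAT_VECTORS = {
    "SHA1": (hashlib.sha1, b"abc",
             "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "SHA256": (hashlib.sha256, b"abc",
               "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "SHA512": (hashlib.sha512, b"abc",
               "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
               "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
}
HMAC_SHA1_KAT = (b"\x0b" * 20, b"Hi There",
                 "b617318655057264e28bc0b6fb378c8ef146be00")

# Constructed toy RSA key pair (p=61, q=53); it only shows the shape of a PCT.
# Real firmware runs the PCT on its production key types (DSA, ECDSA, ...).
TOY_KEY = {"n": 3233, "e": 17, "d": 2753}

def kat(name, fn, msg, expected):
    """Known-answer test: recompute a digest and compare with the stored answer."""
    if fn(msg).hexdigest() != expected:
        raise SelfTestFailure(f"{name} KAT failed")
    return name

def pct_signature(key, msg=42):
    """Pairwise consistency test: a signature made with the private part must
    verify under the public part, and a tampered signature must not."""
    sig = pow(msg, key["d"], key["n"])
    if pow(sig, key["e"], key["n"]) != msg:
        raise SelfTestFailure("signature PCT failed: sign/verify mismatch")
    if pow((sig + 1) % key["n"], key["e"], key["n"]) == msg:
        raise SelfTestFailure("signature PCT failed: tampered signature verified")
    return "PCT"

def run_power_up_self_tests(key=TOY_KEY):
    """Run every test before any cryptographic service is offered; returns the
    names of the tests that passed and raises on the first failure."""
    passed = [kat(n, fn, m, exp) for n, (fn, m, exp) in KAT_VECTORS.items()]
    k, data, expected = HMAC_SHA1_KAT
    if hmac.new(k, data, hashlib.sha1).hexdigest() != expected:
        raise SelfTestFailure("HMAC_SHA1 KAT failed")
    passed.append("HMAC_SHA1")
    passed.append(pct_signature(key))
    return passed
```

A key pair whose private half has been corrupted (for example by a bad image or storage fault) fails the PCT even though every KAT passes, which is why the switch halts rather than continuing with only the hash tests green.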
Front Panel LED Behavior
During self-tests, the front-panel LEDs will exhibit the following behavior:
- Initially, Power, Fault, Locator, and all the switch chassis LEDs are on. Then, after approximately 30 seconds, all the module LEDs go on as the modules receive power and code is downloaded to them, the Fault LED goes off, and the chassis LEDs turn orange and then go off except Test, Fan, and Power, which turn green.
- When the download of code to the modules is completed, the module LEDs go off. You may see each port LED go on briefly, in sequence, as the port is tested.
- For the duration of the self-test, the Test LED stays on.
When the self-tests complete successfully, the front panel LEDs will exhibit the following behavior:
- The Power LED stays on, and the Status LEDs on the switch chassis stay on for the devices installed: one for each switch module installed, one for each power supply installed, and one for all the fans.
- The Fault, Locator, and Test LEDs are off.
- The port LEDs on the switch modules go into their normal operational mode:
  o If the ports are connected to active network devices, the Link LEDs stay on and the Mode LEDs behave according to the mode selected. In the default mode (Activity), the Mode LEDs should flicker showing network activity on the port.
  o If the ports are not connected to active network devices, the LEDs will stay off.
7 Process List
The following processes running on the switch relate to features required by the evaluated configuration.
NOTE: All processes on the switch (including those not related to the evaluated configuration) run at the highest privilege level (i.e., root) unless otherwise specified.
| Name | Description | Notes |
|------|-------------|-------|
| CnfTrMgr | ConfigTree Manager task | Handles configuration updates |
| crlMgrCtrl | CRL manager ctrl task | Certificate Revocation List |
| EvLogCtrl | Event logging task | |
| ftTask | File Transfer Task | Used for software updates and file transfers to/from switch |
| HttpCtrl | HTTP control task | With HTTP daemon, handles TLS/SSL connections |
| Httpd | HTTP Daemon | |
| IkmTask | ID and key management task | Management task used in the installation of private keys, certificates, trust anchors, etc. |
| LoginTrkFlush | Handles user login records | |
| RMConRedirCtrl | rdMgmt Console Redir | Redirects management module console |
| RMCRAmmInput | Conredir input task on AMM | Redirects management module console |
| RSAKeyGen | RSA key generator task | |
| SecmodCtrl | Secure Mode task | |
| SesInp1 | Console session I/O handler | Handles console I/O. Pre-allocated at boot. Runs whether or not console is connected. |
| SesInp2 | Console session I/O handler | Handles console I/O. Pre-allocated at boot. Runs whether or not console is connected. |
| SesInp3 | Console session I/O handler | Handles console I/O. Pre-allocated at boot. Runs whether or not console is connected. |
| SesInp4 | Console session I/O handler | Handles console I/O. Pre-allocated at boot. Runs whether or not console is connected. |
| SesInp5 | Console session I/O handler | Handles console I/O. Pre-allocated at boot. Runs whether or not console is connected. |
| SesInp6 | Console session I/O handler | Handles console I/O. Pre-allocated at boot. Runs whether or not console is connected. |
| Sess1 | Console session | Manages individual console session. Pre-allocated at boot. Runs whether or not console is connected. |
| Sess2 | Console session | Manages individual console session. Pre-allocated at boot. Runs whether or not console is connected. |
| Sess3 | Console session | Manages individual console session. Pre-allocated at boot. Runs whether or not console is connected. |
| Sess4 | Console session | Manages individual console session. Pre-allocated at boot. Runs whether or not console is connected. |
| Sess5 | Console session | Manages individual console session. Pre-allocated at boot. Runs whether or not console is connected. |
| Sess6 | Console session | Manages individual console session. Pre-allocated at boot. Runs whether or not console is connected. |
| SntpTask | SNTP control task | Synchronizes switch with remote time server over SNTP. |
| Ssh0 | SSH Session | Manages individual SSH session. Pre-allocated at boot. Runs whether or not SSH session is connected. |
| Ssh1 | SSH Session | Manages individual SSH session. Pre-allocated at boot. Runs whether or not SSH session is connected. |
| Ssh2 | SSH Session | Manages individual SSH session. Pre-allocated at boot. Runs whether or not SSH session is connected. |
| Ssh3 | SSH Session | Manages individual SSH session. Pre-allocated at boot. Runs whether or not SSH session is connected. |
| Ssh4 | SSH Session | Manages individual SSH session. Pre-allocated at boot. Runs whether or not SSH session is connected. |
| Ssh5 | SSH Session | Manages individual SSH session. Pre-allocated at boot. Runs whether or not SSH session is connected. |
| SshAlrm | SSH alarm control | Handles and responds to SSH events |
| Sshd | SSH Daemon | |
| Telnetd | Telnet Daemon | |
| TelSes1 | Telnet Session Handler | Manages individual telnet session. Pre-allocated at boot. Runs whether or not telnet session is connected. |
| TelSes2 | Telnet Session Handler | Manages individual telnet session. Pre-allocated at boot. Runs whether or not telnet session is connected. |
| TelSes3 | Telnet Session Handler | Manages individual telnet session. Pre-allocated at boot. Runs whether or not telnet session is connected. |
| TelSes4 | Telnet Session Handler | Manages individual telnet session. Pre-allocated at boot. Runs whether or not telnet session is connected. |
| TelSes5 | Telnet Session Handler | Manages individual telnet session. Pre-allocated at boot. Runs whether or not telnet session is connected. |
| TelSes6 | Telnet Session Handler | Manages individual telnet session. Pre-allocated at boot. Runs whether or not telnet session is connected. |
| TimepTask | TimeP Control Task | Synchronizes switch with remote time server over TimeP. |
| uiCore | Session IO dispatcher | Handles CLI I/O |
| uiCtrl | System Mgmt. Entity | Provides CLI backend |
| USB_Server_Task | USB Driver server task | |
| UsbClient | USB Driver client task | |

Table 7-1. Relevant Process list
The following processes will also be running on the switch, but do not relate to the evaluated
configuration. All processes run at the highest privilege level (i.e., root) unless otherwise specified.
8021xCtrl, AcctCtrl, AdMgrCtrl, AgentIO, AsicCtrl, BulkOnly, byodCtrl, ByodHttpd, CdATftp, CdpCtrl,
CdUpld, ChassCtrl, ChassMgr, ClistCtrl, CntrsCtrl, CrashFrz, CrashHdl, dcaCtrl, DebugCtrl, DevIdle,
DevMm2mmQ0Rx, DevMm2mmQ2Rx, DevOobmLink, DevOobmRx, DevPollRx, DevPollTx, DHCPClint, DhcpdCtrl, Dhcpv6CCtl, Dhcpv6CRcv,
Dhcpv6Rly, DiscCtrl, DldpCtrl, DnldCtrl, DrvPoll, DsnoopCtrl, Dsnoopv6Ctrl, DTCtrl, DTHelper, DTIscpRcv,
DTKeepAlive, EaseCtrl, ErrTriage, FabricMgr, FanMgr, FastlogCtrl, fault_handler, fdrIntLogTask, FfCtrl, FileServer,
GarpCtrl, ghsDbgTask, ghsFRCTask, GvrpCtrl, HealthMonitor, HpespMgr, HpespMgrAlrm, HSmgr, HttpCtRv, ICLMgr,
Idle, idmCtrl, IgmpCtrl, InetServer, InstCtrl, IOAssistant0, IOTask, IpAdMCtrl, IpCtrl, IpPktRecv,
IpVlanInfo, IspMaster, LACPCtrl, LdBalCtrl, LinkTest, LinkTstIp, lldpCtrl, LoopPCtrl, LoopPTx, LpmgrCtrl,
macsecCtrl, MLD, MstpCtrl, MTM, NSA, NSR, NullPipeOut, NvfsCtrl, OFCtrlTask, OFNetTask,
OFPktRecv, OobmCtrl, OobmIfCtr, OobmTx, Pim, PimRecv, PoeMstCtl, PORTSECMCtrl, PosixServer, PpmgrCtrl,
PvGreCtrl, PvstCtrl, PwrMgr, RadiusCtrl, RadiusR, RaGuardCtrl, RdAssist, RdHelper, rdiscRcv, rdiscRcv6,
rdiscTimer, RdMgtCtrl, ResourceManager, RfsCtrl, RMirrorCtrl, RouteCtrl, SDIOCardIOTask, SensorMgr, SIGIO Task, SIHeartbtCtrl,
SmartlinkCtrl, SnmpCtrl, SnmpEvt, SnmpFrwd, SnmpRcv, StackCtrl, StkIpCtrl, SvcWorkQ, Syncer, TacacsCtrl,
TacacsR, TftpDmn, TftpFrwd, ThermalMgr, UdldCtrl, UDPFCtrl, UfdCtrl, Unmounter, VirusThCtrl, VlsCtrl,
VrrpCtrl, VrrpPSEND, VrrpStaticRt, VxlanCtrl, VxServer, WebAuth