Security Policy

Function

Table 1 describes the system management functions on the MM910 web user interface (WebUI).

Table 1 Function description

Item

Function Description

Web timeout period (minutes)

Maximum idle period (in minutes) after which the user will be logged out of the HMM WebUI.

Value range: 5 to 120

Default value: 5

Web 80 Port (HTTP)

Port for automatically switching HTTP to HTTPS.

  • On: enables automatic switching of HTTP to HTTPS. This setting may pose security risks.
  • Off: disables automatic switching of HTTP to HTTPS. This setting helps improve system security.

Default value: Off

Login Security Banner Settings

Setting of the login security banner.

  • On: enables the login security banner. The security banner will be displayed on the login page.
  • Off: disables the login security banner.

Default value: On

Security Message

Security banner text to be displayed on the login page.

Value: a string of up to 1600 characters, which can contain letters, digits, spaces, carriage returns, and the following special characters: !@#$%:;~,.-+=_/|()[]{}

TLS Version

Transport Layer Security (TLS) versions to enable.

TLS ensures data confidentiality and integrity between two communicating applications. Different TLS versions can be enabled based on requirements. By default, TLS 1.1 and TLS 1.2 are selected.

NOTE:

TLS 1.0 poses security risks. Select TLS 1.1 and TLS 1.2 for security purposes.

Enhanced SSL security

Setting of the enhanced SSL security.

  • On: disables the Rivest-Shamir-Adleman (RSA) algorithm, which poses security risks.
  • Off: enables the RSA algorithm.

Default value: Off

SNMP V3 and SNMP Trap V3 Authentication protocol

Authentication protocol to be used.

Value:

  • MD5
  • SHA

Default value: SHA

NOTE:

Using MD5 may pose security risks. You are advised to use SHA.

SNMP V3 and SNMP Trap V3 Privacy protocol

Privacy protocol to be used.

Value:

  • DES
  • AES

Default value: AES

NOTE:

Using DES may pose security risks. You are advised to use AES.

SSH Password Authentication

  • On: allows the user to log in to the MM910 over SSH using the user name and password.
  • Off: disables password login over SSH; the user logs in to the MM910 using the public key.

Default value: On

Public Key Authentication

  • On: allows the user to log in to the MM910 over SSH, using the public key.
  • Off: disables the use of the public key for login to the MM910 over SSH.

Default value: On

Password Validity Period (Day)

Validity period (in days) of the password.

Value range: 0 to 360. The value 0 indicates that the password never expires.

Default value: 180

NOTE:

When a user password is about to expire in 9 days or less, the system automatically reminds the user to change the password.

Login Policy for Expired Passwords

Login policy for users with expired passwords. The values are as follows:

  • Login not allowed: If a user with an expired password attempts to log in, the message "Login failed because the password has expired" is displayed.
  • Password change required: If a user with an expired password attempts to log in, the password change page is displayed. The user can log in after changing the password.

Default value: Login not allowed

Restrict Previous Passwords

Number of previous passwords that cannot be used.

Value range: 0 to 5. If this parameter is set to 0, there is no restriction on the use of previously used passwords.

Default value: 5

Account Locking

Maximum number of unsuccessful login attempts (value range: 1 to 5; default: 5) after which the user account is locked, and the account lockout period (value range: 1 to 10 minutes; default: 10).

If a user account is locked, the user cannot log in to the system within the lockout period.

NOTE:
  • If the SNMP account is locked, users can still log in to the system over SSH, WebUI, or a serial port. If the SSH, WebUI, or serial port account is locked, users can still log in to the system over SNMP.
  • You can run the smmset -d unlockuser -v username command to unlock the account in an emergency.

Emergency Login User

A user who can log in to the HMM WebUI irrespective of the password validity period or login rules.

The user can log in to the MM910 WebUI in case of emergency.

Default value: root

NOTE:

An emergency login user must be an administrator.

VMM port

Port over which remote VMM data is transferred.

Default value: 8501

NOTE:

After the port number is changed, the established VMM connections will be disconnected.

KVM service ports

  • KVM control port: port used to transfer the KVM control messages, such as the messages for obtaining compute node status, exiting the KVM, and switching to split-screen mode. The default port number is 2198.
  • KVM data port: port used to transfer the data input and output by the KVM keyboard and mouse, and to transfer image data. The default port number is 2200.
NOTE:

After a KVM port number is changed, the established KVM connections will be disconnected.

Import Rule

This button allows you to import user login rules. New login rules will replace existing rules in the OS.

Export Rule

This button allows you to export the MM910 login rules (.cfg) to a local directory.

  • If Compatible with the export mode of an earlier version is not selected, the exported login rule files can be imported only into MM910 versions later than (U54) 6.00.
  • If Compatible with the export mode of an earlier version is selected, the exported login rule files are compatible with MM910 versions earlier than (U54) 6.00.

Login Rule

Rules for user login.

NOTE:
  • A maximum of 30 login rules are supported.
  • Users who meet one of the selected rules can log in to the MM910 WebUI or CLI.

Time Range

Time period during which users can log in to the MM910.

Set the time range based on actual requirements:

  • To specify the login period, set the time range in the YYYY-MM-DD HH:MM format. For example, set the start time to 2014-08-30 08:30 and the end time to 2014-12-30 20:30.
  • To specify the start and end dates for login, set the time range in the YYYY-MM-DD format. For example, set the start date to 2014-08-30 and the end date to 2014-12-30.
  • To specify the login period within a day, set the time range in the HH:MM format. For example, set the start time to 08:30 and the end time to 20:30.
NOTE:

The start and end time formats for a rule must be the same.

IP Range

IP address or IP address segment that is allowed to access the MM910.

The following formats are supported:

  • xxx.xxx.xxx.xxx: IP address allowed to access the MM910.
  • xxx.xxx.xxx.xxx/mask: IP address segment allowed to access the MM910.
NOTE:

The value range for mask is 1 to 32.

MAC Range

MAC address or MAC address header that is allowed to access the MM910.

The following formats are supported:

  • xx:xx:xx: MAC address header allowed to access the MM910.
  • xx:xx:xx:xx:xx:xx: MAC address allowed to access the MM910.
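The following is an added example (not code from the MM910 or its documentation) that evaluates a login attempt against rules written in the Time Range, IP Range and MAC Range formats described above. The rule dictionary keys, the sample rules, and the assumption that all three fields of one rule must hold for that rule to match are the example's own; the page only states that matching one of the selected rules is sufficient.

```python
import ipaddress
from datetime import datetime

# Constructed sample: two login rules using the field formats described on this page.
SAMPLE_RULES = [
    {"start": "08:30", "end": "20:30", "ip": "192.168.1.0/24", "mac": "00:1a:2b"},
    {"start": "2014-08-30", "end": "2014-12-30", "ip": "10.0.0.5", "mac": "00:1a:2b:3c:4d:5e"},
]

# The three accepted time formats; start and end of one rule must use the same one.
TIME_FORMATS = ("%Y-%m-%d %H:%M", "%Y-%m-%d", "%H:%M")


def ip_allowed(rule: str, addr: str) -> bool:
    """rule is 'xxx.xxx.xxx.xxx' or 'xxx.xxx.xxx.xxx/mask' with mask 1 to 32."""
    host = ipaddress.IPv4Address(addr)
    if "/" in rule:
        net, mask = rule.split("/", 1)
        if not 1 <= int(mask) <= 32:
            raise ValueError("mask must be 1 to 32")
        return host in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return host == ipaddress.IPv4Address(rule)


def mac_allowed(rule: str, mac: str) -> bool:
    """rule is a three-octet header 'xx:xx:xx' or a full six-octet address."""
    r, m = rule.lower().split(":"), mac.lower().split(":")
    if len(r) not in (3, 6) or len(m) != 6:
        raise ValueError("MAC rule must have 3 or 6 octets; address must have 6")
    return m[:len(r)] == r


def time_allowed(start: str, end: str, now: str) -> bool:
    """now is 'YYYY-MM-DD HH:MM'; the window is interpreted by the format it uses."""
    current = datetime.strptime(now, "%Y-%m-%d %H:%M")
    for fmt in TIME_FORMATS:
        try:
            s, e = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
        except ValueError:
            continue
        if fmt == "%H:%M":      # daily window: compare time of day only
            return s.time() <= current.time() <= e.time()
        if fmt == "%Y-%m-%d":   # date window: compare calendar dates only
            return s.date() <= current.date() <= e.date()
        return s <= current <= e
    raise ValueError("start and end must share one supported format")


def login_permitted(rules, addr: str, mac: str, now: str) -> bool:
    """Assumed: every field of a rule must hold; matching any one rule suffices."""
    return any(ip_allowed(r["ip"], addr) and mac_allowed(r["mac"], mac)
               and time_allowed(r["start"], r["end"], now) for r in rules)
```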

Password complexity

SMM: setting of the password complexity check for the MM910.

Value:

  • On: enables the password complexity check.

    The MM910 user password is case-sensitive and must meet the following requirements:

    • Contain 8 to 32 characters.
    • Contain a space or one of the following special characters:

      `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

    • Contain at least two types of the following characters:
      • Uppercase letters A to Z
      • Lowercase letters a to z
      • Digits 0 to 9
    • Not be the same as the user name or the user name in reverse order.
  • Off: disables the password complexity check.

    The password must contain 8 to 32 characters.

For security purposes, set this parameter to On.

Slotx: setting of the password complexity check for a compute node in slotx.

Value:

  • On: enables the password complexity check.

    The BMC user password must meet the following requirements:

    • Contain 8 to 20 characters.
    • Contain a space or one of the following special characters:

      `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

    • Contain at least two types of the following characters:
      • Uppercase letters A to Z
      • Lowercase letters a to z
      • Digits 0 to 9
    • Not be the same as the user name or the user name in reverse order.
  • Off: disables the password complexity check.

    The password must contain 8 to 20 characters.
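The following is an added example (not the MM910's own implementation) of the password complexity rules above, written so that one function covers both the SMM check (8 to 32 characters) and the compute-node BMC check (8 to 20 characters) through the max_len parameter; the function names and messages are the example's own.

```python
import string

# Special characters accepted by the complexity check, exactly as listed on this page.
SPECIALS = r"""`~!@#$%^&*()-_=+\|[{}];:'",<.>/?"""


def check_password(password: str, username: str, max_len: int = 32) -> list:
    """Return the list of violated complexity rules; an empty list means the
    password is acceptable. max_len is 32 for MM910 (SMM) accounts and 20 for
    compute-node BMC accounts. All comparisons are case-sensitive."""
    problems = []
    if not 8 <= len(password) <= max_len:
        problems.append(f"length must be 8 to {max_len} characters")
    if not any(c == " " or c in SPECIALS for c in password):
        problems.append("must contain a space or a special character")
    # Count how many of the three character classes are present.
    classes = (any(c in string.ascii_uppercase for c in password)
               + any(c in string.ascii_lowercase for c in password)
               + any(c in string.digits for c in password))
    if classes < 2:
        problems.append("must contain at least two of: uppercase, lowercase, digits")
    if password in (username, username[::-1]):
        problems.append("must not equal the user name or its reverse")
    return problems


def check_password_complexity_off(password: str, max_len: int = 32) -> bool:
    """With the complexity check set to Off, only the length rule remains."""
    return 8 <= len(password) <= max_len
```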

KVM encryption

Function for encrypting sensitive KVM data before transmission between the client and the server. Sensitive data includes image data, keyboard data, power-on and power-off data, and private-mode data.

  • On: The KVM data is encrypted by using the AES128 algorithm before being transmitted between the server and the client.
  • Off: The KVM data is not encrypted before transmission. For security purposes, set this parameter to On.

Default value: Off

NOTE:
  • If VMM encryption is enabled, you must enable KVM encryption. If KVM encryption is enabled, you can determine whether to enable VMM encryption as required.
  • If KVM encryption and VMM encryption are unavailable for a compute node, the compute node does not support encryption. If you need to use the functions, contact technical support.
  • Ensure that no terminal is connected to any KVM before setting KVM encryption and VMM encryption; otherwise, the setting fails.
  • Keyboard data is always encrypted even if the KVM encryption is not enabled.

VMM encryption

Function for encrypting data before the data is transmitted through a virtual medium, such as a virtual DVD-ROM drive, FDD, and folder.

  • On: The data is encrypted by using the AES128 algorithm before being transmitted between the server and the client.
  • Off: The data is not encrypted before transmission. For security purposes, set this parameter to On.

Default value: Off

NOTE:
  • If VMM encryption is enabled, you must enable KVM encryption. If KVM encryption is enabled, you can determine whether to enable VMM encryption as required.
  • If KVM encryption and VMM encryption are unavailable for a compute node, the compute node does not support encryption. If you need to use the functions, contact technical support.
  • Ensure that no terminal is connected to any KVM before setting KVM encryption and VMM encryption; otherwise, the setting fails.
  • Keyboard data is always encrypted even if the KVM encryption is not enabled.