
Avaya Business Rules Engine Security Guide

Release 3.6 Issue 1 November 2020

© 2020 Avaya Inc.
All Rights Reserved.

Notice
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
“Documentation” means information published in varying mediums which may include product information, operating instructions and performance specifications that are generally made available to users of products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of Documentation unless such modifications, additions, or deletions were performed by or on the express behalf of Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked websites referenced within this site or Documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on Avaya hardware and software. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product while under warranty is available to Avaya customers and other parties through the Avaya Support website: http://support.avaya.com/helpcenter/getGenericDetails?detailId=C20091120112456651010 under the link “Warranty & Product Lifecycle” or such successor site as designated by Avaya. Please note that if You acquired the product(s) from an authorized Avaya Channel Partner outside of the United States and Canada, the warranty is provided to You by said Avaya Channel Partner and not by Avaya.

“Hosted Service” means an Avaya hosted service subscription that You acquire from either Avaya or an authorized Avaya Channel Partner (as applicable) and which is described further in Hosted SAS or other service description documentation regarding the applicable hosted service. If You purchase a Hosted Service subscription, the foregoing limited warranty may not apply but You may be entitled to support services in connection with the Hosted Service as described further in your service description documents for the applicable Hosted Service. Contact Avaya or Avaya Channel Partner (as applicable) for more information.

Hosted Service
THE FOLLOWING APPLIES ONLY IF YOU PURCHASE AN AVAYA HOSTED SERVICE SUBSCRIPTION FROM AVAYA OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE), THE TERMS OF USE FOR HOSTED SERVICES ARE AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO UNDER THE LINK “Avaya Terms of Use for Hosted Services” OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, AND ARE APPLICABLE TO ANYONE WHO ACCESSES OR USES THE HOSTED SERVICE. BY ACCESSING OR USING THE HOSTED SERVICE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE DOING SO (HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO THE TERMS OF USE. IF YOU ARE ACCEPTING THE TERMS OF USE ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS OF USE. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT WISH TO ACCEPT THESE TERMS OF USE, YOU MUST NOT ACCESS OR USE THE HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR USE THE HOSTED SERVICE.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE,

November 2020 Avaya Business Rules Engine Security Guide 2

HTTP://SUPPORT.AVAYA.COM/LICENSEINFO, UNDER THE LINK “AVAYA SOFTWARE LICENSE TERMS (Avaya Products)” OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE (“AVAYA”).

Avaya grants You a license within the scope of the license types described below, with the exception of Heritage Nortel Software, for which the scope of the license is detailed below. Where the order documentation does not expressly identify a license type, the applicable license will be a Designated System License as set forth below in Section M(i)1 or 2 as applicable. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the documentation or other materials available to You. “Software” means computer programs in object code, provided by Avaya or an Avaya Channel Partner, whether as stand-alone products, pre-installed on hardware products, and any upgrades, updates, patches, bug fixes, or modified versions thereto. “Designated Processor” means a single stand-alone computing device. “Server” means a set of Designated Processors that hosts (physically or virtually) a software application to be accessed by multiple users. “Instance” means a single copy of the Software executing at a particular time: (i) on one physical machine; or (ii) on one deployed software virtual machine (“VM”) or similar deployment.

License type(s)
Designated System(s) License (DS). End User may install and use each copy or an Instance of the Software only: 1) on a number of Designated Processors up to the number indicated in the order; or 2) up to the number of Instances of the Software as indicated in the order, Documentation, or as authorized by Avaya in writing. Avaya may require the Designated Processor(s) to be identified in the order by type, serial number, feature key, Instance, location or other specific designation, or to be provided by End User to Avaya through electronic means established by Avaya specifically for this purpose.

Cluster License (CL). End User may install and use each copy or an Instance of the Software only up to the number of Clusters as indicated on the order with a default of one (1) Cluster if not stated. “Cluster” means a group of Servers and other resources that act as a single system.

Shrinkwrap License (SR). You may install and use the Software in accordance with the terms and conditions of the applicable license agreements, such as “shrinkwrap” or “clickthrough” license accompanying or applicable to the Software (“Shrinkwrap License”).

Transaction License (TR). End User may use the Software up to the number of Transactions as specified during a specified time period. A “Transaction” means the unit by which Avaya, at its sole discretion, bases the pricing of its licensing and can be, without limitation, measured by the usage, access, interaction (between client/server or customer/organization), or operation of the Software within a specified time period (e.g. per hour, per day, per month). Some examples of Transactions include but are not limited to each greeting played/message waiting enabled, each


personalized promotion (in any channel), each callback operation, each live agent or web chat session, each call routed or redirected (in any channel). End User may not exceed the number of Transactions without Avaya’s prior consent and payment of an additional fee.

Heritage Nortel Software
“Heritage Nortel Software” means the software that was acquired by Avaya as part of its purchase of the Nortel Enterprise Solutions Business in December 2009. The Heritage Nortel Software is the software contained within the list of Heritage Nortel Products located at http://support.avaya.com/LicenseInfo/ under the link “Heritage Nortel Products,” or such successor site as designated by Avaya. For Heritage Nortel Software, Avaya grants Customer a license to use Heritage Nortel Software provided hereunder solely to the extent of the authorized activation or authorized usage level, solely for the purpose specified in the Documentation, and solely as embedded in, for execution on, or for communication with Avaya equipment. Charges for Heritage Nortel Software may be based on extent of activation or use authorized as specified in an order or invoice.

Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, Hosted Service, or hardware provided by Avaya. All content on this site, the documentation, Hosted Service, and the product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.

Virtualization
The following applies if the product is deployed on a virtual machine. Each product has its own ordering code and license types. Unless otherwise stated, each Instance of a product must be separately licensed and ordered. For example, if the end user customer or Avaya Channel Partner would like to install two Instances of the same type of products, then two products of that type must be ordered.

Third Party Components
“Third Party Components” mean certain software programs or portions thereof included in the Software or Hosted Service may contain software (including open source software) distributed under third party agreements (“Third Party Components”), which contain terms regarding the rights to use certain portions of the Software (“Third Party Terms”). As required, information regarding distributed Linux OS source code (for those products that have distributed Linux OS source code) and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply is available in the products, Documentation or on Avaya’s website at: http://support.avaya.com/Copyright or such successor site as designated by Avaya. The open source software license terms provided as Third Party Terms are consistent with the license rights granted in these Software License Terms, and may contain additional rights benefiting You, such as modification and distribution of the open source software. The Third Party Terms shall take precedence over these Software License Terms, solely with respect to the applicable Third Party Components, to the extent that these Software License Terms impose greater restrictions on You than the applicable Third Party Terms.

The following applies only if the H.264 (AVC) codec is distributed with the product. THIS PRODUCT IS LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO (i) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD ("AVC VIDEO") AND/OR (ii) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM


Service Provider
THE FOLLOWING APPLIES TO AVAYA CHANNEL PARTNER’S HOSTING OF AVAYA PRODUCTS OR SERVICES. THE PRODUCT OR HOSTED SERVICE MAY USE THIRD PARTY COMPONENTS SUBJECT TO THIRD PARTY TERMS AND REQUIRE A SERVICE PROVIDER TO BE INDEPENDENTLY LICENSED DIRECTLY FROM THE THIRD PARTY SUPPLIER. AN AVAYA CHANNEL PARTNER’S HOSTING OF AVAYA PRODUCTS MUST BE AUTHORIZED IN WRITING BY AVAYA AND IF THOSE HOSTED PRODUCTS USE OR EMBED CERTAIN THIRD PARTY SOFTWARE, INCLUDING BUT NOT LIMITED TO MICROSOFT SOFTWARE OR CODECS, THE AVAYA CHANNEL PARTNER IS REQUIRED TO INDEPENDENTLY OBTAIN ANY APPLICABLE LICENSE AGREEMENTS, AT THE AVAYA CHANNEL PARTNER’S EXPENSE, DIRECTLY FROM THE APPLICABLE THIRD PARTY SUPPLIER.

WITH RESPECT TO CODECS, IF THE AVAYA CHANNEL PARTNER IS HOSTING ANY PRODUCTS THAT USE OR EMBED THE H.264 CODEC OR H.265 CODEC, THE AVAYA CHANNEL PARTNER ACKNOWLEDGES AND AGREES THE AVAYA CHANNEL PARTNER IS RESPONSIBLE FOR ANY AND ALL RELATED FEES AND/OR ROYALTIES. THE H.264 (AVC) CODEC IS LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO: (I) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD ("AVC VIDEO") AND/OR (II) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION FOR H.264 (AVC) AND H.265 (HEVC) CODECS MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM.

Compliance with Laws
You acknowledge and agree that it is Your responsibility for complying with any applicable laws and regulations, including, but not limited to laws and regulations related to call recording, data privacy, intellectual property, trade secret, fraud, and music performance rights, in the country or territory where the Avaya product is used.

Preventing Toll Fraud
“Toll Fraud” is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Toll Fraud intervention
If You suspect that You are being victimized by Toll Fraud and You need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Support website: http://support.avaya.com, or such successor site as designated by Avaya.

Security Vulnerabilities
Information about Avaya’s security support policies can be found in the Security Policies and Support section of support.avaya.com/security

Suspected Avaya product security vulnerabilities are handled per the Avaya Product Security Support Flow (https://support.avaya.com/css/P8/documents/100161515).

Downloading Documentation
For the most current versions of Documentation, see the Avaya Support website: http://support.avaya.com, or such successor site as designated by Avaya.

Contact Avaya Support
See the Avaya Support website: http://support.avaya.com for product or Hosted Service notices and articles, or to report a problem with your Avaya product or Hosted Service. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: http://support.avaya.com (or such successor site as designated by Avaya), scroll to the bottom of the page, and select Contact Avaya Support.

Trademarks


The trademarks, logos and service marks (“Marks”) displayed in this site, the Documentation, Hosted Service(s), and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, its licensors, its suppliers, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the Documentation, Hosted Service(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.


Contents

Chapter 1: Introduction ...... 9
  Purpose ...... 9
  Revision History ...... 9
  New in this release ...... 9

Chapter 2: Working with HTTP/HTTPS ...... 11
  About HTTP/HTTPS settings in ABRE ...... 11
  Enabling or Disabling HTTP ...... 11

Chapter 3: Working with TLS settings ...... 12
  Enable/Disable TLS version 1.1 ...... 12
  Enable/Disable TLS for local Config/Audit Log DB ...... 12
  Enable/Disable TLS for RDR DB ...... 13
    Enable/Disable TLS for PostgreSQL RDR DB ...... 13
    Enable/Disable TLS for MySQL RDR DB ...... 14
    Enable/Disable TLS for Oracle RDR DB ...... 14
    Enable/Disable TLS for Microsoft SQL Server RDR DB ...... 16
  Enable/Disable TLS for CMS Connector ...... 16
  Enable/Disable TLS for Kafka ...... 18

Chapter 4: Working with SSL Certificates ...... 19
  Changing SSL Certificates for Web Access (NGINX) ...... 19
  Changing SSL Certificates for local Config/Audit Log DB ...... 19
  SSL Certificates for CMS Connector ...... 20

Chapter 5: Other security settings ...... 21
  IPTables ...... 21
  Port ...... 21
  Data Privacy - GDPR ...... 21
  Enable/Disable Enhanced Access Security Gateway (EASG) ...... 22
  FIPS Enable/Disable ...... 23
  AIDE Integration ...... 23
    Updating AIDE database ...... 25
  Monitoring ...... 26
  Cross-Origin Resource Sharing (CORS) ...... 26
  Installing Haveged - Entropy Daemon ...... 27

Chapter 6: Resources ...... 28
  Related resources ...... 28
  Support ...... 29

Appendix – A: Configuring Internal Firewall ...... 30
  Script Execution - Example ...... 31
  Enabling other Ports (for CMS Connector or Import Export Tool) ...... 37
  Disabling firewall / Clearing current firewalld settings ...... 37


Chapter 1: Introduction

Purpose

This document explains how to set up the security-related features of Avaya Business Rules Engine. It is intended for anyone who needs to configure security-related settings for Avaya Business Rules Engine.

Revision History

Release Date    Release number    Summary of Changes
August 2020     3.6               Updated as per the ‘New in this release’ section given below.

New in this release

• Avaya Aura® System Manager (SMGR) Single Sign-On (SSO) integration with BRE: SMGR provides a wide range of security functionality including Identity Management, Authentication, Authorization and Single Sign-on (SSO). These functions are provided to applications running inside the SMGR container and are also extended to applications running on a remote device or machine. Single Sign-On (SSO) is the property of being able to access multiple secured and related, but independent or distributed software systems and applications. With this property a user logs in once and gains access to all systems without being prompted to log in again at each system. SSO can be achieved between applications/services running in the same application container or between applications/services in different containers and machines.
• ABRE in AACC Solution: Earlier, ABRE was used in the Avaya Aura Communication Manager (CM)/Elite solution. ABRE’s Decision API could find the best agent group to route the call based on the call statistics retrieved from CM via the ABRE CMS Connector. Now, you can use ABRE in the Avaya Aura Contact Center (AACC) solution in a similar way. As per the requirement, both Avaya Aura® Experience Portal (AEP) and Callback Assist (CBA) need ABRE in the AACC solution. The AEP SS app checks statistics data from ABRE to determine which AACC node has an available agent and finds the best node that can service the call. CBA can also use BRE statistics to determine when to launch a callback, based on agent availability.
• Add Companies and Locations fields for Applications: The entity Application now has Company and Location fields, as the product already has for Agent Group. The user can now assign an Application to these two other entities to take advantage of the entities' Global Properties.
• Other enhancements in BRE 3.6:
  o Decision Function and Agent Group cloning to increase BRE efficiency
  o Enhanced ASG (EASG)
  o hardening
  o Customizable security warning banner display
  o Security-related header usage
  o BRE File Integrity Checker support
  o Change BRE stop commands to send SIGTERM first and, if that does not work, send SIGKILL
  o New script to configure an external RDR DB in BRE
  o Configurable tenant switch context on system level
  o Enhanced security on cookies usage
  o Disable HTTP support for Web Admin and Admin API
  o Multi-Tenancy: Change Tenant context is configurable on System Level
  o Dimension Value can leverage Negation and Contains operators


Chapter 2: Working with HTTP/HTTPS

About HTTP/HTTPS settings in ABRE

HTTPS is a protocol used for securing communication between two systems, e.g. BRE and BRE clients. By default, both HTTP and HTTPS are supported for the Decision API, and only HTTPS for Web Admin and the Admin API.

Enabling or Disabling HTTP

About this task
To tighten security, HTTP can be disabled and HTTPS enforced for the Decision API using the following procedure.

Procedure
Run the following CMT command:

sudo su - avayadr -c "cluster-mgr.sh --command http-config --action {action}"

Here, {action} is either enable or disable.

Run the following command to enable HTTP:

sudo su - avayadr -c "cluster-mgr.sh --command http-config --action enable"

Run the following command to disable HTTP:

sudo su - avayadr -c "cluster-mgr.sh --command http-config --action disable"


Chapter 3: Working with TLS settings

Enable/Disable TLS version 1.1

By default, TLS v1.2 and TLS v1.1 are enabled, in that order of preference. To disable TLS v1.1, follow the procedure below.

Procedure
1. Open the file /etc/nginx/conf.d/abre-ssl.conf for editing.
2. Remove "TLSv1.1" from the line “ssl_protocols TLSv1.2 TLSv1.1;”
3. Save the file.
4. Restart NGINX using the following command:

systemctl restart nginx

Enable/Disable TLS for local Config/Audit Log DB

By default, the TLS connection to the local PostgreSQL DB is disabled. The local PostgreSQL DB is used for the Config DB, the Audit Log DB, and the RDR DB if an external RDR DB is not used. To tighten security and enable TLS for the local PostgreSQL DB, follow the procedure below.

Procedure

1. Run the following script:

sudo su -c "/{ABRE installation folder}/bin/configure-tls-certs.sh {option}"

Here, {option} is -enabletls or -disabletls.

o Example to enable TLS:

sudo su -c "/opt/Avaya/abre/bin/configure-tls-certs.sh -enabletls"

o Example to disable TLS:

sudo su -c "/opt/Avaya/abre/bin/configure-tls-certs.sh -disabletls"

Note: Avaya Business Rules Engine Services must be restarted after successful execution of the script to apply the changes.


Enable/Disable TLS for RDR DB

Enable/Disable TLS for PostgreSQL RDR DB

To enable TLS connectivity for an external PostgreSQL RDR DB, follow the procedure below.

Procedure

1. The connection URL CMT node property must be updated to include the additional parameter "?sslmode=require", for example:

server.rdr.db.connection.url=jdbc:postgresql://10.133.92.135:5555/dynamicrouting_rdr_db?sslmode=require

2. A TLS connection requires a certificate and additional settings on the PostgreSQL DB server side:

a. Create (add) the certificate (server.crt and server.key):

cd {PostgreSQL data folder}
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout {certs folder}/server.key -out {certs folder}/server.crt -subj "/C={country}/ST={state}/L={city}/O=Avaya/OU=Avaya Business Rules Engine/CN=$(hostname)"

IMPORTANT: Reduce access rights to read-only for the user executing PostgreSQL (in the example below the user is "dr-postgres"):

chown dr-postgres:dr-postgres {certs folder}/server.key
chmod 600 {certs folder}/server.key

o Enable ssl in postgresql.conf (add the following parameters):

ssl = true
ssl_cert_file = '{certs folder}/server.crt'
ssl_key_file = '{certs folder}/server.key'

b. Allow secure access - add the following line to the pg_hba.conf file:

hostssl dynamicrouting_rdr_db dynamicrouting 135.0.0.1/8 md5

Note: In the example above, all servers in the sub-network 135.X.X.X will be allowed to reach this database. The number '8' in 135.0.0.1/8 indicates that the static (fixed) part of the address is the first octet (so the last 3 octets form a range of machines to be considered and allowed). If only a specific IP address is allowed to reach the database, change 8 to 32 and indicate the IP address to be mapped. Then no ranges would be considered and only the specific address you provided will be allowed to communicate with PostgreSQL. When finding any communication problem with the database, you may also change the permission mode from md5 (the one recommended above) to 'trust'.

c. Restart the PostgreSQL service to apply the changes (in the example below the name of the service is "dr-postgres"), using the following command:

service dr-postgres restart
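The pg_hba.conf record above decides which hosts may reach the RDR database and how they must authenticate, so it is worth checking mechanically after an edit. The following Python script is an added example, not part of this guide or of ABRE: it parses pg_hba.conf records and reports rules that use the 'trust' method (which accepts connections without any authentication), rules of type 'host' rather than 'hostssl' (which also accept plaintext connections), and address ranges wider than an assumed /24 threshold, showing how many addresses a prefix such as 135.0.0.1/8 actually admits. The sample file content and the threshold are constructed for the example.

```python
import ipaddress

# Constructed sample pg_hba.conf for this example. The hostssl /8 record is the one
# from the procedure above; the other records are added to show what gets flagged.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE               USER            ADDRESS         METHOD
local   all                    all                             peer
hostssl dynamicrouting_rdr_db  dynamicrouting  135.0.0.1/8     md5
hostssl dynamicrouting_rdr_db  dynamicrouting  135.1.2.3/32    md5
host    dynamicrouting_rdr_db  dynamicrouting  10.0.0.0/8      trust
"""

# Assumed review threshold: a prefix shorter than /24 is reported as a broad range.
MAX_PREFIX_WIDTH = 24


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples from pg_hba.conf text.

    'local' records have no ADDRESS column, so their address is None.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            ctype, db, user, method = fields[:4]
            address = None
        else:
            ctype, db, user, address, method = fields[:5]
        records.append((ctype, db, user, address, method))
    return records


def audit_pg_hba(text, database):
    """Return (record, finding) pairs for records that can reach `database`."""
    findings = []
    for rec in parse_pg_hba(text):
        ctype, db, user, address, method = rec
        if db not in (database, "all"):
            continue
        if method == "trust":
            findings.append((rec, "trust: connections are accepted without any authentication"))
        if ctype == "host":
            findings.append((rec, "host: plaintext connections are accepted as well as TLS; use hostssl"))
        if address is not None:
            # strict=False accepts 135.0.0.1/8 (host bits set) exactly as the guide writes it;
            # the network it denotes is 135.0.0.0/8.
            net = ipaddress.ip_network(address, strict=False)
            if net.prefixlen < MAX_PREFIX_WIDTH:
                findings.append((rec, f"broad range: {net.with_prefixlen} admits {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for rec, finding in audit_pg_hba(SAMPLE_PG_HBA, "dynamicrouting_rdr_db"):
        print(" ".join(f or "" for f in rec), "->", finding)
```

Run against the real file with `audit_pg_hba(open("/path/to/pg_hba.conf").read(), "dynamicrouting_rdr_db")`; an empty result means every record reaching the RDR database uses hostssl, a password method, and a narrow address range.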

Enable/Disable TLS for MySQL RDR DB

To enable TLS connectivity for an external MySQL RDR DB, follow the procedure below.

Procedure
The connection URL CMT node property must be updated to include the additional parameters "&allowPublicKeyRetrieval=true&useSSL=true&verifyServerCertificate=false", for example:

server.rdr.db.connection.url=jdbc:mysql://10.133.92.132:3306/rdr?useTimezone=true&serverTimezone=UTC&useLegacyDatetimeCode=false&allowPublicKeyRetrieval=true&useSSL=true&verifyServerCertificate=false

Enable/Disable TLS for Oracle RDR DB

To enable TLS connectivity for an external Oracle RDR DB, follow the procedure below.

Procedure

1. The connection URL CMT node property must be replaced with one that specifies the TCPS protocol; note that the port also changes accordingly, for example:

server.rdr.db.connection.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.135.10.31)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=XE)))

Import the certificate used by the Oracle DB into the local truststore (an example of rootcertificate.crt creation is available at step #3):

o Copy rootcertificate.crt from the Oracle DB server to the ABRE node and run the following script:

sudo su -c "/{ABRE installation folder}/bin/configure-tls-certs.sh -import /full/path/to/rootcertificate.crt"

Note: Avaya Business Rules Engine Services must be restarted after successful execution of the script to apply the changes.


2. A TLS connection requires a certificate and additional settings on the Oracle DB server side, for example:

a. Create the certificate store (it's called a wallet):

mkdir /certs
cd /opt/oracle/product/18c/dbhomeXE/bin
./orapki wallet create -wallet /certs/root -pwd welcome123 -nologo
./orapki wallet remove -trusted_cert_all -wallet /certs/root -pwd welcome123 -nologo
./orapki wallet add -wallet /certs/root -dn CN=ABRE,\ O=Avaya,\ C=US -keysize 2048 -self_signed -validity 7300 -pwd welcome123 -sign_alg sha256 -nologo
./orapki wallet export -wallet /certs/root -dn CN=ABRE,\ O=Avaya,\ C=US -cert /certs/root/rootcertificate.crt -pwd welcome123 -nologo
./orapki wallet create -wallet /certs/root -auto_login

IMPORTANT: Reduce access rights of the certificate store to read-only for the user executing Oracle DB only (in the example below the user is "oracle"):

chown oracle:oinstall /certs
chown oracle:oinstall /certs/root
chown oracle:oinstall /certs/root/cwallet.sso /certs/root/ewallet.p12
chmod 600 /certs/root/cwallet.sso /certs/root/ewallet.p12

b. Enable the TCPS listener and add the following parameters to [dbhomeXE]/network/admin/listener.ora:

(ADDRESS=(PROTOCOL=tcps)(HOST=lushrb031.gl.avaya.com)(PORT=2484))(Security=(my_wallet_directory=/certs/root)))
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=my_wallet_directory=/certs/root)))
SSL_CLIENT_AUTHENTICATION=FALSE

Note: The TCPS protocol listens on a different port, not the same one as TCP. In the example above the port for TCPS is 2484.

c. Add the following parameters to [dbhomeXE]/network/admin/sqlnet.ora:

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/certs/root)))
SQLNET.ENCRYPTION_SERVER=accepted

d. Restart the Oracle DB service to apply the changes (in the example below the name of the service is "oracle-xe-18c"):

systemctl restart oracle-xe-18c
lsnrctl status

Optional settings (Automating shutdown and startup)
Oracle recommends that you configure the system to automatically start Oracle Database when the system starts, and to automatically shut it down when the system shuts down. Automating database shutdown guards against incorrect database shutdown. To automate the startup and shutdown of the listener and database, execute the following commands as root:

systemctl daemon-reload
systemctl enable oracle-xe-18c
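The four RDR DB connection URL formats in this chapter turn TLS on in different ways, and the parameters they add are not equivalent: verifyServerCertificate=false (MySQL) and trustServerCertificate=true (Microsoft SQL Server, in the following section) switch off server certificate validation, so the link is encrypted but the client does not check which server it is talking to, and sslmode=require (PostgreSQL) behaves the same way unless raised to verify-ca or verify-full. The following Python script is an added example, not part of this guide or of ABRE: it classifies the PostgreSQL, MySQL, Oracle (TCPS) and Microsoft SQL Server URLs shown in this chapter by whether they encrypt and whether they verify the server. The sample URLs are the guide's own examples; the Oracle verdict assumes the root certificate was imported into the local truststore as the procedure above describes.

```python
from urllib.parse import parse_qs, urlsplit

# The RDR DB connection URLs shown in this chapter, collected here as sample input.
EXAMPLE_URLS = {
    "postgresql": "jdbc:postgresql://10.133.92.135:5555/dynamicrouting_rdr_db?sslmode=require",
    "mysql": ("jdbc:mysql://10.133.92.132:3306/rdr?useTimezone=true&serverTimezone=UTC"
              "&useLegacyDatetimeCode=false&allowPublicKeyRetrieval=true&useSSL=true"
              "&verifyServerCertificate=false"),
    "oracle": ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.135.10.31)"
               "(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=XE)))"),
    "sqlserver": ("jdbc:sqlserver://10.133.92.142:1433;DatabaseName=rdr;encrypt=true;"
                  "trustServerCertificate=true;authenticationScheme=NativeAuthentication;"),
}


def _query(url):
    """Lower-cased key -> value map of the '?' query part of a URL-style JDBC string."""
    q = parse_qs(urlsplit(url[len("jdbc:"):]).query)
    return {k.lower(): v[0] for k, v in q.items()}


def _semicolon_params(url):
    """Lower-cased key -> value map of the ';key=value' properties of a SQL Server JDBC URL."""
    props = {}
    for part in url.split(";")[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            props[k.strip().lower()] = v.strip()
    return props


def assess_rdr_url(url):
    """Return (driver, encrypted, server_verified) for one RDR DB connection URL.

    encrypted: the driver negotiates TLS. server_verified: it also validates the server
    certificate, so the client cannot silently be redirected to another host.
    """
    if url.startswith("jdbc:postgresql://"):
        mode = _query(url).get("sslmode", "")
        # 'require' encrypts but does not check the certificate; verify-ca/verify-full do.
        # No sslmode (or prefer/allow) is treated as not guaranteed encrypted.
        return ("postgresql", mode in ("require", "verify-ca", "verify-full"),
                mode in ("verify-ca", "verify-full"))
    if url.startswith("jdbc:mysql://"):
        q = _query(url)
        enc = q.get("usessl") == "true"
        # verifyServerCertificate is treated as false when absent.
        return ("mysql", enc, enc and q.get("verifyservercertificate") == "true")
    if url.startswith("jdbc:sqlserver://"):
        p = _semicolon_params(url)
        enc = p.get("encrypt") == "true"
        # trustServerCertificate=true disables certificate validation.
        return ("sqlserver", enc, enc and p.get("trustservercertificate", "false") != "true")
    if url.startswith("jdbc:oracle:thin:@"):
        # TCPS encrypts; the chain is checked against the truststore that the guide's
        # configure-tls-certs.sh -import step populates. DN/hostname matching is a separate
        # driver property not visible in the URL, so it is not assessed here.
        tcps = "(protocol=tcps)" in url.lower().replace(" ", "")
        return ("oracle", tcps, tcps)
    raise ValueError("unsupported JDBC URL: " + url)


def audit_rdr_urls(urls):
    """Map each name to a one-line verdict suitable for a review checklist."""
    verdicts = {}
    for name, url in urls.items():
        _, encrypted, verified = assess_rdr_url(url)
        if not encrypted:
            verdicts[name] = "plaintext"
        elif not verified:
            verdicts[name] = "encrypted, server certificate not verified"
        else:
            verdicts[name] = "encrypted and verified"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_rdr_urls(EXAMPLE_URLS).items():
        print(f"{name:10s} {verdict}")
```

Feed the script the value of server.rdr.db.connection.url from the CMT node properties; a verdict of "encrypted, server certificate not verified" is what the MySQL and SQL Server examples in this chapter produce, and is the case to revisit once a CA-signed or pinned server certificate is available.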

Enable/Disable TLS for Microsoft SQL Server RDR DB

To enable TLS connectivity for an external Microsoft SQL Server RDR DB, follow the procedure below.

Procedure
The connection URL CMT node property must be updated to include the additional parameters "encrypt=true;trustServerCertificate=true;authenticationScheme=NativeAuthentication;", for example:

server.rdr.db.connection.url=jdbc:sqlserver://10.133.92.142:1433;DatabaseName=rdr;encrypt=true;trustServerCertificate=true;authenticationScheme=NativeAuthentication;

Enable/Disable TLS for CMS Connector

By default, TLS connection to CMS Connector is disabled. To tighten security and enable TLS connectivity for CMS Connector using stunnel, follow the procedure below. Procedure Configure actual CMS to enable its own stunnel. a. For more information about stunnel configuration, see CMS Security Guide (Installation and Configuration Instructions to Implement a Secure Socket (TLS/Certificate-Based) Connection for CMS Real-Time Connector Interfaces) available at https://support.avaya.com b. Provide the following information to CMS side: i. Port for secure connection: 7201

November 2020 Avaya Business Rules Engine Security Guide 16

ii. Provide CA certificate if needed. CA part of the certificate used by stunnel is located here: ${AVAYA_HOME}/cms- connector/config/security/stunnel/ssl/dr.crt On CMS Connector side: a. The stunnel.enabled property must be set to true in ${AVAYA_HOME}/cms- connector/config/application/metrics_connector_communicatio n.properties Note: CMS Connector needs to be restarted for the changes to take effect. b. Firewall rules need to be configured using provided script (configureFirewalld.sh) which can be found in the installation ISO file under /Tools i. To enable the Firewalld service and open port 7201 for incoming secured feed from stunnel used on actual CMS side, run the following script: sudo su -c "/{mounted ISO folder}/Tools/configureFirewalld.sh"

[root@dc1nd1~]# /mnt/Tools/configureFirewalld.sh

1) Settings for generic node of the cluster
2) Settings for standalone CMS Connector
3) Clear current firewalld settings
4) Exit
Please, select the option:

Select the correct option depending on where CMS Connector is installed:

▪ In case CMS Connector is installed on one of the ABRE nodes, select option "1"
▪ In case CMS Connector is installed on a standalone machine, select option "2"

Answer "y" to the following request during script execution:

-- Leave the 7201 port open to receive secure CMS Feed (Agent Group Metrics) in this server? (y/n): y

      ii. The required routing changes (to rewrite the secure feed address so that it appears as if a wrapped CMS is connecting from the CMS client machine instead of the local machine running stunnel) will be applied automatically.

Note: For more information about firewall configuration, see Appendix-A: Configuring Internal Firewall later in this guide.


To disable TLS connectivity for CMS Connector:
1. Disable stunnel on the CMS side.
2. On the CMS Connector side, revert the "stunnel.enabled" property value to "false" in ${AVAYA_HOME}/cms-connector/config/application/metrics_connector_communication.properties.
3. Reconfigure the firewall to allow the plain-text port 7200 instead of the secure port 7201 used by stunnel.

Note: CMS Connector needs to be restarted for the changes to take effect.

Enable/Disable TLS for Kafka

To enable SSL for Kafka on ABRE servers, run the following command on each node of the cluster:

su - avayadr -c "cluster-mgr.sh --command update-cluster-configuration --set kafka-ssl-enabled --value true"

Note: Avaya Business Rules Engine Services must be restarted.

To enable SSL for Kafka producers on Metrics Connectors (e.g. CMS Connector, AACC Connector), follow the procedure below:
a. In the '/config/application/metrics_connector_communication.properties' file, change the following parameters:
   kafka.cluster.dataCenters - change the TCP port for all hosts to the secure port 9043; the port number has to match the value of 'datacenter.kafka.local.ssl.port' in the '/config/cluster.properties' file on the BRE nodes
   kafka.ssl.enabled - set to true
b. Restart the connector.


Chapter 4: Working with SSL Certificates

The administrator should set up the system to use HTTPS and must replace the default self-signed certificate, on every node in the cluster, with a new certificate issued by a trusted certificate authority (e.g. Avaya SMGR, Verisign, etc.). This must be done prior to placing the solution in production. It is also the administrator's responsibility to update the certificate before it expires.

Changing SSL Certificates for Web Access (NGINX)

Procedure

1. Put the new certificate and private key file(s) in a directory of your preference.
2. Open the file /etc/nginx/conf.d/abre-ssl.conf for editing.
3. Change the property ssl_certificate to point to the full path of the file that contains the new SSL certificate (e.g.: /etc/nginx/ssl/new-abre-cert.crt ).
4. Change the property ssl_certificate_key to point to the full path of the file that contains the new SSL private key (e.g.: /etc/nginx/ssl/new-abre-key.key ).
5. Change the property ssl_ciphers to add the ciphers present in the certificate, e.g.: ("EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256-GCM-SHA384"). To check the ciphers in the certificate, run the command:
   echo -n | openssl s_client -connect <hostname>:443
6. Save the file.
7. Restart NGINX ( systemctl restart nginx ).

IMPORTANT
• It is not mandatory to keep certificates and private keys in separate files.
• Usually, the certificates and keys used by NGINX in Avaya Business Rules Engine are saved under the directory /etc/nginx/ssl. It is recommended, although not mandatory, that you save your new files in this directory.
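An added helper for the NGINX procedure above (example code written for this guide, not Avaya's): it checks that the new certificate and private key belong together and that the certificate is not close to expiry, then rewrites the ssl_certificate and ssl_certificate_key properties of abre-ssl.conf (steps 3 and 4) and restarts NGINX only after nginx -t passes. It assumes openssl and nginx are on the PATH and the config path named in the procedure.

```shell
#!/usr/bin/env bash
# Added example, not part of the Avaya guide. Validates a certificate/key
# pair before pointing /etc/nginx/conf.d/abre-ssl.conf at it.
set -eu

# Return 0 when key and certificate carry the same public key and the
# certificate stays valid for at least $3 days (default 30).
verify_pair() {
  local cert="$1" key="$2" warn_days="${3:-30}"
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "ERROR: $key does not match $cert" >&2
    return 1
  fi
  # -checkend fails when the certificate expires within the given seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)); then
    echo "ERROR: $cert expires within $warn_days days" >&2
    return 1
  fi
}

# Rewrite only the ssl_certificate and ssl_certificate_key directives of
# an NGINX config file; every other line is preserved. Works on a temp
# copy so a failed sed never leaves a half-written config behind.
update_ssl_conf() {
  local conf="$1" cert="$2" key="$3" tmp
  tmp=$(mktemp)
  sed \
    -e "s|^\([[:space:]]*ssl_certificate[[:space:]][[:space:]]*\)[^;]*;|\1${cert};|" \
    -e "s|^\([[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\)[^;]*;|\1${key};|" \
    "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the path currently configured for a directive (for verification).
ssl_conf_value() {
  local conf="$1" directive="$2"
  sed -n "s|^[[:space:]]*${directive}[[:space:]][[:space:]]*\([^;]*\);.*|\1|p" "$conf"
}

# The full rotation: validate, back up the config, rewrite, syntax-check,
# and only then restart NGINX as the guide's step 7 does.
rotate_nginx_cert() {
  local cert="$1" key="$2" conf="${3:-/etc/nginx/conf.d/abre-ssl.conf}"
  verify_pair "$cert" "$key"
  cp "$conf" "$conf.bak.$(date +%F_%H%M%S)"
  update_ssl_conf "$conf" "$cert" "$key"
  nginx -t
  systemctl restart nginx
}
```

Run as rotate_nginx_cert /etc/nginx/ssl/new-abre-cert.crt /etc/nginx/ssl/new-abre-key.key on each node; the backup copy of abre-ssl.conf lets you revert if nginx -t rejects the new files.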

Changing SSL Certificates for local Config/Audit Log DB

Procedure

1. Put the new certificate and private key files in the directory [AVAYA_HOME]/abre/config/security/
2. Apply the same access and ownership rights to the certificate files as the default certificate has, which was created in the section Enable/disable TLS for local Config/Audit Log DB above ( [AVAYA_HOME]/abre/config/security/server.key ): read-only, and only for the user dr-postgres.
3. Open the file [AVAYA_HOME]/abre/data/pgsql/postgresql.conf for editing.
4. Change the property ssl_cert_file to point to the full path of the file that contains the new SSL certificate (e.g.: ssl_cert_file = '/opt/Avaya/abre/config/security/new_server.crt' ).
5. Change the property ssl_key_file to point to the full path of the file that contains the new SSL private key (e.g.: ssl_key_file = '/opt/Avaya/abre/config/security/new_server.key' ).
6. Save the file.
7. Restart PostgreSQL ( systemctl restart dr-postgres ).

SSL Certificates for CMS Connector

If you want to change the SSL certificate and CA files for the CMS Connector, follow the procedure below.

Procedure

1. Put the new certificate and CA file(s) in a directory of your preference.
2. Open the file [AVAYA_HOME]/cms-connector/config/security/stunnel/stunnel_cmsc.conf for editing.
3. Change the properties cert and CAfile to point to the full path of the file(s) that contain the new SSL certificate and CA certificate (e.g.: [AVAYA_HOME]/cms-connector/config/security/stunnel/ssl/stunnel.pem ).
4. Save the file.
5. Restart the CMS Connector.

Important notes:
• Usually, the certificates and keys used by CMS Connector in Avaya Business Rules Engine are saved under the directory [AVAYA_HOME]/cms-connector/config/security/stunnel/ssl. It is recommended, although not mandatory, that you save your new files in this directory.
• If needed, provide the new CA certificate file to stunnel on the CMS side (it is used when the CMS's stunnel client is configured to verify the certificate used by stunnel on the CMS Connector side).


Chapter 5: Other security settings

IPTables

To secure the communication between the nodes that are part of the Avaya Business Rules Engine cluster, as well as the communication with the external environment, BRE provides a script to configure the internal Linux firewall. This script enables the Firewalld service and configures specific rules for it. For more information about this configuration, see Avaya Business Rules Engine Security Guide, Appendix-A, available at http://support.avaya.com.

Port Matrix

The list of ports used by BRE can be found in the Port Matrix in the Avaya Business Rules Engine Planning Guide available at http://support.avaya.com. The Port Matrix can be used to identify the ports which should be configured on external firewalls.

Data Privacy - GDPR

Avaya Business Rules Engine (BRE) does not interface directly with end-user data subjects. BRE does not define nor require any personal data. Depending upon use cases, BRE may receive the calling phone number (ANI) as primary data and any other data as secondary data.

When requests are sent to the product, they are sent via the Decision Request REST interface and include a JSON object. The requests are sent by an application in the customer's environment to BRE. This application can include whatever information it chooses in the JSON object. Personal data should not be included in this JSON object; including personal data in this JSON object is considered a mis-configuration (in which case the storage locations below apply and need to be managed).

The following BRE components may record the calling phone number and should be treated as follows:
• Log files - the phone number is not recorded in any BRE log files. In Decision Functions / Strategy Scripts, it is possible to add new logs; ensure that any new logs do NOT reveal the ANI.
• Elasticsearch - contains the called phone number; however, Elasticsearch records are deleted every 38 hours.
• RDR (routing decision record) DB - contains a log of the decision request BRE received (including the called phone number - ANI) and the decision BRE made. The RDR database is typically an external database provisioned by the customer. A sample database script remove_phone_in_rdr.sh is provided to obfuscate the ANI in RDR records matching a specified phone number. The customer's database administrator should use this script to update the RDR records should someone request to have their personal information removed. The script will blank the ANI (located in the from field) in the RDR record. Aside from ANI, no other personal information should pass through BRE; therefore, the database export function is not applicable. Data stored in the RDR DB needs to comply with the retention period of the data controller. This is the responsibility of the customer's RDR database administrator. Data stored in the RDR DB needs to comply with the restore operation, and delete operations may need to be re-performed after a restore. This is the responsibility of the customer's RDR database administrator.
  o To obfuscate a particular ANI in the RDR database, simply specify it as a parameter during script execution, e.g. ./remove_phone_in_rdr.sh 1234567890. You can specify "any" as a parameter to obfuscate all phone numbers currently present in the RDR DB, e.g. ./remove_phone_in_rdr.sh any

Communication with BRE can be secured (using TLS and/or HTTPS). By default, both HTTP and HTTPS are enabled to facilitate upgrades. HTTPS is a protocol used for securing communication between two systems, e.g. BRE and BRE clients. In order to tighten security, HTTP can be disabled and HTTPS enforced, following the procedure documented in a section above. The HTTPS transport protocol can use "in transit" controls through TLS negotiation. The TLS version can be configured following the procedure documented in a section above. The SSL certificate and key can be changed following the procedure documented in a section above.

For the RDR records to be sent to the customer's RDR database, BRE configuration defines the JDBC Connection URL, Hibernate Dialect, and DB vendor specific JDBC Driver Class.
The procedure for configuring BRE to communicate with the RDR database can be found in the Avaya Business Rules Engine Integration Guide available at http://support.avaya.com. Further details for securing the communication are documented in a section above. In-transit ANI data uses end-to-end TLS encryption; at-rest ANI data encryption in the RDR DB is the responsibility of the customer's RDR database administrator. The list of ports used by BRE can be found in the Port Matrix discussed in the section above. The Port Matrix can be used to identify the ports which should be configured on external firewalls. RBACs are implemented at the BRE OS level and RDR DB level.

Enable/Disable Enhanced Access Security Gateway (EASG)

BRE is installed with EASG disabled. Through administrative action, the customer must enable the use of the Avaya Services Logins and EASG on their products if they want to provide remote access to them.

• To enable EASG, run the following command:
  /opt/Avaya/bin/easg/EASGManage.sh --enableEASG


• To disable EASG, run the following command:
  /opt/Avaya/bin/easg/EASGManage.sh --disableEASG
• To check the status of EASG in the system, run the following command:
  EASGStatus

If a highly security-conscious customer wants to remove EASG completely, the EASG RPM and library functions, and all EASG users, must be removed. If EASG is removed, the only way to re-establish EASG functionality will be via an upgrade, patch or fresh install. To remove EASG completely, run the following command:
  /opt/Avaya/bin/easg/uninstall.sh

FIPS Enable/Disable

For FIPS compliance, the script setupfips.sh is available (after ABRE is installed) to enable/disable FIPS functionality.
• To enable FIPS support in an ABRE deployment, run the following command on every node and in all clusters:
  /{ABRE installation folder}/abre/bin/fips-support/setupfips.sh -e
  e.g. /opt/Avaya/abre/bin/fips-support/setupfips.sh -e
• To disable FIPS support in an ABRE deployment, run the following command on every node and in all clusters:
  /{ABRE installation folder}/abre/bin/fips-support/setupfips.sh -d
  e.g. /opt/Avaya/abre/bin/fips-support/setupfips.sh -d
• To check FIPS status on a node, run this command:
  /{ABRE installation folder}/abre/bin/fips-support/setupfips.sh -s
  e.g. /opt/Avaya/abre/bin/fips-support/setupfips.sh -s

IMPORTANT
• Ensure that the Haveged service is enabled before enabling FIPS on the server. For detailed instructions, see Installing Haveged - Entropy Daemon. If ABRE is installed via the ABRE 3.6 OVA deployment, then the Haveged RPM also gets installed, and you just need to start and enable the Haveged service.
• The system must be rebooted after the enable/disable FIPS command is executed.

AIDE Integration

The integrity of ABRE files can be monitored by a file integrity checker such as AIDE (Advanced Intrusion Detection Environment). The following settings are recommended for AIDE. Escalating the rules to monitor more properties can lead to unnecessary information in the AIDE report, while decreasing the monitored area can let a potential intruder's attack go unnoticed. Make additional changes to the AIDE rules configuration at your own risk. Depending on the setup, you may want to configure AIDE to monitor both BRE and a Connector (AACC/CMS) together, or do it separately.

Procedure

In order to add the ABRE directories under AIDE monitoring, add the following lines to the AIDE configuration file (/etc/aide.conf by default):

Note: All examples use CMS-Connector as the example. If you are using AACC Connector, just change the path for CONNECTORHOME accordingly to point to AACC-Connector instead of CMS; the rules remain the same.

For ABRE + Connector:
a. Define the home folders at the very beginning of the configuration file:
   Note: Change the file paths accordingly if the installation folder is not the default.
   @@define ABREHOME /opt/Avaya
   @@define CONNECTORHOME /opt/Avaya/cms-connector
b. Add the following rules to the rule section:
   @@{ABREHOME}/abre/ DATAONLY
   !@@{ABREHOME}/abre/config/auto-generated
   !@@{ABREHOME}/abre/config/zookeeper.properties
   !@@{ABREHOME}/abre/config/kafka-local.properties
   !@@{ABREHOME}/abre/config/kafka-consolidated.properties
   !@@{ABREHOME}/abre/backup
   !@@{ABREHOME}/abre/data
   !@@{ABREHOME}/abre/logs
   @@{ABREHOME}/third-party/gigaspaces R
   !@@{ABREHOME}/third-party/gigaspaces/.*/deploy
   !@@{ABREHOME}/third-party/gigaspaces/.*/work
   @@{CONNECTORHOME} DATAONLY
   !@@{CONNECTORHOME}/logs

For ABRE Standalone (no connectors installed on the same server):
a. Define the home folders at the very beginning of the configuration file.
   Note: Change the file paths accordingly if the installation folder is not the default.
   @@define ABREHOME /opt/Avaya
b. Add the following rules to the rule section:
   @@{ABREHOME}/abre/ DATAONLY
   !@@{ABREHOME}/abre/config/auto-generated
   !@@{ABREHOME}/abre/config/zookeeper.properties
   !@@{ABREHOME}/abre/config/kafka-local.properties
   !@@{ABREHOME}/abre/config/kafka-consolidated.properties
   !@@{ABREHOME}/abre/backup
   !@@{ABREHOME}/abre/data
   !@@{ABREHOME}/abre/logs
   @@{ABREHOME}/third-party/gigaspaces R
   !@@{ABREHOME}/third-party/gigaspaces/.*/deploy
   !@@{ABREHOME}/third-party/gigaspaces/.*/work

For Connector (AACC/CMS) Standalone:
a. Define the home folders at the very beginning of the configuration file (change the file paths accordingly if the installation folder is not the default):
   @@define CONNECTORHOME /opt/Avaya/cms-connector
   @@define ABREHOME /opt/Avaya
b. Add the following rules to the rule section:
   @@{CONNECTORHOME} DATAONLY
   @@{ABREHOME}/abre/ DATAONLY
   !@@{CONNECTORHOME}/logs
   !@@{ABREHOME}/abre/logs
   !@@{ABREHOME}/abre/data

Updating AIDE database

Procedure

1. To Initialize new AIDE database, run the following command:

aide --init


2. To update AIDE DB, run the following command

aide --update

3. To start using the database, remove the .new substring from the initial database file name:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Monitoring

You must perform the integrity checks by running the following command:

aide --check

Note:
• Configure AIDE to run from cron, or run it manually, to monitor the integrity of the system files.
• Update the database accordingly when upgrading to new releases / after installing Service Packs.
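An added cron-friendly wrapper for the check above and for the database refresh described under Updating AIDE database (example code written for this guide, not Avaya's). It turns AIDE's documented exit status (a bit mask: 1 new files, 2 removed files, 4 changed files; 14 and above are AIDE errors) into a one-line syslog summary so a SIEM can alert on it, and assumes the default /var/lib/aide database paths used in the procedure.

```shell
#!/usr/bin/env bash
# Added example, not part of the Avaya guide. Wraps "aide --check" and the
# database refresh steps so they can run unattended.
set -u

# Translate an AIDE exit status into a short description. AIDE documents
# 0 = no changes, 1/2/4 = new/removed/changed files (summed when combined),
# 14+ = AIDE itself failed (bad config, I/O error, ...).
aide_status_msg() {
  local rc="$1" parts=""
  if [ "$rc" -eq 0 ]; then
    echo "no changes"
    return 0
  fi
  if [ "$rc" -ge 14 ]; then
    echo "aide error (exit $rc)"
    return 0
  fi
  [ $((rc & 1)) -ne 0 ] && parts="${parts}new files, "
  [ $((rc & 2)) -ne 0 ] && parts="${parts}removed files, "
  [ $((rc & 4)) -ne 0 ] && parts="${parts}changed files, "
  echo "${parts%, }"
}

# Run the integrity check, keep the full report on disk, and log a summary
# to syslog. Returns 0 only when the tree is unchanged; 2 when AIDE failed
# (a failed check is not a clean check and must not be read as one).
run_aide_check() {
  local report="${1:-/var/log/aide/check-$(date +%F).log}" rc msg
  mkdir -p "$(dirname "$report")"
  aide --check > "$report" 2>&1
  rc=$?
  msg=$(aide_status_msg "$rc")
  logger -t abre-aide "integrity check: $msg (report: $report)"
  if [ "$rc" -ge 14 ]; then
    return 2
  fi
  [ "$rc" -eq 0 ]
}

# After a planned change (release upgrade, Service Pack): rebuild the
# baseline, keeping the previous database so an unexpected change found
# later can still be compared against the pre-upgrade state.
refresh_aide_db() {
  local db=/var/lib/aide/aide.db.gz rc
  aide --update > /dev/null 2>&1
  rc=$?
  [ "$rc" -lt 14 ] || return 2          # findings are fine here, errors are not
  [ -f "$db" ] && cp "$db" "$db.bak.$(date +%F_%H%M%S)"
  mv /var/lib/aide/aide.db.new.gz "$db"
}
```

A cron entry calling run_aide_check gets mail only on findings or errors, because cron treats the non-zero exit as a failure worth reporting.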

Cross-Origin Resource Sharing (CORS)

If required, the product can add the HTTP headers to enable CORS.

Procedure to add the headers to the decisions API:
1. Open the file /etc/nginx/conf.d/dr-services.conf.
2. Inside the location abre-decision-api, add the following lines:
   add_header 'Access-Control-Allow-Origin' '*' always;
   add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
   add_header 'Access-Control-Allow-Headers' '*' always;
   add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
   if ($request_method = OPTIONS ) {
       return 200;
   }
3. Save the file.
4. To load the new headers, execute the command: systemctl reload nginx

The location abre-decision-api will look like this after the changes:

location ~ ^/abre-decision-api(/.*)?$ {
    proxy_pass http://dr_routing_rest_pu_jetty;
    proxy_redirect http://dr_routing_rest_pu_jetty/ /;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' '*' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
    if ($request_method = OPTIONS ) {
        return 200;
    }
}

Notes:
• This procedure should be executed on all Management and Core nodes of the cluster.
• The CMS Connector servers do not require this procedure.

Installing Haveged - Entropy Daemon

To ensure randomness from the random number generator in Linux and avoid issues with cryptographic systems, install the Haveged daemon on each node as shown in the following procedure:

Procedure
1. Mount the ABRE ISO file.
2. Navigate to the ISO mount point and install Haveged by running the following command:
   yum localinstall ./RPMS/haveged-1.9.13-1.el7.x86_64.rpm
3. Run the following command to start Haveged:
   systemctl start haveged
4. Run the following command to enable the Haveged service to start during OS startup:
   systemctl enable haveged


Chapter 6: Resources

Related resources

The following table lists the documents related to Avaya Desktop Wallboard. Download the documents from the Avaya Support website at http://support.avaya.com.

Title: Administering Avaya Business Rules Engine
Use this resource to: Administer the BRE Web admin application.
Audience: IT personnel and personnel in different Lines of Business

Title: Installing Avaya Business Rules Engine
Use this resource to: Install, configure, and verify the Avaya Business Rules Engine environment at a customer site.
Audience: Implementation engineers, Field technicians, Business partners, Solution providers, and Customers

Title: Installing and configuring Avaya Business Rules Engine Import Export tool
Use this resource to: Install, configure, and verify the Avaya Business Rules Engine Import Export Tool at a customer site.
Audience: Implementation engineers, Field technicians, Business partners, Solution providers, and Customers

Title: Avaya Business Rules Engine Planning Guide
Use this resource to: Gain a high-level understanding of the product features, functions, capacities, and limitations within the context of solutions and verified reference configurations
Audience: Implementation engineers, Field technicians, Business partners, Solution providers, and Customers

Title: Avaya Business Rules Engine Cluster Management Guide
Use this resource to: Understand the deployment models of Avaya Business Rules Engine (BRE).
Audience: Implementation engineers, Field technicians, Business partners, Solution providers, and Customers

Title: Avaya Business Rules Engine Security Guide
Use this resource to: Set up security related features in Avaya Business Rules Engine.
Audience: Implementation engineers, Field technicians, Business partners, Solution providers, and Customers

Title: Avaya Business Rules Engine Integration Guide
Use this resource to: Understand AACC and CMS connector setup and connectivity, Admin API and Decision REST Interface, Alarms, and other integration settings
Audience: Implementation engineers, Field technicians, Business partners, Solution providers, and Customers

Title: Avaya Business Rules Engine Maintenance Guide
Use this resource to: Maintain and monitor Avaya Business Rules Engine in production.
Audience: Implementation engineers, Field technicians

Title: Avaya Business Rules Engine Scripting Guide
Use this resource to: Write/update scripts for Avaya Business Rules Engine elements.
Audience: Implementation engineers, Field technicians

Support

Go to the Avaya Support website at http://support.avaya.com for the most up-to-date documentation, product notices, and knowledge articles. You can also search for release notes, downloads, and resolutions to issues. Use the online service request system to create a service request. Chat with live agents to get answers to questions or request an agent to connect you to a support team if an issue requires additional expertise.


Appendix – A: Configuring Internal Firewall

To secure the nodes (servers) using the internal Linux firewall (Firewalld), Avaya Business Rules Engine provides a script to configure the communication between the nodes that are part of the Avaya Business Rules Engine cluster and also the communication with the external environment. The user should run this script manually on EACH Avaya Business Rules Engine node of the cluster.

The firewall configuration script (configureFirewalld.sh) can be found in the installation ISO file under /Tools and:
• Performs a backup of the current Firewalld configuration
• Prompts the user for input to guide the configuration, such as:
  o The entire list of IP Addresses for the Avaya Business Rules Engine Cluster, including Core Services, Management Services, Messaging Services, Aggregation Services, Reporting Services
  o The entire list of IP Addresses for standalone CMS/AACC Connectors
  o Whether to keep port 80 open to the external environment.
    ▪ Port 443 is the default port provided for Administration, APIs and Routing Requests, but the user can also use port 80 if required (only Routing Requests).
  o Whether the server where the script is being executed will receive secure data from the CMS
  o If the answer is yes, the script opens port 7201 to receive data from the external environment
  o If the answer is no, the script will prompt whether the server where the script is being executed will receive plain text data from the CMS.
    ▪ If the answer is yes, the script opens port 7200 to receive data from the external environment.
    ▪ If the CMS will send the feed via a different port, the firewall should be manually configured to open the desired port.
  o Whether the server where the script is being executed will receive data from the AACC.
    ▪ If the answer is yes, the script permits multicast packets to receive data from the external environment.


• Confirms the user input and configures the Firewalld based on this input.

IMPORTANT
• This script flushes the current Firewalld configuration. After script execution, only the Avaya Business Rules Engine input will remain on the node.
• The list of HTTP enablement ports and IP Addresses should be the same on all the Avaya Business Rules Engine nodes (excluding standalone connector servers). The only variation may be regarding the CMS/AACC feed, where the user should enable this option only on the servers that will receive data from a CMS/AACC.
  o The second option of the script must be used when CMS Connector is installed on a standalone server.
  o When AACC Connector is installed on a standalone server, it does not require firewall configuration.
• Whenever port 80 is closed to the external environment, the Decision API will no longer be accessible via HTTP. The user must use HTTPS instead.

Script Execution - Example

This example configures the Avaya Business Rules Engine Cluster deployed as 3 Nodes in 2 Data Centers with 1 CMS Connector and 1 AACC Connector per Data Center, disabling the HTTP port:
• Data Center 1
  o Nodes
    ▪ 192.168.0.2
    ▪ 192.168.0.3
    ▪ 192.168.0.4 ( with AACC Connector )
  o CMS Connector
    ▪ 192.168.0.5
• Data Center 2
  o Nodes
    ▪ 192.168.1.2
    ▪ 192.168.1.3
    ▪ 192.168.1.4
  o CMS Connector
    ▪ 192.168.1.5
  o AACC Connector
    ▪ 192.168.1.6

Executing in the Avaya Business Rules Engine Nodes (192.168.0.2, 192.168.0.3, 192.168.1.2, 192.168.1.3, 192.168.1.4)

[root@dc1nd1 ~]# /mnt/Tools/configureFirewalld.sh
1) Settings for generic node of the cluster
2) Settings for standalone CMS Connector
3) Clear current firewalld settings
4) Exit
Please, select the option: 1
This option will clean the current firewalld configuration and add the Avaya Business Rules Engine firewalld required configuration
Confirm the input? (y/n)?y
- Performing backup of the current Firewalld configuration.
Backup file: /etc/firewalld/zones/public.xml.backup_2020-10-16_18:06:32
Backup file: /etc/firewalld/zones/trusted.xml.backup_2020-10-16_18:06:32
Backup file: /etc/firewalld/zones/connectors.xml.backup_2020-10-16_18:06:32
Settings for generic node of the cluster
-- Enter the IPs of all nodes, including the ones in remote DC (comma separated): 192.168.0.2,192.168.0.3,192.168.0.4,192.168.1.2,192.168.1.3,192.168.1.4
-- Enter the IPs of all standalone CMS/AACC Connectors (comma separated): 192.168.0.5,192.168.1.5,192.168.1.6
-- Leave http port 80 open (non secure)? (y/n): n
-- Leave the 7201 port open to receive secure CMS Feed (Agent Group Metrics) in this server? (y/n): n
-- Leave the 7200 port open to receive CMS Feed (Agent Group Metrics) in this server? (y/n): n
-- Leave multicast packets enabled to receive AACC Feed (Agent Group Metrics) in this server? (y/n): n
The script is about to apply the changes on this server.
Confirm the input? (y/n)?y
- Cleaning up current Firewalld configuration.
- Applying changes:
firewall-cmd --zone=public --add-service=https --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.0.2 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.0.3 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.0.4 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.1.2 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.1.3 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.1.4 --permanent
success
firewall-cmd --new-zone=connectors --permanent
success
firewall-cmd --reload
success
firewall-cmd --zone=connectors --add-source=192.168.0.5/32 --permanent
success
firewall-cmd --zone=connectors --add-source=192.168.1.5/32 --permanent
success
firewall-cmd --zone=connectors --add-source=192.168.1.6/32 --permanent
success
firewall-cmd --zone=connectors --add-port=2181/tcp --permanent
success
firewall-cmd --zone=connectors --add-port=9092/tcp --permanent
success
Done! To review the results, please, check the script log file (/tmp/configureFirewalld.log)

Executing in Nodes that contain AACC Connector (192.168.0.4)

[root@dc1aaccconn1 ~]# /mnt/Tools/configureFirewalld.sh
1) Settings for generic node of the cluster
2) Settings for standalone CMS Connector
3) Clear current firewalld settings
4) Exit
Please, select the option: 1
This option will clean the current firewalld configuration and add the Avaya Business Rules Engine firewalld required configuration
Confirm the input? (y/n)?y
- Performing backup of the current Firewalld configuration.
Backup file: /etc/firewalld/zones/public.xml.backup_2020-10-17_20:08:50
Backup file: /etc/firewalld/zones/trusted.xml.backup_2020-10-17_20:08:50
Backup file: /etc/firewalld/direct.xml.backup_2020-10-17_20:08:50
Settings for generic node of the cluster
-- Enter the IPs of all nodes, including the ones in remote DC (comma separated): 192.168.0.2,192.168.0.3,192.168.0.4,192.168.1.2,192.168.1.3,192.168.1.4
-- Enter the IPs of all standalone CMS/AACC Connectors (comma separated): 192.168.0.5,192.168.1.5,192.168.1.6
-- Leave http port 80 open (non secure)? (y/n): n
-- Leave the 7201 port open to receive secure CMS Feed (Agent Group Metrics) in this server? (y/n): n
-- Leave the 7200 port open to receive CMS Feed (Agent Group Metrics) in this server? (y/n): n
-- Leave multicast packets enabled to receive AACC Feed (Agent Group Metrics) in this server? (y/n): y
The script is about to apply the changes on this server.
Confirm the input? (y/n)?y
- Cleaning up current Firewalld configuration.
- Applying changes:
firewall-cmd --zone=public --add-service=https --permanent
success
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
success
firewall-cmd --zone=trusted --add-source=192.168.0.2 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.0.3 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.0.4 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.1.2 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.1.3 --permanent
success
firewall-cmd --zone=trusted --add-source=192.168.1.4 --permanent
success
firewall-cmd --new-zone=connectors --permanent
success
firewall-cmd --reload
success
firewall-cmd --zone=connectors --add-source=192.168.0.5/32 --permanent
success
firewall-cmd --zone=connectors --add-source=192.168.1.5/32 --permanent
success
firewall-cmd --zone=connectors --add-source=192.168.1.6/32 --permanent
success
firewall-cmd --zone=connectors --add-port=2181/tcp --permanent
success
firewall-cmd --zone=connectors --add-port=9092/tcp --permanent
success
Done! To review the results, please, check the script log file (/tmp/configureFirewalld.log)

Executing in the standalone CMS Connector Nodes (192.168.0.5, 192.168.1.5)

[root@dc1cmsconn1 ~]# /mnt/Tools/configureFirewalld.sh
1) Settings for generic node of the cluster
2) Settings for standalone CMS Connector
3) Clear current firewalld settings
4) Exit
Please, select the option: 2
Standalone CMSC. This option will enable CMSC port
Confirm the input? (y/n)?y
- Performing backup of the current Firewalld configuration.
Backup file: /etc/firewalld/zones/public.xml.backup_2020-10-17_20:13:11
Backup file: /etc/firewalld/zones/trusted.xml.backup_2020-10-17_20:13:11
Backup file: /etc/firewalld/zones/connectors.xml.backup_2020-10-17_20:13:11
Backup file: /etc/firewalld/direct.xml.backup_2020-10-17_20:13:11
Settings for standalone CMS Connector
-- Leave the 7201 port open to receive secure CMS Feed (Agent Group Metrics) in this server? (y/n): n
-- Leave the 7200 port open to receive CMS Feed (Agent Group Metrics) in this server? (y/n): y
The script is about to apply the changes on this server.
Confirm the input? (y/n)?y
- Cleaning up current Firewalld configuration.
- Applying changes:
firewall-cmd --zone=public --add-port=7200/tcp --permanent
success
Done! To review the results, please, check the script log file (/tmp/configureFirewalld.log)
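An added dry-run generator (example code written for this guide, not Avaya's configureFirewalld.sh) that prints, without applying, the firewall-cmd commands the answers to the prompts above lead to, so the resulting zone layout can be reviewed before a node is touched. Zones and ports are taken from the three sample runs; the command for answering "y" to the port 80 prompt and the final reload are not shown in the guide and are assumptions here.

```shell
#!/usr/bin/env bash
# Added example, not part of the Avaya guide. Reproduces the decisions the
# firewall script makes from its prompts, as printed commands only.
set -eu

# Reject anything that is not a dotted-quad IPv4 address.
valid_ipv4() {
  local ip="$1" octet
  case "$ip" in *[!0-9.]*) return 1 ;; esac
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in '') return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Option 1 ("generic node of the cluster").
# $1 node IPs, $2 standalone connector IPs (comma separated lists);
# $3..$6 are the y/n answers: http port 80, secure CMS feed (7201),
# plain CMS feed (7200), AACC multicast feed.
generic_node_plan() {
  local nodes="$1" connectors="$2" http="$3" cms_tls="$4" cms_plain="$5" aacc="$6"
  local ip
  for ip in $(printf '%s' "$nodes,$connectors" | tr ',' ' '); do
    valid_ipv4 "$ip" || { echo "invalid IP address: $ip" >&2; return 1; }
  done
  # Only HTTPS is exposed to the outside by default.
  echo "firewall-cmd --zone=public --add-service=https --permanent"
  if [ "$http" = y ]; then   # assumed: the guide only shows the 'n' answer
    echo "firewall-cmd --zone=public --add-service=http --permanent"
  fi
  if [ "$cms_tls" = y ]; then
    echo "firewall-cmd --zone=public --add-port=7201/tcp --permanent"
  fi
  if [ "$cms_plain" = y ]; then
    echo "firewall-cmd --zone=public --add-port=7200/tcp --permanent"
  fi
  if [ "$aacc" = y ]; then
    echo "firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT"
  fi
  # Cluster nodes talk to each other without port restrictions: trusted zone.
  for ip in $(printf '%s' "$nodes" | tr ',' ' '); do
    echo "firewall-cmd --zone=trusted --add-source=$ip --permanent"
  done
  # Standalone connectors get their own zone limited to ZooKeeper and Kafka.
  echo "firewall-cmd --new-zone=connectors --permanent"
  echo "firewall-cmd --reload"
  for ip in $(printf '%s' "$connectors" | tr ',' ' '); do
    echo "firewall-cmd --zone=connectors --add-source=$ip/32 --permanent"
  done
  echo "firewall-cmd --zone=connectors --add-port=2181/tcp --permanent"
  echo "firewall-cmd --zone=connectors --add-port=9092/tcp --permanent"
  echo "firewall-cmd --reload"   # assumed: activates the --permanent rules
}

# Option 2 ("standalone CMS Connector"): only the CMS feed port is opened.
# $1 = answer for the secure feed (7201), $2 = answer for the plain feed (7200).
cmsc_plan() {
  local cms_tls="$1" cms_plain="$2"
  if [ "$cms_tls" = y ]; then
    echo "firewall-cmd --zone=public --add-port=7201/tcp --permanent"
  fi
  if [ "$cms_plain" = y ]; then
    echo "firewall-cmd --zone=public --add-port=7200/tcp --permanent"
  fi
  echo "firewall-cmd --reload"   # assumed, as above
}

# Dry run with the addresses of the example topology above.
if [ "${1:-}" = "--demo" ]; then
  generic_node_plan 192.168.0.2,192.168.0.3,192.168.0.4,192.168.1.2,192.168.1.3,192.168.1.4 \
                    192.168.0.5,192.168.1.5,192.168.1.6 n n n n
fi
```

Compare the printed plan with firewall-cmd --list-all-zones on a configured node to confirm that only https, the trusted node sources and the connectors zone remain after the script has run.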


Enabling other Ports ( for CMS Connector or Import Export Tool )

If the CMS sends the feed to a port other than 7200, the user must run the following commands on the CMS Connectors that will receive the feed:
firewall-cmd --zone=public --add-port=<port>/tcp --permanent
systemctl restart firewalld
Note: Change <port> to the desired port number.

If the IET is installed on a host with the firewall enabled, the user must run the following commands to open the ports used to connect to the IET:
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=8443/tcp --permanent
systemctl restart firewalld

Disabling firewall / Clearing current firewalld settings

Firewall configuration is preserved during Avaya Business Rules Engine upgrades. To clean the firewall configuration, execute the script with the 3rd option "Clear current firewalld settings" selected, as shown below:

[root@dc1cmsconn1 ~]# /mnt/Tools/configureFirewalld.sh

Result:
1) Settings for generic node of the cluster
2) Settings for standalone CMS Connector
3) Clear current firewalld settings
4) Exit
Please, select the option: 3
This option will clean current firewalld configuration
Confirm the input? (y/n)?y
- Performing backup of the current Firewalld configuration.
Backup file: /etc/firewalld/zones/public.xml.backup_2020-10-23_11:59:46
Backup file: /etc/firewalld/zones/trusted.xml.backup_2020-10-23_11:59:46
Backup file: /etc/firewalld/zones/connectors.xml.backup_2020-10-23_11:59:46
Done!
To review the results, please, check the script log file (/tmp/configureFirewalld.log)
