Technical Support Note TS-BTS-SW-0065
Mass change of Flexi Base Station accounts

Radio Network
Flexi GSM Base Stations
Flexi WCDMA Base stations
Flexi LTE Base Stations
Single RAN

Approved: 22-Aug-2016
Version: 3.0 (APPROVED)
Confidential © Nokia 2016

Informative / Preventive / Corrective / Urgent / Security / Release Upgrade / SW Update / Parameterization
Internal / Public / Customer Specific

Table of Contents

1. Purpose
2. Validity
   2.1 IMPACTED TECHNOLOGY
   2.2 IMPACTED SYSTEM AND SW RELEASES
   2.3 IMPACTED PRODUCTS
   2.4 RELATED FEATURES
3. Keywords
4. Executive summary
5. Impact on the network
6. Detailed description
   6.1 BTS local operator user account
   6.2 Service account
7. Solution and correction instructions
   7.1 BTS LOCAL OPERATOR USER ACCOUNT MASS CHANGE
       7.1.1 NEAC
   7.2 SERVICE ACCOUNT PASSWORD MASS CHANGE
       7.2.1 Script information
       7.2.2 NEAC
8. References
   8.1 RELATED OPERATING DOCUMENTATION
   8.2 RELATED CASE ID

Contact your local Nokia support

29-Jan-2016   1.0   Approved version
18-May-2016   2.0   2nd approved version; GSM-R added (2.2-2.4), tables 7.1 and 7.2 updated
22-Aug-2016   3.0   WCDMA17 added; FL16A, TL16A, SRAN16.10 validity added

1. Purpose

This document contains generic information about products. These can be instructions that explain problem situations in the field, instructions on how to prevent or how to recover from problem situations, announcements about changes or preliminary information as requirements for new features or releases.

2. Validity

2.1 IMPACTED TECHNOLOGY

Technology   GSM   WCDMA   LTE-FDD   LTE-TDD   Single RAN
             X     X       X         X         X

2.2 IMPACTED SYSTEM AND SW RELEASES

System Release    Impact Product SW Release(s)
RG40              GF1 2.0.0, EX5_2
RGR40 (EP1)       EXR5_2.1
GSM16             GF16, EX16
RU50 (EP1)        WN9.0, WN9.1, WL9.1, WZ9.1
WCDMA16           WBTS16
WCDMA17 *)        WBTS17 P8 SW (WBTS17 1.0, WBTS17 2.0 etc. are not impacted)
RL70              LN7.0, LNF7.0
RL55              LNT5.0, LNZ5.0
FL15A             FL15A, FLF15A
TL15A             TL15A, TLF15A
FL16              FL16, FLF16
TL16              TL16, TLF16
FL16A             FL16A, FLF16A
TL16A             TL16A, TLF16A
SRAN16.2          SBTS16.2
SRAN16.10         SBTS16.10

*) If the RAN2504 Configurable Service Accounts feature is used at WCDMA 16 MP3/MP4 level, it is highly recommended to upgrade from WCDMA 16 MP3/MP4 to WCDMA 17 MPx.
2.3 IMPACTED PRODUCTS

Product
Flexi EDGE BTS
Flexi EDGE BTS GSM-R
Flexi Multiradio BTS EDGE
Flexi Multiradio 10 BTS EDGE
Flexi Multiradio BTS WCDMA
Flexi Lite BTS WCDMA
Flexi Zone BTS WCDMA
Flexi Multiradio BTS LTE
Flexi Multiradio BTS TD-LTE
Flexi Zone BTS
Flexi Zone BTS TD-LTE
Single RAN (Flexi Multiradio BTS Single RAN)

2.4 RELATED FEATURES

RG302569   Remote BTS password management
RG302590   Remote BTS password management for GSM-R
RAN1210    Mass Updating of Local Flexi BTS Passwords via NetAct
RAN2504    Configurable Service Accounts
LTE1030    Configurable Service Account
LTE679     Local User account management
SR000906   SBTS Nokia Service Account Management
SR000900   SBTS Operator Account Management

3. Keywords

Service account, BTS local operator user account, toor4nsn, Nemuadmin

4. Executive summary

This Technical Support Note gives guidelines on how to mass change user accounts on Nokia base stations. Both service and element manager user accounts are handled in this TN. If default user names and/or passwords are used, this creates a vulnerability which can be exploited if a user has access to the base station, certain applications, and usernames/passwords.

5. Impact on the network

Nokia has received information that base station user account information might not have been changed during commissioning. Using default account information creates a vulnerability risk, as those default usernames and passwords might be available from the internet. Similarly, the tools used for local base station operation and maintenance are widely used and might be available from the internet. Thus it is advised to change each base station’s account information regularly.

6. Detailed description

There are two kinds of user accounts at the base stations: Service account and Element manager user account.

6.1 BTS local operator user account

This account is also sometimes called the BTS Element Manager user account. BTS Element Manager is used for BTS management in general, and it uses this account. For example, the BTS has a TRS web page which uses this account for login. There are also other tools, such as command line tools, which use this account.

The BTS local operator user account, called Nemuadmin, comes with a default password. The user can connect to the BTS site locally or remotely using the BTS local operator user account. Local connection means a direct connection from a PC with BTS Element Manager to the BTS using an Ethernet cable with an RJ-45 connector. A remote connection can be established through the data communication network (DCN). BTS Element Manager is a Java-based application for maintaining and commissioning the BTS and the Flexi Transport element.

Password changes for the BTS local operator user account and/or the Service account must be done cluster by cluster (not the whole network at once).
  o All tools used for maintenance/service must be checked after the passwords have been changed in the first cluster.
  o The tools to be verified are those which use the passwords.

As the default Nemuadmin password does not fulfill the Nokia local account policy rules, you cannot change the account password back to the default (restore nemuuser) after the user password has been changed.

6.2 Service account

The Nokia internal root user account, called toor4nsn (in some GSM sites called ‘root’), comes with a default password. This user account is created for Nokia internal use only, to access log files, internal counters, diagnosis information etc. on an on-site Base Station (in a service SSH/telnet session). SSH access to a Base Station is deactivated by default. Activation requires authentication with the BTS Site Manager or the Transport Web interface using the BTS local operator user account. Therefore the person who wants to activate SSH/telnet to get access as the toor4nsn user must know the username and password used by the operator (or ask another authorized person to activate it).

Because the default toor4nsn password is publicly known (it has been disclosed on the Internet), it is recommended to enable SSH access to the Base Station on a need basis only. If permanent SSH access to the Base Station is required, then in order to block unauthorized access to the Base Station, it is strongly recommended to change the default password for the toor4nsn user account according to the instructions provided in this Technical Support Note.

Password changes for the BTS local user account and/or the Service account must be done cluster by cluster (not the whole network at once).
  o All tools used for maintenance/service must be checked after the passwords have been changed in the first cluster.
  o The tools to be verified are those which use the passwords.

It is no longer possible to change the toor4nsn password back to the default in NetAct (NEAC tool), as the default toor4nsn password does not fulfill the Nokia local account policy rules. It is possible to set back the default toor4nsn password using the “sec_eNodeB” tool. The current password is needed for this.

7. Solution and correction instructions

This Technical Note provides information on how to mass change account information remotely after commissioning.
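The cluster-by-cluster rule in the detailed description above, sketched as an added example (not part of the Nokia note and not Nokia tooling): a small Python gate that refuses to start the next cluster until failed sites are resolved and every tool that logs in with the changed account has been re-verified. The class, the `change` callback, the account label and the sample inventory are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class ClusterRollout:
    """One-cluster-at-a-time gate for an account password change.

    Hypothetical helper: `change(site)` stands in for whatever performs the
    change on one site (NEAC or the vendor script); it returns True on success.
    """
    account: str                        # account being changed
    clusters: Dict[str, List[str]]      # cluster name -> site ids, in rollout order
    tools: Dict[str, Set[str]]          # tool name -> accounts it logs in with
    changed: Dict[str, List[str]] = field(default_factory=dict)
    failed: Dict[str, List[str]] = field(default_factory=dict)
    verified: Set[str] = field(default_factory=set)

    def tools_to_verify(self) -> List[str]:
        # Only tools that use the changed account need to be re-checked.
        return sorted(t for t, a in self.tools.items() if self.account in a)

    def blocked_by(self) -> List[str]:
        """Reasons the next cluster must not start; an empty list means go."""
        reasons = [f"unresolved sites in {c}: {', '.join(s)}"
                   for c, s in self.failed.items() if s]
        if self.changed:  # first cluster done: the tool check is now mandatory
            reasons += [f"tool not verified: {t}"
                        for t in self.tools_to_verify() if t not in self.verified]
        return reasons

    def mark_verified(self, tool: str) -> None:
        if tool not in self.tools_to_verify():
            raise ValueError(f"{tool} does not use {self.account}")
        self.verified.add(tool)

    def run_next(self, change: Callable[[str], bool]) -> Optional[str]:
        """Change the next pending cluster, or return None if blocked or done."""
        if self.blocked_by():
            return None
        cluster = next((c for c in self.clusters if c not in self.changed), None)
        if cluster is None:
            return None
        results = {site: change(site) for site in self.clusters[cluster]}
        self.changed[cluster] = [s for s, ok in results.items() if ok]
        self.failed[cluster] = [s for s, ok in results.items() if not ok]
        return cluster

    def retry_failed(self, change: Callable[[str], bool]) -> None:
        for cluster, sites in self.failed.items():
            still_bad = [s for s in sites if not change(s)]
            self.changed[cluster] += [s for s in sites if s not in still_bad]
            self.failed[cluster] = still_bad


# Constructed sample inventory and tool list (not taken from the note).
SAMPLE = ClusterRollout(
    account="bts-local-operator",
    clusters={"cluster-A": ["site-001", "site-002"],
              "cluster-B": ["site-101", "site-102"]},
    tools={"element-manager-profiles": {"bts-local-operator"},
           "log-collector": {"bts-local-operator", "service"},
           "ssh-diagnostics": {"service"}},
)
```

A site that fails inside a cluster blocks the rollout as well, so a partial change never spreads beyond the cluster where it happened.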
7.1 BTS LOCAL OPERATOR USER ACCOUNT MASS CHANGE

Flexi EDGE BTS*)                  X  RG302569  BSC16 4.0 and EX16 4.0 (Nov/2016), NetAct 17.2
Flexi Multiradio BTS EDGE         X  RG302569  BSC16 4.0 and EX16 4.0 (Nov/2016), NetAct 17.2
Flexi Multiradio 10 BTS EDGE      X  RG302569  BSC16 4.0 and GF16.5 2.0 (Nov/2016), NetAct 17.2
Flexi Multiradio BTS WCDMA        X  RAN1210   RN8.1, mcRNC4.1, mcRNC16, WN9.1
Flexi Lite BTS WCDMA              X  RAN1210   RN8.1, mcRNC4.1, mcRNC16, WL9.1 2.0
Flexi Zone BTS WCDMA              X  RAN1210   mcRNC4.1 4.0, mcRNC162.0, WZ9.1
Flexi Multiradio BTS LTE          X  LTE679
Flexi Multiradio BTS TD-LTE       X  LTE679
Flexi Zone BTS                    X  LTE679    RL50FZ
Flexi Zone BTS TD-LTE             X  LTE679    RL55
Flexi Multiradio BTS Single RAN   X  SR000900  RL10 RL15 SRAN16.2 1.0 (May 2016)

*) Flexi EDGE BTS GSM-R:
   - RG302590: Remote BTS password management for GSM-R
   - Future roadmap item

NEAC = Network Element Access Control (NetAct solution)
Script = Temporary solution before NEAC support

7.1.1 NEAC

For LTE base stations there is the LTE679: Local User account management feature, which allows the customer to change the local user account name and password from NetAct for multiple LTE Base Stations using the Network Element Access Control (NEAC) tool. Please follow the detailed instructions provided in Operating Documentation:

Local user management using NEAC:
  Operating Documentation > Functional Area Description > Operability > LTE RAN O&M Security > O&M user security

Security hardening guidelines, including the recommendations for the operator to increase the level of O&M security:
  FDD-LTE Operating Documentation > Functional Area Description > Operability > Configuring Security in eNB
  TD-LTE Operating Documentation > Integrate and Configure > Configuring Security in eNB

For Flexi Multiradio BTS Single Radio there is a feature - SR000900: SBTS Operator Account Management - which enables the operator to configure the local user account username and password (either from NetAct for multiple SBTSs or from the Web UI for one particular SBTS). Please follow the detailed instructions provided in Operating Documentation:
  Operating Documentation > Features > SRAN 16.2, Feature Descriptions and Instructions > Descriptions of operability features > SR000900: SBTS Operator Account Management

For WCDMA base stations there is the RAN1210: Mass Updating of Local Flexi BTS Passwords via NetAct feature, which allows the customer to change the local user account name and password from NetAct for multiple WCDMA Base Stations using the Network Element Access Control (NEAC) tool. Please follow the detailed instructions provided in Operating Documentation:
  Operating Documentation > Features > Features from Previous Releases > RU10 Feature Descriptions and Instructions > Operability features > RAN1210: Mass Updating of Local Flexi BTS Passwords via NetAct

If the Network Element Access Control (NEAC) tool of NetAct does not provide support for a specific WCDMA Base Station, it is possible to use the BTS Element Manager account password (change via command line) script. This tool and the corresponding user manual can be obtained by contacting global Technical Support.

7.2 SERVICE ACCOUNT PASSWORD MASS CHANGE

Flexi EDGE BTS*)                  X  RG302569  BSC16 4.0 and EX16 4.0 (Nov/2016), NetAct 17.2
Flexi Multiradio BTS EDGE         X  RG302569  BSC16 4.0 and EX16 4.0 (Nov/2016), NetAct 17.2
Flexi Multiradio 10 BTS EDGE      X  RG302569  BSC16 4.0 and GF16.5 2.0 (Nov/2016), NetAct 17.2
WCDMA16 3.0 (end august 2016)/ NetAct 16.8.
Flexi Multiradio BTS WCDMA        X
Flexi Lite BTS WCDMA              X  RAN2504
Flexi Zone BTS WCDMA              X  RAN2504   Future roadmap item for Zone BTS WCDMA
Flexi Multiradio BTS LTE          X  X  LTE1030  FL15A onwards
Flexi Multiradio BTS TD-LTE       X  X  LTE1030  TL15A onwards
Flexi Zone BTS                    X  X  LTE1030  FL15A onwards
Flexi Zone BTS TD-LTE             X  X  LTE1030  TL15A onwards
Flexi Multiradio BTS Single RAN   X  X  RAN2504 SR000906
In WCDMA17 NEAC solution is available from WBTS17 1.0 onwards
Future roadmap item for Lite BTS WCDMA
SRAN16.2 1.0 (May 2016)

*) Flexi EDGE BTS GSM-R:
   - RG302590: Remote BTS password management for GSM-R
   - Future roadmap item

NEAC = Network Element Access Control (NetAct solution)
Script = Temporary solution before NEAC support

7.2.1 Script information

A tool called “sec_eNodeB” has been developed to mass change the service account password. This tool and the corresponding user manual can be obtained by contacting global Technical Support.

7.2.2 NEAC

For LTE base stations a new feature was introduced in FL15A/TL15A - LTE1030: Configurable Service Accounts.
This feature allows the customer to change the toor4nsn password from NetAct for multiple LTE Base Stations using the Network Element Access Control (NEAC) tool. Please follow the detailed instructions provided in Operating Documentation:

Configuring LTE1030: Configurable Service Accounts using NEAC:
  Operating Documentation > Troubleshoot > Troubleshooting LTE RAN > LTE troubleshooting use cases > BTS Site Manager connection problems > Changing BTS service account

Security hardening guidelines, including the recommendations for the operator to increase the level of O&M security:
  FDD-LTE Operating Documentation > Functional Area Description > Operability > Configuring Security in eNB
  TD-LTE Operating Documentation > Integrate and Configure > Configuring Security in eNB

For Flexi Multiradio BTS Single Radio there is a feature - SR000906: Nokia Service Account Management - which enables the operator to configure the service account password. Please follow the detailed instructions provided in Operating Documentation:
  Operating Documentation > Features > SRAN 16.2, Feature Descriptions and Instructions > Descriptions of operability features > SR000906: SBTS Nokia Service Account Management

For other BTS types the tool does not work properly; the script should be used instead.

8. References

8.1 RELATED OPERATING DOCUMENTATION

Flexi Multiradio BTS LTE, Operating Documentation
Flexi Zone BTS, Operating Documentation
Flexi Multiradio BTS TD-LTE, Operating Documentation
Flexi Zone BTS TD-LTE, Operating Documentation
Single RAN, Operating Documentation
WCDMA RAN, Rel. WCDMA 16, Operating Documentation, Issue 02
WCDMA RAN, Rel. WCDMA15FZ, Operating Documentation, Issue 02

8.2 RELATED CASE ID

NA05841404 - RL70 Acceptance - Fixed user account with root privileges
NA05882528 - Change root password on all E node B's and WBTS's
NA05878794 - root password for Nokia products is available on Internet
NA05869606 - Cyber attack expected from LTE
NA05882858 - Change root password on all E node B's and WBTS's

Disclaimer

The information in this document applies solely to the hardware/software product (“Product”) specified herein, and only as specified herein. Reference to “Nokia” later in this document shall mean the respective company within Nokia Group of Companies with whom you have entered into the Agreement (as defined below).

This document is intended for use by Nokia's customers (“You”) only, and it may not be used except for the purposes defined in the agreement between You and Nokia (“Agreement”) under which this document is distributed. No part of this document may be used, copied, reproduced, modified or transmitted in any form or means without the prior written permission of Nokia. If You have not entered into an Agreement applicable to the Product, or if that Agreement has expired or has been terminated, You may not use this document in any manner and You are obliged to return it to Nokia and destroy or delete any copies thereof.

The document has been prepared to be used by professional and properly trained personnel, and You assume full responsibility when using it. Nokia welcomes your comments as part of the process of continuous development and improvement of the documentation.

This document and its contents are provided as a convenience to You.
Any information or statements concerning the suitability, capacity, fitness for purpose or performance of the Product are given solely on an “as is” and “as available” basis in this document, and Nokia reserves the right to change any such information and statements without notice. Nokia has made all reasonable efforts to ensure that the content of this document is adequate and free of material errors and omissions, and Nokia will correct errors that You identify in this document. Nokia's total liability for any errors in the document is strictly limited to the correction of such error(s). Nokia does not warrant that the use of the software in the Product will be uninterrupted or error-free.

NO WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF AVAILABILITY, ACCURACY, RELIABILITY, TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, IS MADE IN RELATION TO THE CONTENT OF THIS DOCUMENT. IN NO EVENT WILL NOKIA BE LIABLE FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT, EVEN IN THE CASE OF ERRORS IN OR OMISSIONS FROM THIS DOCUMENT OR ITS CONTENT.

This document is Nokia proprietary and confidential information, which may not be distributed or disclosed to any third parties without the prior written consent of Nokia.

Nokia is a registered trademark of Nokia Corporation. Other product names mentioned in this document may be trademarks of their respective owners.

Copyright © 2016 Nokia. All rights reserved.

This product may present safety risks due to laser, electricity, heat, and other sources of danger. Only trained and qualified personnel may install, operate, maintain or otherwise handle this product and only after having carefully read the safety information applicable to this product. The safety information is provided in the Safety Information section in the “Legal, Safety and Environmental Information” part of this document or documentation set.

Nokia is continually striving to reduce the adverse environmental effects of its products and services. We would like to encourage you as our customers and users to join us in working towards a cleaner, safer environment. Please recycle product packaging and follow the recommendations for power use and proper disposal of our products and their components. If you should have questions regarding our Environmental Policy or any of the environmental services we offer, please contact us at Nokia for any additional information.