Groups contextual area
The contextual area displays the list of the user groups of the equipment.
Table
Every row of the table corresponds to a group, for which the following are indicated:
Name. Group name
Profile. Profile of the users associated with the group:
• Administrator. The user with this profile can both check the parameters and send commands or change the equipment configuration, with no exception.
• Read/Write. The user with this profile can both check the parameters and send commands or make changes to the equipment configuration, except for the following operations: modifying the user list, aligning the date/time of the equipment, forcing the logout of a user, and all the operations available only to the Admin. user.
• Maintenance. The user with this profile can check the parameters and execute only maintenance operations (MAN OP) in the Manual Operations contextual area.
• Read Only. The user with this profile can only check the parameters.
CLI. Permission of the user to access the equipment also through the SM-OS application (Siae Microelettronica - Operating System).
The active box ( ) indicates that the WEB user is also a CLI user; the inactive box indicates that the WEB user is not a CLI user.
The parameter is read-only because the setting is made automatically by WEB LCT, according to the profile defined during the group creation: only the users belonging to groups with the Admin profile have the CLI functionality enabled.
HTTP. Protocol HTTP (HyperText Transfer Protocol): protocol used to transfer hypertext pages on the WEB.
The active box ( ) indicates that the protocol will be available for the WEB LCT session opened by the users of the group; the inactive box indicates that the protocol will not be available.
HTTPS. Protocol HTTPS (HyperText Transfer Protocol over SSL): variation of the HTTP protocol which uses, besides the TCP/IP protocol, the SSL layer (Secure Sockets Layer), which implements the encryption and the authentication of the transmitted data.
The active box ( ) indicates that the protocol will be available for the WEB LCT session opened by the users of the group; the inactive box indicates that the protocol will not be available.
SNMP. Protocol SNMP (Simple Network Management Protocol): protocol which allows monitoring and controlling the network devices. Options:
• Disabled. Protocol SNMP disabled.
• SNMPv1. First version.
• SNMPv2c. Second version.
• SNMPv3. Third version.
FTP. Protocol FTP (File Transfer Protocol): protocol for the file transfer based on TCP.
The active box ( ) indicates that the protocol will be available for the WEB LCT session opened by the users of the group; the inactive box indicates that the protocol will not be available.
SFTP. Protocol SFTP (SSH File Transfer Protocol): protocol for the secure file transfer.
The active box ( ) indicates that the protocol will be available for the WEB LCT session opened by the users of the group; the inactive box indicates that the protocol will not be available.
SSH. Protocol SSH (Secure SHell): protocol for the secure, encrypted access.
The active box ( ) indicates that the protocol will be available for the WEB LCT session opened by the users of the group; the inactive box indicates that the protocol will not be available.
Push-button
Apply. Not available in this context.
Refresh. Update the context.
Help. Open the on-line help.
Add Group. Add a user group.
Remove Group. Delete a user group.
Apply changes. Confirm the changes.
Revert changes. Cancel the changes not confirmed yet.
See also
Groups (command)
Users management (info)
HTTP/HTTPS protocol (info)
SNMP protocol (info)
FTP/SFTP protocol (info)
SSH protocol (info)
HTTP/HTTPS protocol (info)
HTTP (HyperText Transfer Protocol) is used to transfer hypertext pages within WEB.
All HTTP traffic takes place via the TCP/IP protocol on port 80 of the PC.
HTTPS (HyperText Transfer Protocol over SSL) is a variation of HTTP and uses, besides the TCP/IP protocol, the SSL layer (Secure Sockets Layer), which implements the encryption and the authentication of the transmitted data. All HTTPS traffic takes place on port 443 of the PC.
In web browsers, the URI scheme which refers to this technology is named https.
For more information, see the RFC 2818 specification (HTTP Over TLS).
AGS-20
Equipment can operate with HTTP protocol or HTTPS protocol.
The protocols are implemented in exclusive mode, in such a way that, when a user connects via HTTPS, HTTP requests will be redirected to HTTPS and vice versa.
The use of the HTTP and/or HTTPS protocol at equipment level can be enabled at any moment (see Enable/disable the operating of a communication protocol).
If the operator enables both the HTTP protocol and the HTTPS protocol, the system will automatically use the more secure protocol (HTTPS).
The utilization of a protocol during a WEB LCT session depends also on the enabling state, for this protocol, of the user who has opened the session. The protocols enabled for one user depend on the group associated with the user (see Group/User Management).
Example. If the user XY is associated with a group enabled to use only the HTTP protocol and not HTTPS, this user can open the WEB LCT session only in HTTP mode, even if the HTTPS protocol is enabled in the Services Status Config contextual area. In the same way, if the user XY is associated with a group enabled to use both the HTTPS and the HTTP protocol, but the HTTPS protocol is disabled in the Services Status Config contextual area, the user XY can open the WEB LCT session in HTTP mode.
As a general rule, for the correct use of one protocol, it is necessary that the protocol is enabled for use and that the user who opens the WEB LCT session is associated with a group enabled to use the same protocol.
The first time the equipment is switched on, or after the restore of the Factory Default, the equipment uses the HTTP protocol.
The protocol (HTTP or HTTPS) used to open the WEB LCT page is defined at the level of the NMS system.
HTTPS (AGS-20) - SSL certificate
Enabling the HTTPS protocol is possible only if you have an SSL digital certificate for the WEB Server.
The main aim of this certificate is to authenticate the server (for example, the AGS-20 equipment) to the clients (e.g., the user PC where the WEB LCT page of the equipment is opened).
SSL foresees that, on connection, the server provides its certificate; if the certificate is signed by a recognised Certification Authority (Trusted certificates), then a secure communication can be started.
From the physical point of view, the certificate is a file containing the information relevant to the issuing authority, to the subject of the certificate, and additional information indicating the use for which the certificate has been released.
WARNING: AGS-20 equipment is not provided with SSL certificates when it is put in the field. Moreover, the restore of the Factory Default deletes any certificates already loaded on the equipment.
How to get a SSL Trusted certificate
You can get an SSL certificate by requesting it from a recognised certification authority (Certification Authority - CA), that is, a public authority enabled to issue unique certificates.
The Certification Authority ensures the identity of the owner of the certificate by signing the certificate (which binds the owner's public key) with its own private key.
The procedure to request the certificate can change from CA to CA, depending on the required information and on the procedure for the generation and the communication of the key pair (see the documentation of the specific CA).
Generally, all CAs will require you to provide a CSR (Certificate Signing Request), that is, a request containing the data which shall be certified. To generate the CSR of an equipment, see Generate the Certificate Signing Request for an equipment.
The generation of the CSR includes also the generation of a Private Key, which is not included in the CSR itself and is used only to sign the certificate request.
The information to include in the CSR changes depending on the context for which you request the certification. The CA will define which information is needed.
In any case, the name/address of the server (Common Name) for which you require the certificate will be required.
For the generation of SSL certificates relevant to AGS-20 equipment, the Common Name of the certificate must correspond to the IP address of the equipment for which you wish to use the certificate (for more information, see Certificate license - AGS-20 hereinafter in the chapter).
By IP address we mean the address entered in the URL of the browser to open the WEB LCT page.
As a result of the certification request, the CA will provide the file containing the final SSL certificate. This file must be loaded on the equipment (see Download the SSL certificate in an equipment).
SSL UnTrusted certificates - AGS-20
It is possible to create, and load on the equipment, certificates self-generated by the user (e.g., via OpenSSL).
The self-signed certificates (UnTrusted certificates) are generally not considered trustworthy by browsers. They are useful for verification purposes, but their standard use does not ensure the security of the server-client connection.
To ensure the security within an equipment network, it is necessary to use certificates signed by a certification authority (Trusted certificates).
Certificate license - AGS-20
The certificate license is valid for only one piece of equipment, because SSL certificates are specific with respect to the Common Name for which they are requested and released.
During the authentication of a server (equipment) at a client (user PC), one of the first checks executed consists in comparing the value of the Common Name field present in the certificate with the URL of the web page you are opening.
The equipment WEB LCT page is opened at the URL //<equipment IP address>. This means that the Common Name of the certificate must correspond to the equipment IP address.
So, if you wish to migrate a whole network of AGS-20 equipment from the HTTP protocol to the HTTPS protocol, it is necessary to have an SSL certificate for every equipment, where the relevant Common Name corresponds to the equipment IP address.
Certificate expiry - AGS-20
Generally, SSL certificates have a quite long validity period.
When the certificates on the equipment expire, they must be replaced with new valid certificates by means of the procedures Generate the Certificate Signing Request for an equipment and Download the SSL certificate in an equipment.
How to implement the protocol HTTPS - AGS-20
In summary, the operations to perform in order to implement the use of the HTTPS protocol on AGS-20 equipment are the following:
• Open the WEB LCT page of the equipment for which you wish to generate the certificate request (CSR).
• Generate the Certificate Signing Request for an equipment.
During this operation, set the Common Name to the IP address of the equipment indicated in the URL of the WEB page.
The system, besides generating the CSR, will send the private RSA key to the equipment.
• Copy the CSR and paste it into a text file.
• Send the CSR to the chosen CA.
• When the CA sends the file containing the signed SSL certificate, load it on the equipment (see Download the SSL certificate in an equipment).
• Verify that the group, to which the user used to open the HTTPS session with the equipment is associated, is enabled for HTTPS. Otherwise, it is necessary to enable it (see Groups contextual area/Users contextual area).
• Verify that the HTTPS protocol at equipment level is enabled; otherwise, it is necessary to enable it (see Services Status Config contextual area).
SSL and TLS protocol
The protocols SSL (Secure Socket Layer) and TLS (Transport Layer Security) are encryption protocols which allow a secure communication in TCP/IP networks.
As indicated at the beginning of the chapter, the HTTPS protocol is a variation of HTTP which uses the SSL level for the encryption and the authentication of the transmitted data.
In order to do this, the SSL/TLS protocols use three main functionalities:
• Authentication. The authentication of the identity in the connections can be executed using public-key encryption (e.g., RSA, DSS, etc.).
• Security. In order to ensure a secure connection between the two parties involved in a communication, the data are protected using symmetric-key encryption algorithms (e.g., DES, RC4, etc.).
• Reliability. The transport level includes a check on the integrity of the message based on a MAC (Message Authentication Code) which uses secure hash functions (e.g., SHA, MD5, etc.). In this way, you can verify that the data transmitted between client and server have not been altered during the transmission.
SSL and TLS protocol - AGS-20
AGS-20 equipment uses the TLS protocol version 1.
The user can choose, from the list of CipherSuites, the combination of encryption algorithms supported by the client, sorted according to his preferences.
In detail, the list of CipherSuites indicates:
• The algorithm for the Key Exchange.
• The CipherSpec containing the data encryption algorithm (Cipher), with the possible implementation characteristics, and the algorithm for the Message Authentication Code (Hash).
AGS-20 equipment manages the following CipherSuites:
CipherSuite                Key Exchange   Cipher        Hash
RSA-3DES-SHA               RSA            3DES          SHA
RSA-WITH-AES-128-CBC-SHA   RSA            AES-128-CBC   SHA
RSA-WITH-AES-256-CBC-SHA   RSA            AES-256-CBC   SHA
See also
Groups (command)
Services Status Config (command)
SSL/HTTP Secure (command)
SNMP protocol (info)
The SNMP protocol is available in 3 versions: SNMPv1, SNMPv2c and SNMPv3.
The main differences between SNMPv1/v2c and SNMPv3 are the management of message security and the control of the accesses.
SNMPv1/v2c
The versions 1 and 2 of SNMP have a security model based on the community: messages are passed unencrypted and can be copied or modified.
SNMPv3
Version 3 of SNMP, instead, foresees a security model based on the user for the protection of the messages and the control of the access.
In SNMPv3, every user has his own authentication password and encryption password for the packets.
In order to authenticate the packets, SNMPv3 utilizes the HMAC-MD5 or HMAC-SHA1 algorithm.
The secret key used to calculate the HMAC code is the user password; in order to be authenticated, the packet must contain also the user name besides the HMAC code.
Moreover, the SNMPv3 protocol foresees the possibility to cipher the part of the packet containing the OIDs of the MIB objects and the relevant values, using the DES56 cipher algorithm; the key used for the cipher procedure is different from the key used for HMAC authentication.
This allows defining whether to allow the user an access:
• Without authentication (noAuthNoPriv).
• With authentication (AuthNoPriv).
• With authentication and encryption (AuthPriv).
For more information, refer to RFC 3410, 3411, 3412, 3413, 3414, 3415, 3584 specifications.
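The HMAC authentication just described, as an added example that is not part of the manual or of the AGS-20 software: it follows RFC 3414 (referenced above), so the HMAC key is not the raw password but the key derived from it and localized to the agent's engine ID, and the 12-byte HMAC-96 tag is computed over the message with the authentication field zeroed. The engine ID and password are the RFC 3414 Appendix A test values; the message bytes are a constructed stand-in for a BER-encoded packet, and the field offset is passed explicitly instead of being parsed.

```python
import hashlib
import hmac

ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 sample engine ID
AUTH_LEN = 12  # HMAC-96: only the first 12 bytes of the MAC travel in the packet


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: repeat the password to 1,048,576 bytes and hash once (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); the key differs per agent,
    so a key captured from one equipment is useless against another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, message: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: first 12 bytes of the HMAC over the whole
    message, computed with the parameter field itself set to 12 zero bytes."""
    return hmac.new(kul, message, algo).digest()[:AUTH_LEN]


def _zero_field(message: bytes, offset: int) -> bytes:
    return message[:offset] + bytes(AUTH_LEN) + message[offset + AUTH_LEN:]


def sign(message: bytes, field_offset: int, kul: bytes, algo: str) -> bytes:
    """Sender side: fill the 12-byte auth field at field_offset."""
    zeroed = _zero_field(message, field_offset)
    tag = auth_params(kul, zeroed, algo)
    return zeroed[:field_offset] + tag + zeroed[field_offset + AUTH_LEN:]


def verify(message: bytes, field_offset: int, kul: bytes, algo: str) -> bool:
    """Receiver side: zero the field, recompute, compare in constant time."""
    received = message[field_offset:field_offset + AUTH_LEN]
    expected = auth_params(kul, _zero_field(message, field_offset), algo)
    return hmac.compare_digest(received, expected)


def demo(algo: str = "sha1") -> dict:
    kul = localize_key(password_to_key(b"maplesyrup", algo), ENGINE_ID, algo)
    # Constructed stand-in for an SNMPv3 message: header bytes, the 12-byte
    # auth parameter placeholder, then the scoped PDU (not real BER).
    header = b"\x30\x29\x02\x01\x03" + b"user-xy"
    pdu = b"\xa0\x0e get-request 1.3.6.1.2.1.1.5.0"
    offset = len(header)
    signed = sign(header + bytes(AUTH_LEN) + pdu, offset, kul, algo)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one bit of the PDU
    return {"kul": kul.hex(), "genuine": verify(signed, offset, kul, algo),
            "tampered": verify(tampered, offset, kul, algo)}
```

With algo "md5" the localized key equals the RFC 3414 A.3.1 vector and with "sha1" the A.3.2 vector, so the derivation can be checked against the standard before trusting it on a trace.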
AGS-20
The equipment can work with SNMPv1/v2c protocol and with SNMPv3 protocol.
In order to preserve the security, SNMPv3 protocol must be used.
The use of the SNMPv1/v2c and/or SNMPv3 protocol can be enabled at equipment level at any moment (see Enable/disable the operating of a communication protocol).
The use of a protocol during a WEB LCT session, however, depends on the enabling state of this protocol for the user who has opened the session. The protocols enabled for a user depend on the group associated with the user (see Backup/Restore Config.).
Example. If the user XY is associated with a group enabled to use the SNMPv3 protocol, a WEB LCT session opened by the user XY will accept and process only SNMPv3 packets; the received SNMPv1/v2c packets will be dropped.
In an analogous way, if the user YZ is associated with a group enabled to use the SNMPv2c protocol, a WEB LCT session opened by the user YZ will accept and process only SNMPv1/v2c packets.
As a general rule, for the correct use of one protocol, it is necessary that the protocol is enabled for use and that the user who opens the WEB LCT session is associated with a group enabled to use the same protocol.
The first time the equipment is switched on, or after the restore of the Factory Default, the equipment uses the SNMPv1/v2c protocol.
Tab.3 displays, for every SNMP version, the security levels (noAuthNoPriv, AuthNoPriv, AuthPriv) supported by the equipment and the description of the provided security mechanisms.
Tab.3 Security mechanisms in SNMPv1/v2c and SNMPv3
Model: SNMPv1/v2c, Security level: noAuthNoPriv
  Authentication: Community String
  Encryption: No
  Description: Community-based authentication: the passwords are transmitted not encrypted and displayed in the traces.
  Notes: This security level is automatically assigned to a user by the system when the user is associated, during the creation procedure, to a group using the protocol SNMPv1 or SNMPv2c*.
Model: SNMPv3, Security level: noAuthNoPriv
  Authentication: Username
  Encryption: No
  Description: Authentication based on user name.
  Notes: This security level is automatically assigned to a user by the system when the user is associated, during the creation procedure, to a group using the protocol SNMPv3*.
Model: SNMPv3, Security level: AuthNoPriv
  Authentication: MD5 or SHA
  Encryption: No
  Description: Authentication based on algorithms MD5 or HMAC-SHA.
  Notes: This security level is automatically assigned to a user by the system when, during the creation procedure:
  • The user is associated to a group using the protocol SNMPv3*.
  • The authentication algorithm/password is defined for the user*.
Model: SNMPv3, Security level: AuthPriv
  Authentication: MD5 or SHA
  Encryption: DES 56
  Description: Authentication based on algorithms MD5 or HMAC-SHA and encryption with algorithm CBC-DES (DES-56) in addition to authentication.
  Notes: This security level is automatically assigned to a user by the system when, during the creation procedure:
  • The user is associated to a group using the protocol SNMPv3*.
  • The authentication algorithm/password and the encryption algorithm/password are defined for the user*.
FTP/SFTP protocol (info)
FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol) are two protocols for the file transfer based on TCP.
The main difference between FTP and SFTP is the management of security.
The FTP protocol does not foresee the data encryption, while the SFTP protocol is based on SSH protocol for the data encryption and the secure file transfer.
AGS-20
The equipment can be used for the file transfer (download/upload) using the FTP protocol or the SFTP protocol.
The use of the FTP and/or SFTP protocol can be enabled at any moment (see Enable/disable the FTP and/or SFTP protocol).
If the operator enables the FTP and SFTP protocols at the same time, the system will automatically use the most secure protocol (SFTP).
The utilization of a protocol during a WEB LCT session depends also on the enabling state, for this protocol, of the user who has opened the session. The protocols enabled for one user depend on the group associated with the user (see Group/User Management).
Example. If the user XY is associated with a group not enabled to use the SFTP protocol, even if the SFTP protocol is enabled in the Ftp/Sftp contextual area, the file transfer between the PC and the equipment during a WEB LCT session opened by XY will take place via FTP. In the same way, if the user XY is associated with a group enabled to use the SFTP protocol, but the SFTP protocol is not enabled in the Ftp/Sftp contextual area, the file transfer between the PC and the equipment during a WEB LCT session opened by XY will take place via FTP.
As a general rule, for the correct use of one protocol, it is necessary that the protocol is enabled for use and that the user who opens the WEB LCT session is associated with a group enabled to use the same protocol.
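The protocol-selection rule stated for HTTP/HTTPS, SNMP and FTP/SFTP above, together with the automatic SNMPv3 security-level assignment of Tab.3 and the CLI rule of the Groups contextual area, as an added example that is not part of the manual or of the AGS-20 software: a small audit of an equipment's enabled services against a user's group, reporting which protocol each WEB LCT session will actually use and flagging the clear-text outcomes. The Group, User and audit names, and the set-based representation of the enabled services, are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Least-to-most secure order per service; the manual states the equipment uses
# the more secure protocol when both are enabled (HTTPS over HTTP, SFTP over FTP).
SERVICES = {"web": ("HTTP", "HTTPS"), "file": ("FTP", "SFTP")}


@dataclass
class Group:                  # one row of the Groups contextual area (names assumed)
    name: str
    profile: str              # Administrator, Read/Write, Maintenance or Read Only
    protocols: set = field(default_factory=set)  # subset of HTTP, HTTPS, FTP, SFTP
    snmp: str = "Disabled"    # Disabled, SNMPv1, SNMPv2c or SNMPv3


@dataclass
class User:
    name: str
    group: Group
    auth_password: str = ""   # SNMPv3 authentication password, if defined
    priv_password: str = ""   # SNMPv3 encryption password, if defined


def session_protocol(service, equipment_enabled, group):
    """General rule: a protocol is usable only if enabled at equipment level
    AND for the user's group; of the usable ones the most secure is taken."""
    usable = [p for p in SERVICES[service]
              if p in equipment_enabled and p in group.protocols]
    return usable[-1] if usable else None


def snmp_security_level(user):
    """Automatic assignment of Tab.3: SNMPv1/v2c is always noAuthNoPriv; SNMPv3
    climbs to AuthNoPriv / AuthPriv as the auth and encryption passwords are set."""
    if user.group.snmp != "SNMPv3" or not user.auth_password:
        return "noAuthNoPriv"
    return "AuthPriv" if user.priv_password else "AuthNoPriv"


def audit(equipment_enabled, user):
    """Effective protocols for a WEB LCT session of `user`, plus security findings."""
    g = user.group
    web = session_protocol("web", equipment_enabled, g)
    file_ = session_protocol("file", equipment_enabled, g)
    snmp = None  # a session accepts only the SNMP family of the user's group
    if g.snmp == "SNMPv3" and "SNMPv3" in equipment_enabled:
        snmp = "SNMPv3"
    elif g.snmp in ("SNMPv1", "SNMPv2c") and "SNMPv1/v2c" in equipment_enabled:
        snmp = "SNMPv1/v2c"
    level = snmp_security_level(user) if snmp else None
    findings = []
    if web is None:
        findings.append("no web protocol usable: the user cannot open a WEB LCT session")
    elif web == "HTTP":
        findings.append("WEB LCT session falls back to HTTP (clear text)")
    if file_ == "FTP":
        findings.append("file transfer uses FTP (no encryption)")
    if snmp == "SNMPv1/v2c":
        findings.append("SNMPv1/v2c: community strings travel unencrypted")
    elif snmp == "SNMPv3" and level == "noAuthNoPriv":
        findings.append("SNMPv3 session without authentication or encryption")
    return {"web": web, "file": file_, "snmp": snmp, "snmp_level": level,
            "cli": g.profile == "Administrator", "findings": findings}  # CLI: Admin only
```

Running audit over every group before migrating a network to HTTPS/SFTP/SNMPv3 shows which groups still force a clear-text session and which SNMPv3 users lack an authentication or encryption password.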
When the equipment is switched-on for the first time after the restore of the Factory Default setting or after the recovery of the whole equipment configuration from file (see Backup/Restore