Configuring the encryption passphrase

Last Updated : May 07, 2024

About this task

CMS automatically encrypts the data partitions on the storage disk drive during an OVA deployment. Encryption is not optional — the data partitions on the storage disk drive are always encrypted. A newly-deployed or upgraded system is assigned two default encryption passphrases.

You can choose from either of the following default encryption passphrases:
  • CMSdefault

  • CMSsvcdefault

The customer must decide whether they will require an encryption passphrase to be entered on the console after the system has shut down and rebooted. This includes shutdowns for administrative or maintenance procedures such as turning FIPS on and off, CMSADM restore, LAN restore, RPM update, software upgrades, and regular maintenance reboots as recommended by Avaya. It also includes unplanned shutdowns such as a system crash.

Caution:

If the customer requires an encryption passphrase after a shutdown, that passphrase must be entered on the system console. The passphrase cannot be entered remotely after the system has rebooted. You can work around this requirement by temporarily removing the passphrase requirement (enabling auto-unlocking) before performing the reboot, but you must remember to restore the requirement (disable auto-unlocking) after the reboot is complete. However, if the system crashes, there is no workaround and the encryption passphrase must be entered on the system console.

Important:

Whether or not the customer requires the encryption passphrase after a shutdown and reboot, the customer must change the passphrase from the default to a passphrase known only to the customer and Avaya services. The customer must record the new encryption passphrase in a safe, secure location.

Before you begin

Consult with the customer to find out whether they want to require an encryption passphrase after a shutdown and reboot. The customer can always change this decision.

Procedure

  1. Log on as root.
    Important:

    You cannot directly log on as root from a remote connection. You must log on using an administered CMS user ID, then use su - root to log on with root privileges.

  2. Enter: cmssvc. The system displays the following menu:
    Avaya(TM) Call Management System Services Menu
    Select a command from the list below.
    1) auth_display Display feature authorizations
    2) weblm_set Set up the connection to the WebLM
    3) run_ids Turn Informix Database on or off
    4) run_cms Turn Avaya CMS on or off
    5) setup Set up the initial configuration
    6) swinfo Display switch information
    7) swsetup Change switch information
    8) uninstall Remove the CMS rpm from the machine
    9) patch_rmv Backout an installed CMS patch
    10) back_all Backout all installed CMS patches from machine
    11) security Administer CMS security features
    Enter choice (1-11) or q to quit:
  3. Enter the number that corresponds to the security command. The system displays the following menu:
    Select one of the following:
    1) FIPS 140-2 mode
    2) Firewall
    3) Enhanced Access Security Gateway (EASG)
    4) Disk encryption
    Enter choice (1-4) or q to quit:
  4. Enter the number that corresponds to the Disk encryption command. The system displays the following menu:
    Disk encryption auto-unlocking is enabled.
    Select one of the following
    1) Change encryption passphrase
    2) Enable auto-unlocking
    3) Disable auto-unlocking
    Enter choice (1-3) or q to quit:
  5. To change the encryption passphrase, do the following steps:
    Important:

    Whether or not the customer requires the encryption passphrase after a shutdown and reboot, the customer must change the passphrase from the default to a passphrase known only to the customer and Avaya services. The customer must record the new encryption passphrase in a safe, secure location.

    1. Enter the number that corresponds to the Change encryption passphrase command. The system displays the following message:
      Select one of the following
      1) Primary encryption passphrase
      2) Secondary encryption passphrase
      Enter choice (1-2) or q to quit:
    2. Select the primary or secondary encryption passphrase option. The system displays the following message:
      Enter current encryption passphrase:
    3. Enter the current encryption passphrase and press Enter. The system displays the following message:
      Enter new encryption passphrase:
    4. Enter the new encryption passphrase and press Enter. The system displays the following message:
      Re-enter new encryption passphrase:
    5. Re-enter the new encryption passphrase and press Enter. The system displays messages similar to the following example:
      Changing passphrase for disk partition /dev/sda3 ...
      Changing passphrase for disk partition /dev/sda7 ...
      Changing passphrase for disk partition /dev/sda10 ...
      Changing passphrase for disk partition /dev/sda11 ...
    6. Repeat these steps for the second passphrase.
  6. To enable encryption auto-unlocking, do the following steps:
    1. Enter the number that corresponds to the Enable auto-unlocking command. The system displays the following message:
      Enter an existing encryption passphrase:
    2. Enter the current encryption passphrase and press Enter. The system displays messages similar to the following example:
      Adding auto-unlocking key file to partition /dev/sda3 ...
      Adding auto-unlocking key file to partition /dev/sda7 ...
      Adding auto-unlocking key file to partition /dev/sda10 ...
      Adding auto-unlocking key file to partition /dev/sda11 ...
      Changing reboot setting ...
      Auto-unlocking enabled successfully.
  7. To disable encryption auto-unlocking, do the following steps:
    Caution:

    If the customer requires an encryption passphrase after a shutdown, that passphrase must be entered on the system console. The passphrase cannot be entered remotely after the system has rebooted. You can work around this requirement by temporarily removing the passphrase requirement (enabling auto-unlocking) before performing the reboot, but you must remember to restore the requirement (disable auto-unlocking) after the reboot is complete. However, if the system crashes, there is no workaround and the encryption passphrase must be entered on the system console.

    1. Enter the number that corresponds to the Disable auto-unlocking command. The system displays the following message:
      Enter an existing encryption passphrase:
    2. Enter the current encryption passphrase and press Enter. The system displays messages similar to the following example:
      Changing reboot setting ...
      Removing auto-unlocking key file from partition /dev/sda3 ...
      Removing auto-unlocking key file from partition /dev/sda10 ...
      Removing auto-unlocking key file from partition /dev/sda7 ...
      Removing auto-unlocking key file from partition /dev/sda11 ...
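The following Python model is an added illustration, not Avaya CMS code and not a description of how the cmssvc tool is implemented. It assumes the common design behind "two passphrases for one encrypted partition": a single random volume key encrypts the data, and each passphrase (primary, secondary) or key file occupies its own slot that wraps that volume key. The slot names, the `EncryptedVolume` class and its methods are hypothetical. The model shows why changing one passphrase re-wraps only its own slot (the data are not re-encrypted), why both default passphrases must be changed (an unchanged second default still opens the volume), and what enabling and disabling auto-unlocking means (a key-file slot is added or removed, after proving knowledge of an existing passphrase, exactly as the menu prompts above require).

```python
"""Two-slot disk-encryption model with an optional auto-unlock key file.

Illustrative model only (stdlib only); it is not Avaya CMS code and does
not claim to reproduce the on-disk format of the CMS partitions.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KEY_LEN = 32            # length of the volume key and of each wrapping key
PBKDF2_ROUNDS = 100_000  # slows down passphrase guessing against a stolen header


def _derive(secret: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a wrapping key and a MAC key from a passphrase or key file."""
    kek = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS, dklen=2 * KEY_LEN)
    return kek[:KEY_LEN], kek[KEY_LEN:]


class EncryptedVolume:
    """One volume key protects the data; every slot wraps it under a different secret."""

    def __init__(self) -> None:
        self.volume_key = os.urandom(KEY_LEN)               # never changes on passphrase change
        self.slots: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # name -> (salt, wrapped, tag)

    def add_slot(self, name: str, secret: bytes) -> None:
        """Wrap the volume key under `secret` (one-time XOR with a derived key, plus HMAC)."""
        salt = os.urandom(16)
        wrap_key, mac_key = _derive(secret, salt)
        wrapped = bytes(a ^ b for a, b in zip(self.volume_key, wrap_key))
        tag = hmac.new(mac_key, wrapped, "sha256").digest()
        self.slots[name] = (salt, wrapped, tag)

    def _open_slot(self, name: str, secret: bytes) -> Optional[bytes]:
        """Return the volume key if `secret` opens the named slot, else None."""
        if name not in self.slots:
            return None
        salt, wrapped, tag = self.slots[name]
        wrap_key, mac_key = _derive(secret, salt)
        expected = hmac.new(mac_key, wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(wrapped, wrap_key))

    def unlock(self, secret: bytes) -> Optional[bytes]:
        """What happens at boot: try every slot with the supplied secret."""
        for name in list(self.slots):
            key = self._open_slot(name, secret)
            if key is not None:
                return key
        return None

    def change_passphrase(self, name: str, current: bytes, new: bytes) -> bool:
        """'Change encryption passphrase' for one slot: proves the current secret,
        then re-wraps only that slot. Other slots and the data are untouched."""
        if self._open_slot(name, current) is None:
            return False
        self.add_slot(name, new)
        return True

    def enable_auto_unlock(self, existing_passphrase: bytes) -> Optional[bytes]:
        """'Enable auto-unlocking': after proving an existing passphrase, add a slot
        keyed by a random key file that the boot process can read without a console."""
        if self.unlock(existing_passphrase) is None:
            return None
        keyfile = os.urandom(KEY_LEN)
        self.add_slot("auto-unlock", keyfile)
        return keyfile

    def disable_auto_unlock(self, existing_passphrase: bytes) -> bool:
        """'Disable auto-unlocking': remove the key-file slot; a passphrase is
        required again at the next boot."""
        if self.unlock(existing_passphrase) is None:
            return False
        self.slots.pop("auto-unlock", None)
        return True


def walk_through() -> Dict[str, bool]:
    """Run the page's procedure against the model and report each check."""
    vol = EncryptedVolume()
    vol.add_slot("primary", b"CMSdefault")       # the two defaults named on the page
    vol.add_slot("secondary", b"CMSsvcdefault")
    results = {}
    results["wrong_current_rejected"] = not vol.change_passphrase("primary", b"guess", b"x")
    results["primary_changed"] = vol.change_passphrase("primary", b"CMSdefault", b"new-primary")
    results["old_default_closed"] = vol.unlock(b"CMSdefault") is None
    # The unchanged second default still opens everything: change both, as the page says.
    results["second_default_still_opens"] = vol.unlock(b"CMSsvcdefault") == vol.volume_key
    results["secondary_changed"] = vol.change_passphrase("secondary", b"CMSsvcdefault", b"new-secondary")
    keyfile = vol.enable_auto_unlock(b"new-primary")
    results["keyfile_unlocks"] = keyfile is not None and vol.unlock(keyfile) == vol.volume_key
    results["auto_unlock_disabled"] = vol.disable_auto_unlock(b"new-secondary")
    results["keyfile_no_longer_unlocks"] = vol.unlock(keyfile) is None
    return results


if __name__ == "__main__":
    for check, ok in walk_through().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The model makes the trade-off in the page concrete: with auto-unlocking enabled, whatever can read the key file at boot can open the partitions with no passphrase typed on the console, so the decision belongs with the customer and the key-file slot should be removed again once a planned reboot is done.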