Securing the CLM

Overview

Nokia recommends performing the following steps to achieve station security for the CLM:

• Install the latest recommended patch cluster for RHEL. For customers using the Nokia-provided RHEL OS image, only the RHEL OS update can be used for applying OS patches. For customer-sourced and manually deployed RHEL OS instances, the patches must be obtained from Red Hat.

• CLM has no ingress or egress requirements to access the public internet and should be isolated with properly configured firewalls.

• Implement traffic management policies to control access to ports on CLM systems, as detailed in this section

• Use TLS certificates with strong hashing algorithms.

• Enforce minimum password requirements and password renewal policies on user accounts that access the CLM.

• Configure a warning message in the Launchpad Security Statement.

• OAUTH2 authentication module provides login protection mechanisms to prevent denial of service attacks, lockout users for consecutive failed logins and configure maximum sessions for GUI and OSS users. See OAUTH2 user authentication for details.

• When using custom TLS certificates for CLM deployment, ensure that the server private key file is protected when not in use by nsp configurator.

• Optional: Revoke world permissions from compiler executables. See Appendix A, Removing world permissions from compiler executables.

See the NSP Security Hardening Guide for RHEL OS compliance with CIS benchmarks. The supported CIS benchmark best practices are already implemented on RHEL OS images.