NSP user authentication

Basic elements

The NSP user-authentication mechanism, OAUTH2, provides the following single sign-on (SSO) functions:

“Configuring single sign-on” in the NSP Installation and Upgrade Guide describes the NSP SSO functions and parameters.

OAUTH2

OAUTH2 is an implementation of the Keycloak open-source identity and access-management solution that employs the standard OAuth 2.0 protocol. OAUTH2 maintains a local user database, supports remote users, and can temporarily or permanently lock out users to prevent brute-force or random-guess attacks.

Local user authentication

NSP local user authentication uses robust password encryption, and has rules that govern the password change and complexity requirements.

Password encryption

A one-way cryptographic hash is applied to all NSP user passwords stored in the local database. The hashing protects against an accidental or intentional database disclosure, because the stored value cannot be reversed to recover the password. To further mitigate password attacks, a randomized salt is added to each user password before the one-way cryptographic hash is applied.
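To illustrate the salted one-way hashing described above, the following added example (not NSP or Keycloak code; the page does not state which hash function, cost or salt length NSP uses, so PBKDF2-HMAC-SHA256, the iteration count and the 16-byte salt are assumptions) stores a per-user random salt beside the hash and verifies a login attempt without ever storing or recovering the plaintext:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: the page does not state NSP's algorithm or cost factor.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a stored credential record: random salt plus one-way hash.

    A fresh salt is generated per user, so two users with the same password
    get different stored values and precomputed hash tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


# Constructed sample: two local users who happen to choose the same password.
users = {
    "alice": hash_password("Correct-Horse-7!"),
    "bob": hash_password("Correct-Horse-7!"),
}


def same_password_distinct_hashes() -> bool:
    """Salting means identical passwords do not yield identical stored hashes."""
    return users["alice"]["hash"] != users["bob"]["hash"]


if __name__ == "__main__":
    print("alice login ok:", verify_password("Correct-Horse-7!", users["alice"]))
    print("alice wrong password:", verify_password("wrong", users["alice"]))
    print("distinct hashes for same password:", same_password_distinct_hashes())
```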

Password complexity

User password complexity rules are configurable; the following are the defaults, which state that a password must:

Password changes

One administrator account is created by default during NSP system installation. During the initial administrator login using the default password, the user is prompted to change the password. The creation of additional local users includes an option to force the user to change the password during the initial login.

Note: Nokia recommends that you enable the initial password-change option.

Remote user authentication

The NSP supports LDAP/S, RADIUS, and TACACS+ remote user access. The NSP cannot authenticate NFM-P remote users, but can import NFM-P users to the NSP local user database.

See the NSP Installation and Upgrade Guide for remote-user configuration information.

Note: If LDAP is used for remote access, it is strongly recommended that you use LDAPS to secure the LDAP communication.

Login protection

You cannot enable both temporary and permanent user lockout; if user lockout is to be enforced, only one mechanism can be active at any time.

Note: Temporary user lockout is enabled by default.

Note: Nokia recommends deploying the NSP with brute-force protection enabled and the parameters configured in accordance with your security policy.

Session controls

To enhance security, an idle session timeout and token lifespan can be applied. The timeout and lifespan apply to NSP SSO and REST sessions:

Note: Functions that require near-real-time event updates communicate continuously with the NSP, so they do not time out because of inactivity.

You are encouraged to assess the number of concurrent sessions that your deployment requires, and to set the maximum allowed number to the lowest value that meets the requirement.