CyberPower MCARD400 Remote Management Card User Guide
- June 13, 2024
- CyberPower
RMCARD400 Remote Management Card
Security Guide
The Remote Management Card allows a UPS system and environmental sensor to be
managed, monitored, and configured.
Introduction
This document is a guide to the security features of RMCARD400 firmware version
V1.0.2 and above.
The following topics are covered.
- User Account Types
- User Account Authentication
- HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol over Secure Sockets Layer (HTTPS)
- SNMPv1 and SNMPv3
- Telnet and Secure Shell v2 (SSH)
- File Transfer Protocol (FTP) and Secure Copy (SCP)
User Account Types
The RMCARD400 provides two user account types for login.
- Administrator: can access all items in the Web interface and all commands in the command line interface.
- Viewer: can access read-only features in the Web interface.
Note:
- The user will be asked to set a new username and password upon the first login.
- The Administrator account is also used for the FTP login, the command line interface (CLI), the Power Device Network Utility, and the Upgrade and Configuration Utility.
- CyberPower Switched PDU devices have an additional “outlet user” account. For more account information, please refer to the device’s help file.
User Account Authentication
The RMCARD400 provides local and remote user account authentication.
- Local: the username and password are managed and verified by RMCARD400.
- Remote: the username and password are managed and verified by a central Remote Authentication Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) Server.
Configure the authentication method on the Web page of [System->Security->Management].
Settings | Definition |
---|---|
Local Account | Use local account Administrator or Viewer settings to log in. |
RADIUS, Local Account | Use RADIUS configuration settings to log in. If RADIUS authentication fails then Local Account settings will be used to log in. |
RADIUS Only | Use RADIUS configuration settings to log in. |
LDAP, Local Account | Use LDAP configuration settings to log in. If LDAP authentication fails then Local Account settings will be used to log in. |
LDAP Only | Use LDAP configuration settings to log in. |
- The “Admin/Viewer Manager IP” defines the IP addresses allowed to log in to RMCARD400. Examples:
  - To allow any IP address to access RMCARD400, set it to 0.0.0.0 or 255.255.255.255.
  - To allow any IP address in the 192.168.0.0 subnet to access RMCARD400, set it to 192.168.20.0/16.
Local Account
Configure the Local Account parameters on the Web page of [System->Security->Local Account].
- The maximum length of both User Name and Password of Administrator is 64 characters.
- The maximum length of both User Name and Password of Viewer is 64 characters.
RADIUS
With the RADIUS function enabled, when a user logs in to the RMCARD an
authentication request is sent to the RADIUS server to determine the user's
permission level.
Supported RADIUS Servers
RMCARD400 supports FreeRADIUS v2.x and Microsoft Windows Server 2008/2012/2019
Network Policy Server (NPS). Other RADIUS servers may work but have not been fully tested.
Configure RMCARD400
Configure the RADIUS parameters on the Web page of [System->Security->RADIUS Configuration].
Settings | Definition |
---|---|
Server IP | The IP address/domain of the RADIUS server. |
Shared Secret | The shared secret of the RADIUS server. |
Server Port | The UDP port used by the RADIUS server. |
Test Setting | Test the RADIUS server using the user name and password settings. If authentication is successful the settings will be saved. |
Skip Test | Save the RADIUS server settings without testing. |
Configure the RADIUS Server
You have to configure your RADIUS server to make it work with RMCARD400. Sample:
- Add the Cyber vendor (vendor ID 3808) to the RADIUS dictionary.
- Add two vendor-specific attributes under that vendor:
  (1) Cyber-Service-Type (integer variable): accepts three integer values: 1 – Administrator, 2 – Viewer, 3 – Outlet User.
  (2) Cyber-Outlets (string variable): accepts a string describing outlet numbers. This attribute lets the outlet user access and control the designated outlets. For example, Cyber-Outlets=”1,2,5″ allows the user to control outlets 1, 2 and 5.
The example of the Dictionary File:
LDAP
With the LDAP function enabled, when a user logs in to the RMCARD an
authentication request is sent to the LDAP server to determine the user's
permission level.
Supported LDAP Servers
RMCARD400 supports OpenLDAP v2.x and Windows AD Server 2008, 2012 and 2019.
Configure RMCARD400
Configure the LDAP parameters on the Web page of [System->Security->LDAP Configuration].
Item | Definition |
---|---|
LDAP Server | |
LDAP Server | The IP address/domain of the LDAP server. |
LDAP SSL | Enable to communicate with the LDAP server by LDAPS. |
Port | The TCP port used by the LDAP(S) server. |
User Base DN | The Base DN of the LDAP server. |
Login Attribute | The login attribute of the LDAP user entry (for example: cn or uid). |
LDAP Authentication | |
Authentication Mode | Identifies the method to use for authentication. • Anonymous: Bind Request using Simple Authentication with a zero-length bind DN and a zero-length password. • Accredited User: Bind Request using Simple Authentication with a Bind DN and Bind Password. • By Logon User: Bind Request using Simple Authentication with the User Base DN and the login password. |
LDAP Authorization | |
Authorization Mode | Identifies the method to use for authorization. • By User Attribute: Determine the access level by User Attribute and User Attribute Value. • By Group: Determine the access level by group, using the search DN information in the following Group Base DN, Group Attribute and Group Attribute Value. |
LDAP Server Type | Select the LDAP server type: OpenLDAP or Windows AD. |
AD Domain | The AD Domain of the Active Directory server. |
LDAP Test | |
Test Setting | Test the LDAP(S) server using the user name and password settings. If authentication is successful the settings will be saved. |
Skip Test | Save the LDAP(S) server settings without testing. |
Configure the LDAP Server
You have to configure your LDAP server to make it work with RMCARD400. Add
one of the attributes below to the description on the LDAP Server to indicate
the user account type and authentication:
1. cyber_admin (Administrator)
2. cyber_viewer (Viewer)
3. cyber_outlet=”string” (Outlet user)
The string entered in cyber_outlet designates what outlets the Outlet User can
access and control. For example, cyber_outlet=”1,2,5″ allows the user to
control outlets 1, 2 and 5.
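As an added Python example (not code from the guide or from CyberPower), the following maps the RADIUS vendor attributes Cyber-Service-Type / Cyber-Outlets and the LDAP description markers described above to an account type and outlet list, so directory entries can be checked before users depend on them. Rejecting conflicting markers, and an Outlet User with no outlets, is this example's assumption; the guide does not describe how the card itself handles such entries.

```python
import re

# Cyber-Service-Type values from the guide; the LDAP markers name the same three account types
ROLES = {1: "Administrator", 2: "Viewer", 3: "Outlet User"}
LDAP_MARKERS = {"cyber_admin": "Administrator", "cyber_viewer": "Viewer"}
# cyber_outlet="1,2,5"; straight and typographic quotes are both accepted
OUTLET_MARKER = re.compile(r'^cyber_outlet=["“”″]?([0-9,\s]*)["“”″]?$')


def parse_outlets(spec):
    """Turn the guide's outlet string, e.g. "1,2,5", into a sorted list of distinct outlet numbers."""
    outlets = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or int(item) < 1:
            raise ValueError(f"bad outlet number: {item!r}")
        outlets.add(int(item))
    return sorted(outlets)


def _account(role, outlets):
    """Final check shared by both back ends (assumption: an Outlet User needs at least one outlet)."""
    if role != "Outlet User":
        return role, []
    if not outlets:
        raise ValueError("Outlet User without any outlet would control nothing")
    return role, outlets


def account_from_radius(service_type, cyber_outlets=""):
    """Map the vendor attributes Cyber-Service-Type / Cyber-Outlets to (account type, outlets)."""
    role = ROLES.get(int(service_type))
    if role is None:
        raise ValueError(f"unknown Cyber-Service-Type {service_type!r}")
    return _account(role, parse_outlets(cyber_outlets))


def account_from_ldap_description(values):
    """Map the description attribute values of an LDAP entry to (account type, outlets).

    Returns None when no marker is present. The guide says to add *one* marker, so more
    than one is treated as a configuration error rather than silently picking a level.
    """
    found = {}
    for value in values:
        value = value.strip()
        if value in LDAP_MARKERS:
            found[LDAP_MARKERS[value]] = []
        else:
            match = OUTLET_MARKER.match(value)
            if match:
                found["Outlet User"] = parse_outlets(match.group(1))
    if not found:
        return None
    if len(found) > 1:
        raise ValueError(f"conflicting account-type markers: {sorted(found)}")
    (role, outlets), = found.items()
    return _account(role, outlets)
```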
Security Features
The RMCARD400 provides basic security and high security for the access protocols. The basic security protocol transmits the authentication and data in plain text without encryption, and the high security protocol transmits the authentication and data with encryption. It is recommended to enable the high security protocol for access and to disable the basic security protocol.
Summary of the protocols
Web Server
- HTTP (Basic Security Access)
  - User Name and Password (transmitted in plain text without encryption)
  - Configurable server port
  - Service can be enabled or disabled
  - Accessible IP filter
- HTTPS (High Security Access)
  - Supports TLS
  - User Name and Password (transmitted with TLS encryption)
  - Configurable server port
  - Service can be enabled or disabled
  - Accessible IP filter
SNMP Service
- SNMPv1 (Basic Security Access)
  - Community name (transmitted in plain text without encryption)
  - Service can be enabled or disabled
  - 4 access communities
  - Accessible IP filter
  - Capability of read/write/forbidden for a specific community
- SNMPv3 (High Security Access)
  - 4 user profiles
  - Authentication by an authentication passphrase with SHA or MD5 hash algorithm
  - Encryption by a privacy passphrase with AES or DES encryption algorithm
  - Accessible IP filter
Command line interface
- Telnet (Basic Security Access)
  - User Name and Password (transmitted in plain text without encryption)
  - Configurable server port
  - Service can be enabled or disabled
  - Accessible IP filter
- SSH (High Security Access)
  - User Name and Password (transmitted with SSH encryption)
  - Configurable server port
  - Service can be enabled or disabled
  - Accessible IP filter
File Transfer protocol
- FTP (Basic Security Access)
  - User Name and Password (transmitted in plain text without encryption)
  - Configurable server port
  - Service can be enabled or disabled
- SCP (High Security Access)
  - User Name and Password (transmitted with SSH encryption)
  - Configurable server port
  - SCP is enabled when SSH is enabled
  - Accessible IP filter
Web Server
HTTP and HTTPS
HyperText Transfer Protocol (HTTP) provides basic security access with user
name and password, configurable port and accessible IP, but the user name,
password and transmitted data are not encrypted. HyperText Transfer Protocol
over Secure Sockets Layer (HTTPS) transmits the user name, password, and data
with encryption and provides authentication of RMCARD400 via digital
certificates.
Configure the HTTP/HTTPS parameters on the Web page of [System->Network Service->Web Service].
Item | Definition |
---|---|
Access | |
Allow Access | Enable access to the HTTP or HTTPS service. HTTPS supports the following encryption algorithms: • AES (256/128 bits) • Camellia (256/128 bits) • DES (168 bits) |
Http Settings | |
Http Port | The TCP/IP port of the Hypertext Transfer Protocol (HTTP) (80 by default). |
Https Settings | |
Https Port | The TCP/IP port of the Hypertext Transfer Protocol Secure (HTTPS) (443 by default). |
Certificate Status | • Valid Certificate (or Invalid Certificate): Click to view detailed certificate information. • Upload Certificate: Click to upload a certificate and replace the current one. |
Note:
- The format of the uploaded digital certificate must be standard PEM (Privacy Enhanced Mail).
- RMCARD400 supports Transport Layer Security (TLS) V1.2 and V1.3.
The following is an example of creating the certificate with OpenSSL and uploading it.
- Create a folder “CA” and copy openssl.cnf into it.
- Type “openssl genrsa -des3 -out rootca.key 2048” and input the password of the key.
- Type “openssl req -new -key rootca.key -out rootca.req” and input the information of the Root CA certificate.
- Type “openssl x509 -req -days 7305 -sha1 -extfile openssl.cnf -extensions v3_ca -signkey rootca.key -in rootca.req -out rootca.crt” to create the Root CA certificate.
- Type “openssl genrsa -out server.key 2048” to create the server key.
- Type “openssl req -new -key server.key -out server.req” and input the information of the certificate.
- Type “openssl x509 -req -days 3650 -sha1 -extfile openssl.cnf -extensions v3_req -CA rootca.crt -CAkey rootca.key -CAserial rootca.srl -CAcreateserial -in server.req -out server.crt” to create the server certificate.
- Then you can see the following three files
- Create a file named RMC.crt and paste the content of the three files into it.
- Upload the file “RMC.crt” on the web page of [System->Network Service->Web Service].
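As an added pre-upload check (not part of the guide or of CyberPower's tooling), the following Python script inspects an RMC.crt-style bundle before it is uploaded: that every block is standard PEM with valid base64, that the bundle carries exactly one unencrypted private key plus the server and root CA certificates, and that the RSA modulus is 2048 bits (the size the openssl commands above generate) or 4096 bits. Reading the modulus from the PKCS#1 and PKCS#8 key layouts, the rsaEncryption OID constant, and the synthetic key used for testing are assumptions of this example, not anything the card itself enforces.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER-encoded OID rsaEncryption (1.2.840.113549.1.1.1)

def pem_blocks(text):  # -> [(label, der)], with der None for a passphrase-protected key
    blocks = []
    for label, body in PEM_RE.findall(text):
        if "Proc-Type:" in body or label.startswith("ENCRYPTED"):
            blocks.append((label, None))  # e.g. rootca.key, which the guide creates with -des3
        else:
            blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(label, der):
    """Modulus size of an unencrypted RSA key in PKCS#1 ('RSA PRIVATE KEY') or PKCS#8 ('PRIVATE KEY') form."""
    tag, seq, _ = der_read(der)
    if label == "PRIVATE KEY":  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING wrapping PKCS#1
        _, _, p = der_read(seq)
        _, alg, p = der_read(seq, p)
        if not alg.startswith(RSA_OID):
            raise ValueError("PKCS#8 key is not an RSA key")
        _, inner, _ = der_read(seq, p)
        tag, seq, _ = der_read(inner)
    elif label != "RSA PRIVATE KEY":
        raise ValueError(f"unsupported key type {label!r}")
    _, _, p = der_read(seq)  # RSAPrivateKey.version
    _, modulus, _ = der_read(seq, p)  # RSAPrivateKey.modulus
    return int.from_bytes(modulus, "big").bit_length()

def bundle_problems(text, allowed_bits=(2048, 4096)):
    """List what is wrong with an RMC.crt-style bundle (server key + server cert + root CA cert)."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if sum(1 for b in blocks if b[0] == "CERTIFICATE") < 2:
        problems.append("expected the server certificate and the root CA certificate")
    for label, der in keys:
        if der is None:
            problems.append("private key is passphrase-protected: bundle server.key, not rootca.key")
        elif rsa_modulus_bits(label, der) not in allowed_bits:
            problems.append(f"RSA key is {rsa_modulus_bits(label, der)} bits, expected one of {allowed_bits}")
    return problems

def _der(tag, content):  # minimal DER TLV encoder, used only to build the synthetic test key
    n, size = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def synthetic_rsa_pem(bits, pkcs8=False):  # structurally valid PEM with a dummy modulus: a fixture, not a usable key
    def integer(v):  # INTEGER with a leading 0x00 when the top bit is set
        return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    der = _der(0x30, integer(0) + integer((1 << (bits - 1)) | 1) + integer(65537) + integer(0) * 6)
    label = "PRIVATE KEY" if pkcs8 else "RSA PRIVATE KEY"
    if pkcs8:  # wrap the PKCS#1 body in PKCS#8, the layout modern `openssl genrsa` writes
        der = _der(0x30, integer(0) + _der(0x30, RSA_OID + b"\x05\x00") + _der(0x04, der))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Run `bundle_problems(open("RMC.crt").read())` on the real bundle; an empty list means the three parts are present in the expected form.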
SNMPv1 and SNMPv3
SNMPv1 provides basic security access with community, access type and
accessible IP, but the community and transmitted data are not encrypted.
SNMPv3 transmits data with encryption and provides authentication with a
passphrase.
Configure the SNMPv1 parameters on the Web page of [System->Network Service->SNMPv1 Service].
Item | Definition |
---|---|
SNMPv1 Service | |
Allow Access | Set the SNMPv1 service to either Enable or Disable. |
SNMPv1 Access Control | |
Community | The name used to access this community from a Network Management System (NMS). The field must be 1 to 15 characters in length. |
IP Address | NMS access can be restricted by entering a specific IP address or an IP network subnet mask. The following subnet mask rules apply: • 192.168.20.255: Access only by an NMS on the 192.168.20 segment. • 192.255.255.255: Access only by an NMS on the 192 segment. • 0.0.0.0 (the default setting) or 255.255.255.255: Access by any NMS on any segment. |
Access Type | The allowable action for the NMS through the community and IP address. • Read Only: GET command allowed any time; SET command restricted. • Write/Read: GET command allowed any time; SET command allowed any time unless a user session is active. • Forbidden: GET and SET commands are restricted. |
Configure the SNMPv3 parameters on the Web page of [System->Network Service->SNMPv3 Service].
Item | Definition |
---|---|
SNMPv3 Service | |
Allow Access | Set the SNMPv3 service to either Enable or Disable. |
SNMPv3 Access Control | |
User Name | The name to identify the SNMPv3 user. The field must be 1 to 31 characters in length. |
Authentication Protocol | The hash type for authentication. MD5/SHA can be selected. |
Authentication Password | The password used to generate the key used for authentication. The field must be 16 to 31 characters in length. |
Privacy Protocol | The type of data encryption/decryption. DES/AES can be selected. |
Privacy Password | The password used to generate the key used for encryption. The field must be 16 to 31 characters in length. |
IP Address | NMS access can be restricted by entering a specific IP address or an IP network subnet mask. The following subnet mask rules apply: • 192.168.20.255: Access only by an NMS on the 192.168.20 segment. • 192.255.255.255: Access only by an NMS on the 192 segment. • 0.0.0.0 (the default setting) or 255.255.255.255: Access by any NMS on any segment. |
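To see how the SNMP IP Address rules above and the earlier “Admin/Viewer Manager IP” setting behave, here is an added Python example (not code from the guide or from CyberPower). It evaluates a client address against a rule in each form the guide shows and counts how many addresses a rule admits, so overly broad filters can be flagged during a review. Treating the CIDR form, the 255-wildcard segment form and the any-address values in one function is this example's assumption; the sample rules in the test are constructed.

```python
import ipaddress

ANY_RULES = {"0.0.0.0", "255.255.255.255"}  # the guide's "any address" values


def _segment_rule(rule):
    """Parse an a.b.c.d rule into four octets, raising ValueError if it is malformed."""
    octets = [int(o) for o in rule.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed rule: {rule!r}")
    return octets


def ip_rule_allows(client_ip, rule):
    """True if client_ip is admitted by one RMCARD400-style IP filter rule.

    Rule forms taken from the guide:
      0.0.0.0 / 255.255.255.255  any address
      192.168.20.0/16            CIDR prefix (Manager IP example)
      192.168.20.255             SNMP segment rule: a 255 octet matches any value
      192.168.20.7               exactly one address
    """
    client = ipaddress.IPv4Address(client_ip)  # rejects malformed client addresses
    rule = rule.strip()
    if rule in ANY_RULES:
        return True
    if "/" in rule:
        # strict=False lets 192.168.20.0/16 stand for 192.168.0.0/16, as in the guide
        return client in ipaddress.IPv4Network(rule, strict=False)
    return all(r == 255 or r == c for r, c in zip(_segment_rule(rule), client.packed))


def addresses_admitted(rule):
    """How many IPv4 addresses a rule admits: 1 for a single host, 2**32 for any."""
    rule = rule.strip()
    if rule in ANY_RULES:
        return 2 ** 32
    if "/" in rule:
        return ipaddress.IPv4Network(rule, strict=False).num_addresses
    return 256 ** sum(1 for o in _segment_rule(rule) if o == 255)


def audit_rules(rules, max_addresses=256):
    """Return (rule, count) for rules broader than max_addresses (default: one /24 segment)."""
    return [(r, addresses_admitted(r)) for r in rules if addresses_admitted(r) > max_addresses]
```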
Telnet and Secure Shell (SSH)
Telnet provides basic security access with user name, password, configurable
port and accessible IP, but the user name, password and transmitted data are
not encrypted. Secure Shell (SSH) transmits the user name, password, and data
with encryption.
Configure the Telnet and SSH parameters on the Web page of [System->Network Service->Console Service].
Item | Definition |
---|---|
Access | |
Allow Access | Enable access to Telnet or SSH version 2, which encrypts the transmission of user names, passwords and data. |
Telnet Settings | |
Telnet Port | The TCP/IP port (23 by default) that Telnet uses to communicate. |
SSH Settings | |
SSH Port | The TCP/IP port (22 by default) that SSH uses to communicate. |
Host key Status | Displays whether the host key fingerprint is valid or invalid. • Upload Host key: Click to upload a host key and replace the current one. • Export Host key: Click to export the current host key. |
Host key Fingerprint | The fingerprint of the host key uploaded by the user will be displayed in this field. |
Note:
- If you enable SSH access, the SCP service will be enabled automatically.
- RMCARD400 supports the following SSH algorithms:
  – SSH Version: SSHv2
  – Key exchange:
    • ecdh-sha2-nistp521
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp256
    • diffie-hellman-group14-sha256
  – Ciphers:
    • aes256-ctr
    • aes256-cbc
    • aes128-ctr
    • aes128-cbc
    • 3des-cbc
  – Signatures:
    • ssh-rsa (RSA key length 2048-bit or 4096-bit)
  – MAC:
    • hmac-sha2-256
- The accessible IP setting follows the setting in [System->Security->Local Account].
FTP and SCP
FTP provides basic security access with user name, password and configurable
port, but the user name, password and transmitted data are not encrypted.
Secure Copy (SCP) transmits the user name, password, and data with encryption.
Configure the FTP parameters on the Web page of [System->Network Service->FTP Service].
Item | Definition |
---|---|
Allow Access | Enable access to the FTP server. |
Service Port | The TCP/IP port of the FTP server (21 by default). Users can change the port setting to any unused port from 5000 to 65535 to enhance security. |
Note:
- SCP is enabled when you enable SSH.
- If SCP is used, it is recommended to disable access to the FTP server for security.
- The accessible IP setting follows the setting in [System->Security->Local Account].
Appendix 1 Reset to Factory Default Setting / Recover from a Lost Password
To reset the Cyber Power Remote Management Card to its factory default setting
(including web log-in user name and password), please follow these steps:
- Remove the card from the UPS without turning the UPS off.
- Remove the jumper from the reset pins as illustrated. Do not dispose of the jumper.
- Insert the card into the expansion port on the UPS.
- Wait until the green Tx/Rx LED is flashing (the frequency of the ON/OFF flashing is once per second).
- Remove the card again.
- Place the jumper back onto the Reset pins.
- Install card into the expansion port again and tighten the retaining screws.
Appendix 2 Example of upgrading firmware with the Secure Copy (SCP) command
For Windows Users:
- Download any PuTTY Secure Copy client (PSCP) utility.
- Save the firmware files and the PSCP utility in the same folder.
- Open the Command Line Interface and change the path to where the firmware files and the PSCP utility are saved.
- Enter the following command to perform the firmware update: pscp -scp <filename> <username>@<IP address of RMCARD>:
  Note:
  (1) The SSH setting on the RMCARD must be Enabled.
  (2) <filename> is the filename of the firmware file. There is one firmware file to upload: cpsrm4safw_XXX.
  (3) <username> is the username of the SSH account on the RMCARD.
  (4) Ensure to add “:” after the IP address.
  For example: pscp -scp cpsrm4safw_xxx cyber@192.168.1.100:
  Note: cpsrm4safw_xxx is the firmware file of the version being updated.
- After executing the command, a message may appear asking if you trust the host. To continue, type “y” for yes within 10 seconds.
- On the next screen enter the RMCARD password. The firmware file transfer may take a couple of minutes to complete. Please wait until the progress indicator displays 100%. The system will automatically log out and reboot after the transfer is complete.
- If the firmware file transfer is unsuccessful you will see an error message. Retype the command and execute it again.
For Linux, MacOS and Unix Users:
- Install the related distribution of an SSH or SCP client, for example the OpenSSH client.
- Open the Terminal and change the path to where the firmware files are saved.
- Enter the following command to perform the firmware update: scp <filename> <username>@<IP address of RMCARD>:
  Note:
  (1) The SSH setting on the RMCARD must be Enabled.
  (2) <filename> is the filename of the firmware file. There is one firmware file to upload: cpsrm4safw_XXX.
  (3) <username> is the username of the SSH account on the RMCARD.
  (4) Ensure to add “:” after the IP address.
  For example: scp cpsrm4safw_xxx cyber@192.168.1.100:
  Note: cpsrm4safw_xxx is the firmware file of the version being updated.
- After executing the command, a message may appear asking if you trust the host. To continue, type “y” for yes within 10 seconds.
- On the next screen enter the RMCARD password. The firmware file transfer may take a couple of minutes to complete. Please wait until the progress indicator displays 100%. The system will automatically log out and reboot after the transfer is complete.
- If the firmware file transfer is unsuccessful you will see an error message. Retype the command and execute it again.
Appendix 3 Example of saving and restoring configuration settings with the Secure Copy (SCP) command
For Windows Users:
- Download any PuTTY Secure Copy client (PSCP) utility.
- Save the configuration file and the PSCP utility in the same folder.
- Open the Command Line Interface and change the path to where the configuration file and the PSCP utility are saved.
- Enter the following command to restore the configuration: pscp -scp <filename> <username>@<IP address of RMCARD>:
  Note:
  (1) The SSH setting on the RMCARD must be Enabled.
  (2) <filename> is the filename of the configuration file, with a default format of CONFIG_YYYY_MM_DD_HHMM.tar.gz.
  (3) <username> is the username of the SSH account on the RMCARD.
  (4) Ensure to add “:” after the IP address.
  For example: pscp -scp CONFIG_YYYY_MM_DD_HHMM.tar.gz cyber@192.168.1.100:
  Note: CONFIG_YYYY_MM_DD_HHMM.tar.gz is the configuration file to be restored.
- After executing the command, a message may appear asking if you trust the host. To continue, type “y” for yes within 10 seconds.
- On the next screen enter the RMCARD password. Please wait until the progress indicator displays 100%. The system will automatically log out and reboot after the transfer is complete.
For Linux, MacOS and Unix Users:
- Install the related distribution of an SSH or SCP client, for example the OpenSSH client.
- Open the Terminal and change the path to where the configuration files are saved.
- Enter the following command to restore the configuration: scp <filename> <username>@<IP address of RMCARD>:
  Note:
  (1) The SSH setting on the RMCARD must be Enabled.
  (2) <filename> is the filename of the configuration file, with a default format of CONFIG_YYYY_MM_DD_HHMM.tar.gz.
  (3) <username> is the username of the SSH account on the RMCARD.
  (4) Ensure to add “:” after the IP address.
  For example: scp CONFIG_YYYY_MM_DD_HHMM.tar.gz cyber@192.168.1.100:
  Note: CONFIG_YYYY_MM_DD_HHMM.tar.gz is the configuration file to be restored.
- After executing the command, a message may appear asking if you trust the host. To continue, type “y” for yes within 10 seconds.
- On the next screen enter the RMCARD password. Please wait until the progress indicator displays 100%. The system will automatically log out and reboot after the transfer is complete.
Appendix 4 Example of uploading an SSH host key with the Secure Copy (SCP) command
An SSH host key can be uploaded to the RMCARD with Secure Copy commands.
Please make sure the uploaded filename starts with the string “ssh_hostkey”.
Some examples of acceptable file names are as follows:
ssh_hostkey_sample1.pem
ssh_hostkey_1024.pem
ssh_hostkey_type100.***
Example of Upload Process
- Download the PuTTY Secure Copy client (PSCP) utility.
- Have the SSH host key file and the PSCP utility in the same folder.
- Open the Command Prompt and change the path to where the SSH host key file and the PSCP utility are saved.
- Enter the following command: pscp -scp <filename> <username>@<IP address of RMCARD>:
  Example: pscp -scp ssh_hostkey_xxx.xxx cyber@192.168.203.66:
- After executing the command, a message may appear asking if you trust the host. Please type “y” for yes within 10 seconds.
- On the next screen enter the admin password. The file transfer may take a couple of minutes to complete. Please wait until the progress indicator displays 100%. The system will automatically log out and reboot after the transfer is complete.
Host-Key Requirement
SSH host keys must be created with 2048-bit or 4096-bit RSA keys.
Cyber Power Systems, Inc.
www.cyberpowersystems.com
For USA and Canada:
4241 12th Ave East, Suite 400
Shakopee, MN 55379
Toll-free: 877-297-6937
For all other regions:
Please visit our website for local contact information. K01-E000095-00