The Sga-Authorizer and user activity logger module
("SgaAutho")

• Features
• Basic operation
• User interface
• User's list and password file
• Passwords
• Using of two SGA monitoring systems
• Authentication using Active Directory
• CDR Servers
• Configuration
• Login Answer Texts
• Built-in limitations
• Version history

• This module provides user authentication and activity logging

• Authenticates user who wants to use any SGA client module(s)
• Authentication can be done based on locally stored passwords and through an Active Directory
• Records date and time when the user logged in and the used username and the reason of usage
• Logs the client activities with the username, the client ID and the reason
• Logs also contain the result of the search
• Flexibly configurable user rights and roles
• Provides list of links (from SL.DAT file) for client modules

User interface

The main menu

Menu	Menu item	Shortcut(s)	Meaning
[Log]
	Find line containing...	(Ctrl-F)	Find text in log window
	Find next matching line	(F3)	Find next occurrence of text in log window
	Details		Detail level of logging (Off, Normal, Detailed or Debug)
	Recover from log file error		When the program could not write the log file it suspends its normal working. If the problem has been solved normal working can be achieved by this menu item.
[Connections]
	Allow clients to connect	(Ctrl-A, or )	Allows the users to connect to the Authorizer
	Disconnect *all* active ones now!		Interrupts the connections with all active users
	Allow remote password changing	(Ctrl-P, or )	Allows the user to change his password through the Change Password client
[Users]
	Re-enter Oracle passwords		Oracle passwords can be re-entered without restarting the module
[SL.DAT]
	Reload	(Ctrl-S)	Reload the SL.DAT file (when it is changed)
	Activate creating utility		When activated, it calls the SgaAutho.ini/[SL_DAT]/sCreateUtility program to create new SL.DAT file
	Re-enter creating utility's password		Values from SgaAutho.ini/[SL_DAT]/sCreateUtility, sCreatePassword, and dwMaxSendingChunkSize will get reloaded (and logged). If sCreatePassword is empty a pop-up window will appear to enter the password.
[Options]
	Auto scroll	()	Allows automatic scrolling of the log screen
	Show log	(Ctrl-Tab)	Shows the log window
	Show connections	(Ctrl-Tab)	Shows the connections window, where the active connections are listed
	Save settings		Saves current settings into the configuration (SgaAutho.ini) file

The bottom status-line

• Uptime: Time elapsed since module has been started up;
  • hovering over: Start date and time
  • left-click: Kernel and user time
• Number of users in the user list
• Number of connected users

Details of "Connections" view

• ID: Identifier of the connection (as a connection reference in the log)
• IP address : TCPport: IP address where the user logged in from
• On since: Timestamp of the connection establishment
• User name: Username
• Module: The module's application code that the user currently uses
• Last action: Timestamp of the last activity
• Actions: Number of logged actions that the user did since connected

The popup menu of the "Connections" view

User's list and password file (SgaAutho.pwd and SgaAutho.pwl)

What do they contain?

• SgaAutho.pwd file stores the rights of the users for the different applications.
• SgaAutho.pwl file stores the usernames and the MD5 encrypted passwords (current and previous ones, as well) used for the authentication and the date and time of the last log in.
• Overall administration of stored information in SgaAutho.pwd and SgaAutho.pwl files can be done through the SgaAutho Remote Admin module; manual modification is not allowed
• User can change his password by using the Change Password utility.
• If a user can use all client modules there can be only one line for him filled its ApplicationID field with ****.
• When a user can not use all client modules then as many rows should be created for this user as many clients he can use and each row should contain different ApplicationID. (Further information about clients and ApplicationID's can be found below.)

Details of a sample line of the SgaAutho.pwd file:

	+ username             7003 0123.....9 ; 

• +: Status of the user
  • +  Active
  • -  Inactive (for example to disable temporary users)
• username: Name of the user (maximum 20 character long, if the username is shorter than 20 character filled with spaces to 20 characters)
• 7003: The selected right defined by the ApplicationID of the client, it tells, what the user can do. The available ApplicationID values are:
  • 100: Sga-Authorizer [Remote]      (SgaAutho_RemoteClient)
  • 701: Sga-7N Database Loader [Remote]      (SgaDBLoader_RemoteClient)
  • 1999: Sga-Autho Remote Admin      (SgaAutho_RemoteAdmin)
  • 6001: SgcIMSIIMEI
  • 6699: Sga-CDR Viewer / Command Line_A (Single command line request)
  • 6700: Sga-CDR Viewer / Command Line_B (Multiple command line requests)
  • 6701: Sga-CDR Viewer / Power user not logging
  • 7011: Sga-7N Statistics Query (v1.13)
  • 7111: Sga-7N Statistics Query (v2.00 or newer)
  • 7012: Sga-7N Events Query (v1.10 or newer)
  • 7013: Sga-7N Remote Capture (v1.18 or newer)
  • 7023: Sga-7N Remote Capture (v2.00 or newer - for dual authentication)
  • 7033: Sga-7N Remote Capture (v2.11 or newer)
  • 7333: Sga-7N Kovi-Kali
  • 7014: Sga-7N CDR Query (v1.25 or newer)
  • 7114: Sga-7N CDR Query (v2.00 or newer)
  • 7015: Sga-7N Call Trace (v1.21 or newer)
  • 7025: Sga-7N Call Trace (v2.00 or newer - for dual authentication)
  • 8003: Sga-GPRS Remote Capture
  • 8005: Sga-GPRS Call Trace
  • 8934: Sga-CDR Viewer / BSSAP&RANAP CDR
  • 8935: Sga-XDR Viewer
  • 8942: Sga-CDR Viewer / SGsAP CDR
  • 8943: Sga-CDR Viewer / S1AP CDR
  • 8944: Sga-CDR Viewer / GTP CDR
  • 8945: Sga-CDR Viewer / SIP CDR
  • 8946: Sga-CDR Viewer / Diameter S6/S13 CDR
  • 8947: Sga-CDR Viewer / Diameter Accounting CDR
  • 8948: Sga-CDR Viewer / Diameter Cx CDR
  • 8949: Sga-CDR Viewer / Diameter Gx CDR
  • 8950: Sga-CDR Viewer / Diameter Rx CDR
  • 8951: Sga-CDR Viewer / Diameter VoWifi CDR
  • 8952: Sga-CDR Viewer / RTP CDR
  • 8953: Sga-CDR Viewer / MAP CDR
  • 8954: Sga-CDR Viewer / PFCP CDR
  • 8955: Sga-CDR Viewer / EDR CDR
  • 8956: Sga-CDR Viewer / SIPCall CDR
  • 8957: Sga-CDR Viewer / NGAP CDR
  • 8958: Sga-CDR Viewer / SBI CDR
  • 9500: Sga CLI Tester [Remote]
  • 9990: GyCWP-Remote
  • 99997: Sga 'Change Password' utility (v1.01 or newer)
  • 99998: Sga 'Change Password' utility (v1.00)
  • 99999: Sga 'Change Password' utility (obsolete)
  • ****: Allows all applications that have an ApplicationID above 1999, but denies all others
• 0123.....9: Role ID's defines which roles are available for the user. Every 10 places should be filled with a number (from 0 to 9) or a '.' (dot sign).
  The user must choose one of listed roles (if more than one are set) from a drop-down list when he/she is logging into a client module. The order of roles in the drop-down list is corresponding to the order of listed role ID's here. The role at the first place (in this case the '0') is the "default" one which is used by those modules which do not use multiple roles.
• ;: Line-end character

Details of the SgaAutho.pwl file:

• [username]: Each user has such section
• sPasswordMD5: This line contains the MD5 encrypted password of this user. The system stores old passwords, as well, to prevent users from frequent reuse.
• dwLastActionDate: Stores the date of the last action of the corresponding user.
• dwPasswordDate: Setting date and time of the current password.
• byBadLoginCount: Number of bad log in attempts.
• bADrequired: If True then user has to use Active Directory authentication parameters.
• bSuperUser: If True then user has access to raw data (captured from wire), as well, assembled messages.
• sLog2MailAddresses: List of mailing group names who will be informed about the activities of this user (refers to SgaAutho_Log2Mail.ini/[AddressGroup "Name"] sections).

Complexity

• A password must not be the same as the username.
• A password's length must be at least 6 characters.
• A password must hold at least one digit ([0..9]) between the first and the last characters.
• A password must hold at least one small alphabetic character ([a..z]) and one capital ([A..Z]) as well.
• A password must be different from the last five ones.

Validity

User can change his password for INI/[Passwords]/dwUserValiditySec. This value should be greater than INI/[Passwords]/dwActualPasswordValiditySec, so user can change the password for a while after its expiration.

User can not change the password too frequently. While the oldest password (five ones are stored) does not reach the age of INI/[Passwords]/dwPasswordListValiditySec, then user can not change the latest password.

Examples:

Settings	Comment	Meaning
dwActualPasswordValiditySec = 2592000	i.e., 30 days	A password can be used for 30 days.
dwUserValiditySec = 5184000	i.e., 60 days	User can change the password for further 30 days after its epxiration (and during its validity, as well).
dwPasswordListValiditySec = 604800	i.e., 7 days	User can change the password no more than five times within 7 days.

Password change

• if INI/[Active Directory Authentication]/bAllowOnlyCompatibleSW=FALSE
  • users with PWL/bADrequired=FALSE are authenticated through the original way by non-AD-capable and AD-capable clients, as well.
  • users with PWL/bADrequired=TRUE are authenticated through the original way by non-AD-capable and using ActiveDirectory by AD-capable clients.
• if INI/[Active Directory Authentication]/bAllowOnlyCompatibleSW=TRUE
  • users with PWL/bADrequired=FALSE can not use non-AD-capable clients and are authenticated through the original way by AD-capable clients.
  • users with PWL/bADrequired=TRUE can not use non-AD-capable clients and are authenticated using ActiveDirectory by AD-capable clients.

The following table shows examples for all server definitions. The bold part of the server name is the mandatory prefix and the other part can freely be used.
Port definition is an option for all types of CDRs, leaving it out means the default port is used.

Section	Server definition	Meaning
[SL_DAT+8934]
	CS_MSB1 = 10.111.112.33	CDR server for circuit switched BSSAP/RANAP traffic, listening on the default port
	PS_MSB1 [7099] = 10.111.112.34	CDR server for packet switched RANAP traffic, listening on the port 7099 (TCP)
[SL_DAT+8942]
	SGsAP_MSS1 = 10.111.112.35	CDR Server for SGsAP traffic
	SGsAP_MSS2 [7199] = 10.111.112.35	CDR Server for SGsAP traffic, listening on the port 7199 (TCP)
[SL_DAT+8943]
	S1AP_MME1 = 10.111.112.36	CDR server for S1AP traffic
[SL_DAT+8944]
	GTP_MME1 = 10.111.112.37	CDR server for GTP traffic
[SL_DAT+8945]
	SIP_IMS1 = 10.111.112.38	CDR server for SIP traffic
[SL_DAT+8946]
	DiamS6S13_MME1 = 10.111.112.39	CDR server for Diameter S6/S13 traffic
[SL_DAT+8947]
	DiamACC_IMS1 = 10.111.112.40	CDR server for Diameter Accounting traffic
[SL_DAT+8948]
	DiamCx_IMS1 = 10.111.112.41	CDR server for Diameter Cx/Sh traffic
[SL_DAT+8949]
	DiamGx_GW1 = 10.111.112.42	CDR server for Diameter Gx/Gy traffic
[SL_DAT+8950]
	DiamRx_CSCF1 = 10.111.112.43	CDR server for Diameter Rx traffic
[SL_DAT+8951]
	DiamVoWifi_SDC1 = 10.111.112.44	CDR server for Diameter SWm/SWx/S6b traffic
[SL_DAT+8952]
	RTP_MME1 = 10.111.112.45	CDR server for RTP statistics
[SL_DAT+8953]
	MAP_MSB1 = 10.111.112.46	CDR server for MAP D/E interface traffic
[SL_DAT+8954]
	PFCP_MME1 = 10.111.112.47	CDR server for Packet Forward Control Protocol traffic
[SL_DAT+8955]
	EDR_MME1 = 10.111.112.47	CDR server for EDR records
[SL_DAT+8956]
	SIPCall_IMS1 = 10.111.112.48	CDR server for SIPCall records
[SL_DAT+8957]
	NGAP_AMF1 = 10.111.112.49	CDR server for NGAP records
[SL_DAT+8958]
	SBI_1 = 10.111.112.50	CDR server for SBI records

Configuration (SgaAutho.ini) file settings

Login Answer Texts

-0	=	OK.
-1	=	No such username.
-2	=	Such task for this user is not allowed.
-3	=	Bad password.
-4	=	Password is not yet set.
-5	=	Your current password is too old. Please change it.
-6	=	New password cannot be the same as the current.
-7	=	New password cannot be any of the last 5.
-8	=	Passwords cannot be changed this often.
-9	=	Tried too many bad passwords. Login disabled.
-10	=	Use a more recent version of SgaChgPwd utility!
-11	=	Your password was *very* old. You are expelled.
-12	=	ActiveDirectory authentication required.
-13	=	ActiveDirectory authentication failed.

• 100 concurrent users (client connections)
• 1000 entries in "SgaAutho.pwd" file
• 1000000 SL.DAT length

Version history

v1.49
• (n) Can handle a total of 9000 signaling links (instead of the former limit of ~6000).

v1.43
• (n) Supports the query of the various QueryServer passwords, see INI / [Query Servers] for details.

v1.42
• (c) Maximum entry count in "SgaAutho.pwd" is increased from 1500 to 2500.

v1.41
• (n) Optionally use SSL with LDAP (i.e., LDAPS) in Active Directory access for authentication.
• (n) INI/[Active Directory Authentication]/bUseSSL (loaded on-the-fly; defaults to "False")

v1.40
• (c) Maximum number of entries in the special appcode sections (INI/[SL_DAT+nnnn]) is increased from 25 to 35.

v1.39
• (f) Sets the bADrequired field (as well as the bSuperUser field) explicitly when adding a new user via the remote interface.
• (n) INI/[Remote Control 2]/bNewUserDefaultValueForADrequired = True (default: False)
• (n) UpTime status window has some nice new features.

v1.38
• (f) Active Directory authentication used to fail for 31-character passwords.

v1.37
• (c) Limit for the number of lines in the PWD file was increased from 1000 to 1500.

v1.36
• (n) An entry in the "[Remote Control 2]" section with "*.*.*.*" on the left side and any value on the right side relaxes its station restriction.

v1.35
• (c) Limit for the number of "[SL_DAT+nnnn]" sections increased from 10 to 20.

v1.34
• (c) Much faster operation when logging tons of lines for the same user.
• (n) Hotkey: F12
• (c) More efficient scrolling of log window.

v1.33
• (n) SuperUser possibility to grant the right to access raw data ("Storage#1").
• (n) New PWL field: "bSuperUser". Default value is "False".

v1.32
• (c) Optionally handles more LDAP databases.
• (c) INI entry [Active Directory Authentication]/sDatabase is no longer used.
• (n) New INI entries ("N" in sDatabaseN can run from 0 to 9, and they are loaded on-the-fly):
  • [Active Directory Authentication]/sDatabaseN

v1.31
• (c) Now virtual links are also sent to GyCWP_Remote module.

v1.30
• (c) Increased log line size from 199 to 240 characters.

v1.29
• (n) Auto Lock Timing feature is added.
• (n) New INI section and entries (loaded on-the-fly, given in minutes):
  • [Autolock Timing]/byInactiveUserDimTime
  • [Autolock Timing]/wInactiveModuleLogoutTime

v1.28
• (n) Active Directory handling is introduced.
• (n) New INI section and entries:
  • [Active Directory Authentication]/bAllowOnlyCompatibleSW
  • [Active Directory Authentication]/sDatabase
• (c) New PWL field: "bADrequired". Default value is "False".
• (c) New error message in [Login Answer Texts] section:
  • -12 = ActiveDirectory authentication required.
  • -13 = ActiveDirectory authentication failed.

v1.27
• (c) INI/[BSSAP-CDR Servers] section is removed.
• (n) New INI section: [SL_DAT+NNNN], for applications that need additional query IP addresses. (NNNN is the application code.)

v1.26
• (c) [BSSAP-CDR Servers] - Can handle 100 BSSAP servers at most (instead of former limit 10).

v1.25
• (n) [BSSAP-CDR Servers] - IP addresses of BSSAP servers.

v1.24
• (n) New ApplicationCode for BSSAP-CDR/Query module: 8934.

v1.23
• (n) INI/[SL_DAT]/sSpecialSigLinkMarker - new INI configuration entry
• (n) Can handle two types of SL_DAT for handling virtual links, too.

v1.22
• (c) "Fresh actual password's date of user '...'." instead of "Clear actual password's date of user '...'.". Timestamp of the current password is the current time minus INI/[Passwords]/dwActualPasswordValiditySec value. It was 0 formerly.
• (c) In case of "Set a new (temporary) password for user '...'." timestamp of the current password is the current time minus INI/[Passwords]/dwActualPasswordValiditySec value. It was 0 formerly.
• (n) New "Introduce a similar application" remote possibility.
• (n) New "Withdraw an application completely" remote possibility.
• (c) "Clear ActualPassword and its date of user '...'." possibility is obsolete.
• (c) Content of PWD and PWL files is logged at module shut down.

v1.21
• (c) New INI entries
  • [Passwords]/dwUserValiditySec
  • [Login Answer Texts]
  • [Application-specific Warning Texts]

v1.20
• (n) Possibility of remote administration of users.
• (n) Co-operates SgaAutho_RemoteAdmin module.
• (c) SgaAutho_RemoteClient is not supported any more.

v1.12
• (c) New (v2.xx) password change utility can be used regardless of the value of bDualAuthenticationIsInUse.

v1.11
• (n) Option to bar using the old (v1.00) password change utility (by altering ApplicationCode from 99998 to 99997).
• (n) INI/[Connections]/bDualAuthenticationIsInUse (defaults to "False")
• (c) Error text (-10): "Use a more recent version of SgaChgPwd utility!".

v1.10
• (c) Maximum length of the line-be-line repeated Reason field is doubled (from 10 to 20 characters).
• (c) Shortening: "Client connection " ---> "Conn.".
• (n) Stores last access date (per user) in the corresponding section of the PWL configuration file.
• (n) PWL/[UserName]/dwLastActionDate

v1.09
• (c) Buffered logging to handle long (multi-line) log requests.

v1.08
• (n) ROLE field is indicated in each log line (where available).
• (n) REASON field is indicated in each log line (where known); only first 10 characters are repeated.
• (c) Entering passwords (either for the databases or for SL.DAT creation) is redesigned.

v1.07
• (n) Roles are introduced; remained compatible with preceding versions.
• (n) Placeholder for role names: INI/[Roles]/sDescription_N, where N corresponds to N in the entries of INI/[Oracle User Groups]/sUserName_N and /sPassword_N; loaded on-the-fly (in contrast with the INI/[Oracle User Groups] section).
• (c) PWD files: Nine more characters (digits) for roleID's; read (and shown) by the client modules in the given order, first (original) column is used by the legacy applications.
• (f) No crash for Clients if SL.DAT file is completely missing.

v1.06
• (n) A password (or optionally any command line parameters) can be given to the SL.DAT creating utility.
• (n) Menu item: "SL.DAT"/"Re-enter creating utility's password"; [SL_DAT]/sCreateUtility, sCreatePassword, and dwMaxSendingChunkSize will get reloaded (and logged).
• (n) INI/[SL_DAT]/sCreatePassword

v1.05
• (c) USER '(name)' is logged for all user actions.

v1.04
• (c) Some or all of INI/[Oracle User Groups]/sPassword_N entries may be omitted and will be asked on start-up one-by-one (and can also be reloaded later on).
• (n) Dialog box to enter [Oracle User Groups] passwords that are no longer stored in the corresponding INI entry.
• (n) Menu item: "Users"/"Re-enter Oracle passwords".
• (c) Fail to write the log file will cause connection(s) to be dropped.
• (n) Menu item: "Log"/"Recover from log file error".

v1.03
• (c) Using the old (v0.93) password change utility is explicitly barred.
• (n) Error text (-10): "Please use SgaChgPwd v1.00 or later.".

v1.02
• (n) Adjustable password validity to force users to change periodically.
• (n) Adjustable password list validity to prevent users to change too often.
• (n) Password list to store old passwords to prevent users from frequent reuse.
• (n) 5 successive login attempt failures disable user login.
• (c) INI/[Advanced]/sUserListFile is moved into the new [Passwords] section.
• (c) INI/[Passwords]/sUserListFile is loaded and logged at startup.
• (n) INI/[Passwords]/sPasswordListFile; loaded and logged at startup; defaults to ".\SgaAutho.pwl".
• (n) INI/[Passwords]/dwActualPasswordValiditySec; loaded and logged at startup; defaults to 1 week.
• (n) INI/[Passwords]/dwPasswordListValiditySec; loaded and logged at startup; defaults to 3 weeks.
• (c) SgaAutho.pwd no longer contains the MD5'ed password; its column is removed.
• (n) SgaAutho.pwl contains the actual and the previous 5 passwords along with the corresponding timestamps.
• (n) SgaAutho.pwl is the placeholder of the bad login count of each user.
• (c) ApplicationCode to change password is altered from 99999 to 99998.
• (c) SgaAutho.pwd is no longer changed from the software (while the new SgaAutho.pwl is).
• (c) SgaAutho.pwl should periodically be backed up (instead of the former SgaAutho.pwd).

v1.01
• (n) Each line in the log file is extended with an encrypted message digest (based on the contents of the previous and the current line).

v1.00
• (c) "****" allows all applications that have an ApplicationID above 1999, but denies all others.

v0.95
• (f) No error was indicated for password change request of a non-existing user.

v0.94
• Initial release

Known bugs

• No bug is known at present.