(4.1) IVG security guide

Use the following guides to enhance the security of your Interactive Voice Gateway (IVG) installation.

Generate new OpenSSL certificate

The Interactive Voice Gateway (IVG) installer initially creates an OpenSSL certificate with an expiration set to 365 days after the installation date. However, you must manually create a new certificate after the initial expiration date to ensure the continued functionality of the IVG system.

Creating a new OpenSSL certificate requires a three-step process:

  1. Generate a private key
  2. Create a self-signed certificate
  3. Update the owner, group, and permissions of the new files, then restart the Holly Voice Platform (HVP)

IMPORTANT

  • Use an account with sudo/root permissions for the following procedures.
  • /export/home/holly-ivg is used in the following examples as the default holly user home directory. If you have specified a different holly user/group or home directory during installation, update each command accordingly before execution.

Generate a private key

A private key is required in order to generate a self-signed certificate. Use the genrsa command to generate a private key named privatekey.pem.

openssl genrsa -out /export/home/holly-ivg/etc/privatekey.pem 4096

Create a self-signed certificate

Use the req command to create a self-signed certificate named certificate.pem using your private key. Note that the -days 365 flag sets the certificate expiration period to 365 days in the future, but this value can be changed as needed.

openssl req -new -x509 -nodes -sha512 -days 365 -key /export/home/holly-ivg/etc/privatekey.pem > /export/home/holly-ivg/etc/certificate.pem

Final steps

Use chmod and chown to provide read permissions and update the user/group for the private key and certificate.

chmod 400 /export/home/holly-ivg/etc/privatekey.pem /export/home/holly-ivg/etc/certificate.pem
chown holly-ivg:holly-ivg /export/home/holly-ivg/etc/privatekey.pem /export/home/holly-ivg/etc/certificate.pem

Restart the holly service. This can be done in one of two ways:

With sudo/root permissions:

service holly restart

As the holly-ivg user without sudo/root permissions:

hvpctl restart
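
A mismatched key and certificate, or a certificate that is already close to expiry, only shows up after the restart. The following pre-restart check is an added example, not part of the original guide or of IVG; the function name verify_cert_pair and the 30-day default are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the IVG guide): check a renewed key/certificate pair
# before restarting the holly service. The function name is hypothetical.

# verify_cert_pair KEY CERT [MIN_DAYS] [OWNER:GROUP]
# Prints one line per finding and returns 0 only when every check passes.
# The ( ) body runs in a subshell, so the variables stay local.
verify_cert_pair() (
    key=$1; cert=$2; min_days=${3:-30}; owner=${4:-}; rc=0

    # 1. Both files must parse as what they claim to be.
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "FAIL: $key is not a readable private key"; return 1; }
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert is not a readable certificate"; return 1; }

    # 2. The certificate must contain the public half of this private key.
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
         "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]; then
        echo "FAIL: certificate does not belong to this private key"; rc=1
    fi

    # 3. -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "FAIL: certificate expires within $min_days days"; rc=1
    fi

    # 4. Mode 400 as set by the chmod step; the owner check is optional.
    for f in "$key" "$cert"; do
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "400" ]; then
            echo "FAIL: $f has mode $mode, expected 400"; rc=1
        fi
        if [ -n "$owner" ] && [ "$(stat -c '%U:%G' "$f")" != "$owner" ]; then
            echo "FAIL: $f is not owned by $owner"; rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: key and certificate match and are valid for more than $min_days days"
    fi
    return "$rc"
)

# Usage with this guide's default paths:
#   verify_cert_pair /export/home/holly-ivg/etc/privatekey.pem \
#                    /export/home/holly-ivg/etc/certificate.pem 30 holly-ivg:holly-ivg \
#     && service holly restart
```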

Vulnerability reductions

The IVG installer does not install the Tomcat examples/ and tomcat-docs/ directories, in order to reduce exposure to security vulnerabilities.

Generating a certificate with Java keytool

Use the Java keytool application for OpenJDK 8 to add the Platform Toolkit (PTK) server certificate to each IVG CA keystore. This allows the VXML Interaction Server (VIS) to communicate securely over HTTPS with each instance of the PTK.

  1. Open a Linux shell on the IVG server, and copy the PTK certificate using the following command:
       • Verify you have the correct name of the certificate .pem file.
       • Verify whether the CN is set to use the server short name or FQDN.
echo -n | openssl s_client -connect <ServerName>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <CertificateName>.pem
  2. Repeat Step 1 for each PTK instance.
  3. Add the certificate to the Java JVM CA keystore using the following command:
/usr/lib/jvm/jre-1.8.0-openjdk/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/jre-1.8.0-openjdk/lib/security/cacerts -storepass changeit -noprompt -alias <ServerName> -file /export/home/holly/etc/<CertificateName>.pem
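
The s_client command saves whatever certificate the server presents, and keytool then imports it with -noprompt, so the file deserves a check before it becomes a trust anchor. The helper below is an added example, not part of the original guide or of IVG; the function names are assumptions. It compares the SHA-256 fingerprint with one obtained out of band from the PTK administrator and confirms that the host name VIS will use is covered by the certificate, which is where the short name versus FQDN question in the list above matters.

```bash
#!/usr/bin/env bash
# Added example (not from the IVG guide): vet a certificate fetched with
# s_client before importing it into the cacerts trust store.
# Function names are hypothetical.

# Print the SHA-256 fingerprint as lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeed only if HOST is covered by the certificate's names.
# When the certificate has a subjectAltName DNS entry, OpenSSL does not
# fall back to the CN, so a short name in the CN alone is not enough.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# vet_cert PEM HOST EXPECTED_FINGERPRINT
# EXPECTED_FINGERPRINT must come from the PTK administrator, not from the
# network connection that delivered the PEM file.
# Returns 0 = safe to import, 1 = mismatch, 2 = file is not a certificate.
vet_cert() (
    pem=$1; host=$2
    expected=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(cert_fingerprint "$pem")
    if [ -z "$actual" ]; then
        echo "FAIL: $pem is not a certificate"
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: fingerprint $actual does not match the expected value"
        return 1
    fi
    if ! cert_covers_host "$pem" "$host"; then
        echo "FAIL: certificate does not cover host name $host"
        return 1
    fi
    echo "OK: $pem matches the expected fingerprint and covers $host"
)

# Usage (placeholders as in the commands above):
#   vet_cert <CertificateName>.pem <ServerName> <fingerprint from PTK admin> \
#     && keytool -import ...
```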

IVG Ports

The IVG installer process opens the following ports, which are used by the IVG voice platform:

Process | Port | Description
browser | 4080 | MONAPI port
browser | 5080 | Outbound call request port
callcontrol | 4081 | MONAPI port
callcontrol | 8040 | HTTP listen port
callcontrol | 8041 | HTTPS listen port
callredux | 4095 | Callredux listen port
configserver | 6399 | Listen port
ctimgr | 20000 | ICM listen port
foreman | 8333 | Trap port
foreman | 8400 | Supervise port
hinge | 7399 | Listen port
hlm | 9333 | Listen port
hlm | 9400 | Supervise port
hmspageserver | 2080 | Listen port
hmsweb | 2020 | HTTP listen port
hmsweb | 2021 | HTTPS listen port
hotts | 4088 | MONAPI port
hotts | 32330 | TTS interaction port
hvg | 8050 | HTTP listen port
hvg | 8051 | HTTPS listen port
hvg | 8062 | MRCP v2 ASR listen port
hvg | 9876 | Listen port
hvg | 9999 | Supervise port
hvss | 8030 | HTTP listen port
hvss | 8443 | HTTPS listen port
logmgr | 7333 | Listen port
SIP/RTP | 5060 | Primary SIP listen port
SIP/RTP | 5061 | Secondary SIP listen port
TLS/SSL | 5070 | Primary TLS port
TLS/SSL | 5071 | Secondary TLS port
SIP/RTP | 11000-15000 | RTP ports used for calls
SIP/RTP | 11000-15000 | RTP ports used for MRCP v2 interaction
subagent | 8161 | Listen port
SNMP Agent | 705 | Third-party software
tts_hum | 8066 | MRCP v2 TTS port
tts_hum | 32331 | Listen port for TTS (MRCP v2) interaction

Third party IVG ports

The IVG installer process opens the following ports for third party components in addition to the voice platform ports:

Process | Port | Description
ICM CTI listen port | 5000 | Port that runs the ICM CTI worker. This port is only used for IVG Cisco UCCE integrations. This port number can be designated during IVG installation.
Mountd | 892 | Port used by the NFS client in a multiple IVG environment.
NFS | 111 | Port used by the NFS server if NFS is enabled.
NFS | 20143 | Port used by the NFS client if NFS is enabled.
PostgreSQL | 5432 | PostgreSQL port number. This port number can be designated during IVG installation.
Tomcat | 8009, 8005, 8080 | Ports used by Tomcat (VIS and CCIS)

Disable HTTP and HTTPS ports

Use the following instructions to disable the following ports:

  • 2020 - HTTP
  • 2021 - HTTPS

Disabling port 2020 (HTTP)

  • Open a Linux shell and log in as the holly user.
  • Change the directory to httpd/conf.
  • Look for the following entries in the httpd/conf directory:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
  • Comment out the line Include conf/extra/httpd-ssl.conf.
  • Save the file and restart the Holly processes.

Disabling port 2021 (HTTPS)

  • Open a Linux shell and log in as the holly user.
  • Change the directory to httpd/conf.
  • Look for the following entry:
Listen 2020
  • Comment out the line Listen 2020.
  • Save the file and restart the Holly processes.
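
The port tables and the disable procedure above can be checked against what a server is actually listening on. The script below is an added example, not part of the original guide or of IVG; the function names and the sample ss output are constructed for illustration, and the port list is copied from the tables on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the IVG guide): compare live listeners with the
# ports documented on this page. Function names are hypothetical.

# Ports from the "IVG Ports" and "Third party IVG ports" tables.
IVG_PORTS="111 705 892 2020 2021 2080 4080 4081 4088 4095 5000 5060 5061 \
5070 5071 5080 5432 6399 7333 7399 8005 8009 8030 8040 8041 8050 8051 8062 \
8066 8080 8161 8333 8400 8443 9333 9400 9876 9999 20000 20143 32330 32331"
IVG_RTP_RANGE="11000 15000"   # RTP ports used for calls and MRCP v2

# undocumented_listeners [EXTRA_PORT...]
# Reads `ss -H -tuln` output on stdin and prints "proto port" for every
# listener whose port is neither documented above nor passed as an argument
# (for example 22 for sshd).
undocumented_listeners() {
    awk -v known="$IVG_PORTS $*" -v range="$IVG_RTP_RANGE" '
        BEGIN {
            n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1
            split(range, r, " ")
        }
        {
            port = $5; sub(/.*:/, "", port)     # drop the address, keep the port
            if (port !~ /^[0-9]+$/) next
            if ((port in ok) || (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0)) next
            key = $1 " " port
            if (!seen[key]++) print key          # IPv4 and IPv6 count once
        }' | sort -k2,2n -k1,1
}

# still_listening PORT...
# Prints those of the given ports that still have a listener, for use after
# a port such as 2020 or 2021 has been disabled and Holly restarted.
still_listening() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) chk[w[i]] = 1 }
        {
            port = $5; sub(/.*:/, "", port)
            if ((port in chk) && !seen[port]++) print port
        }' | sort -n
}

# Constructed sample in the format printed by `ss -H -tuln`.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:5060       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:11842      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2020       0.0.0.0:*
tcp   LISTEN 0      100                *:8080             *:*
tcp   LISTEN 0      128        127.0.0.1:6379       0.0.0.0:*
tcp   LISTEN 0      128             [::]:8443          [::]:*
tcp   LISTEN 0      50              [::]:9001          [::]:*
tcp   LISTEN 0      50           0.0.0.0:9001       0.0.0.0:*
EOF
}

# Demo on the constructed sample. On a server, replace sample_ss_output
# with: ss -H -tuln
sample_ss_output | undocumented_listeners 22
sample_ss_output | still_listening 2020 2021
```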

Genesys SSL/TLS Setup

Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.

After enabling SSL/TLS in the voice platform, you copy the Session Manager certificate to the voice platform, and copy the voice platform certificate to Session Manager. This facilitates the SSL/TLS handshake between the Session Manager and the voice platform.

Enabling SSL/TLS in the voice platform

  • Navigate to Configuration > Holly Configuration.
  • Select OpenSSL from the Component dropdown.
  • Select the Pool.
    • TIP: The default pool name is holly.
  • Determine the supported ciphers for the voice platform by running the following Linux command:
openssl ciphers -
  • In sslciphers, enter the list of SSL ciphers for openssl.
    • For example: "HIGH:DES:MD5:AES256-SHA256"
  • In ssloptions, enter the SSL options to exclude from the following list of options:
    • no_sslv2
    • no_sslv3
    • no_tlsv1
    • no_tlsv1_1
    • no_tlsv1_2

For example, to accept only tlsv1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1

IMPORTANT

Escape the separator (,) with a backslash (\) when listing multiple ssloptions. For example:

no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2

  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the TLS protocol is not enabled.

Configuring SIPS and SRTP in the voice platform

Enabling SIPS/SRTP for IVG Genesys requires:

  • Creating a certificate in Microsoft Management Console (mmc)
  • Enabling TLS on the Genesys SIP Server
  • Copying the IVG certificate to Genesys
  • Enabling SIPS/SRTP in the voice platform

Creating the self-signed certificate

Use the following instructions to generate the certificate on the Genesys SIP Server.

  • Open the mmc console by navigating to Run and typing mmc.
  • In the Windows mmc console, navigate to File > Add/Remove Snap-in.
  • Select Certificates from the Available snap-ins panel, and press Add.
  • On the Certificates snap-in screen, select the Computer account radio button and press Next.
  • On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
  • The certificate displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
  • Press OK.

Enrolling the certificate

  • Expand the Certificates folder.
  • Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
  • Click Next on the Before you begin screen.
  • On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
  • On the Custom request screen, keep the default values selected and press Next.
  • On the Certificate information screen, expand Details and press the Properties button.
  • Enter the following information for Certificate Properties:
Tab | Field | Instructions
General | Friendly name | Enter a friendly name to reflect server and purpose.
General | (Optional) Description | Enter a description of the certificate.
Subject | Subject name > Type | Select Common name from the dropdown.
Subject | Subject name > Value | Enter the IP address of the server, then press Add.
Subject | Alternative name > Type | Select DNS from the dropdown.
Subject | Alternative name > Value | Enter the server name, then press Add.
Extensions | Extended key usage | Select Server Authentication and press Add. Select Client Authentication and press Add.
Private Key | Key options | Select 1024 from the Key options dropdown. Enable the Make private key exportable checkbox.
Private Key | Select Hash Algorithm | Select sha1 from the Select Hash Algorithm dropdown.
  • Press Apply and then press OK.
  • Press Next on the Certificate information screen.
  • Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
  • Press Finish.

Verifying the certificate enrollment

  • Expand the Certificates folder.
  • Expand the Certificate Enrollment Requests folder.
  • Select Certificates.
  • Verify the certificate displays in the center panel.

Adding the certificate to Trusted Root Authority

  • Right-click on the certificate and select Copy.
  • Expand Trusted Root Certification Authorities.
  • Right-click Certificates and select Paste.
  • Expand Personal.
  • Right-click Certificates and select Paste.
  • Double-click the certificate.
  • Open the Certification Path tab and verify the Certificate Status is OK.

Enabling SIPS/SRTP on the Genesys SIP Server

  • Update the TLS port in Configuration Manager by navigating to SIP Server and opening Options > TServer.
    • Locate tls-mutual and verify it is set to False.
    • Locate sip-tls-cert and enter the certificate thumbprint.
      • Locate the thumbprint in mmc under the Details tab of the certificate
    • Locate the sip-port-tls and update the value to the TLS port number. The IVG installer automatically opens port 5061. If another port is used, it will need to be opened manually.

NOTE

The sip-tls-cipher-list should be supplied by the client.

  • Locate the IVG Trunk in the Genesys strategy.
    • Navigate to Annex > TServer > Options
      • In the Contact field, add FQDN:Port:transport=tls

Copying the voice platform certificate to SIP Server

The IVG installer generates a self-signed certificate for IVG named certificate.pem and places it in the /home/holly/etc directory.

To copy the IVG certificate to the Genesys SIP Server:

  • Copy the IVG certificate from /home/holly/etc, and rename it with the .crt file extension.
  • Import the certificate to the Genesys SIP Server using mmc.
  • Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
  • Right-click Certificates and navigate to All Tasks > Import.
  • Click Next to open the File to Import screen, where you can browse to the location where the IVG certificate.crt file was saved.
  • Finish the Certificate Import Wizard, and verify the certificate displays in the Trusted Root Authority > Certificates folder.

Enabling SIPS and SRTP in the voice platform

After adding a certificate file, enable SIPS and SRTP in the voice platform management system.

  • Navigate to Configuration > Holly Configuration.
  • Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool PoolName tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
siplistenport | Primary SIP port used for incoming SIP requests over UDP or TCP. | 5060 (The IVG installer process automatically configures port 5060. Using a different port requires the port to be manually configured.)
siplistenport2 | Secondary SIP port used for incoming SIP requests over UDP or TCP. | 5070 (Port 5070 is a recommended port number, but any available port number can be used. The port used must be manually configured.)
siptransport | List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference. | tls,tcp,udp
srtpsupport | Determines SRTP behavior for inbound and outbound calls. VHT engineers recommend using the value of 2 in order to observe the following behavior: allows inbound calls using SRTP, and enables SRTP on outbound calls using TLS. | 2
tlslistenport | Primary TLS port used for incoming SIPS requests over TLS. | 5061 (The IVG installer process automatically configures port 5061. Using a different port requires the port to be manually configured.)
tlslistenport2 | Secondary TLS port used for incoming SIPS requests over TLS. | 5071 (Port 5071 is a recommended port number, but any available port number can be used. The port used must be manually configured.)

  • Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool PoolName tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
sslcafile | The file path for the voice platform certificate. This file is read in when the voice platform processes start, and its contents are used in two-way mutual authentication. | /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem, where hollyusername is the holly user name configured in the IVG installer and VoicePlatformCertificate.pem is the name of the voice platform certificate file.
sslverify | Used to verify the SSL peer. | 1

  • Navigate to Configuration > Holly Configuration.
  • Select Holly Call Control from the dropdown menu, and select the Pool for the IVG deployment.
  • Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
  • Restart IVG for changes to take effect.

IMPORTANT

Without restarting IVG, the SIPS and SRTP protocols are not enabled.

Generating the voice platform self-signed certificates

The IVG installer process generates a private key, self-signed certificates, and public key for the voice platform, and stores them in the /export/home/holly/etc directory.

The certificate and key file names are generated from /export/home/holly/httpd/conf. The following values generate the certificate.pem and privatekey.pem values:

Parameter | Key | Value
httpscertificatefilename | certificate.pem | server.cert
httpsprivatekeyfilename | privatekey.pem | server.key

Copying and adding the SIP Server certificate file to the voice platform

Copy a certificate file created for the contact center environment to the voice platform.

  1. Open a Linux shell and navigate to the /etc folder.
  2. Run the following command:
openssl s_client -connect ContactCenterServer:ContactCenterPortNumber
       • ContactCenterServer - the IP address of the SIP Server
       • ContactCenterPortNumber - the port number of the contact center server
  3. Copy the contents of the certificate from BEGIN CERTIFICATE to END CERTIFICATE.
  4. Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
  5. Run the following command to verify the certificate file was created:
ls -l *.pem
  6. Run the following command to log in as the holly user:
su - holly
  7. Run the following command to access the holly user etc directory:
cd etc
  8. Run the following command to add the contact center certificate to the voice platform certificate file:
cat certificate.pem >> platform-ca.pem
       • certificate.pem - Name of the IVG voice platform certificate file.
       • platform-ca.pem - Name of the contact center certificate file from Step 4.

Avaya SSL/TLS Setup

Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.

After enabling SSL/TLS in the voice platform, you copy the Session Manager certificate to the voice platform, and copy the voice platform certificate to Session Manager. This facilitates the SSL/TLS handshake between the Session Manager and the voice platform.

Enabling SSL/TLS in the voice platform

  • Navigate to Configuration > Holly Configuration.
  • Select OpenSSL from the Component dropdown.
  • Select the Pool.
    • TIP: The default pool name is holly.
  • Determine the supported ciphers for the voice platform by running the following Linux command:
openssl ciphers -
  • In sslciphers, enter the list of SSL ciphers for openssl.
    • For example: "HIGH:DES:MD5:AES256-SHA256"
  • In ssloptions, enter the SSL options to exclude from the following list of options:
    • no_sslv2
    • no_sslv3
    • no_tlsv1
    • no_tlsv1_1
    • no_tlsv1_2

For example, to accept only tlsv1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1

NOTE

Escape the separator (,) with a backslash (\) when listing multiple ssloptions. For example:

no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2

  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the TLS protocol is not enabled.
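
The ssloptions value is easy to get wrong in both the Genesys and the Avaya procedure: one misspelled name or one unescaped comma changes which protocols stay enabled. The checker below is an added example, not part of the original guide or of IVG; the function name and return codes are assumptions, and because this page does not say how the platform treats an unknown option name, the checker simply rejects it.

```bash
#!/usr/bin/env bash
# Added example (not from the IVG guide): check an ssloptions value before
# entering it in Holly Configuration. The function name is hypothetical.

# The five option names listed in this guide, oldest protocol first.
SSL_OPTION_NAMES="no_sslv2 no_sslv3 no_tlsv1 no_tlsv1_1 no_tlsv1_2"

# check_ssloptions 'VALUE'
# Prints any errors, then the protocols left enabled. Returns:
#   0  value is well formed and leaves at least one protocol enabled
#   1  unknown option name or unescaped separator
#   2  every listed protocol is excluded
# The ( ) body runs in a subshell, so IFS and the variables stay local.
check_ssloptions() (
    value=$1; rc=0; enabled=""; excluded=" "

    # A comma that survives removal of every "\," pair was not escaped.
    case $(printf '%s' "$value" | sed 's/\\,//g') in
        *,*) echo "error: unescaped comma"; rc=1 ;;
    esac

    # Split on commas only, so a blank-separated list is not accepted.
    IFS=','; set -f
    set -- $(printf '%s' "$value" | sed 's/\\,/,/g')
    set +f; unset IFS

    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$tok" ] || continue
        known=0
        for name in $SSL_OPTION_NAMES; do
            if [ "$tok" = "$name" ]; then known=1; fi
        done
        if [ "$known" -eq 1 ]; then
            excluded="$excluded$tok "
        else
            echo "error: unknown option '$tok'"; rc=1
        fi
    done

    # Whatever is not excluded stays enabled.
    for name in $SSL_OPTION_NAMES; do
        case $excluded in
            *" $name "*) ;;
            *) enabled="$enabled ${name#no_}" ;;
        esac
    done
    echo "enabled:${enabled:- none}"

    if [ "$rc" -ne 0 ]; then return 1; fi
    if [ -z "$enabled" ]; then return 2; fi
    return 0
)

# Demo: the "accept only tlsv1.2" value from this guide.
check_ssloptions 'no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1'
```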

Configuring SIPS and SRTP in the voice platform

Enabling SIPS/SRTP for IVG Avaya requires:

  • Creating a certificate in Microsoft Management Console (mmc)
  • Copying the IVG certificate to Avaya Session Manager
  • Enabling SIPS/SRTP in the voice platform

Creating the self-signed certificate

Use the following instructions to generate the certificate on the Avaya Session Manager server.

  • Open the mmc console by navigating to Run and typing mmc.
  • In the Windows mmc console, navigate to File > Add/Remove Snap-in.
  • Select Certificates from the Available snap-ins panel, and press Add.
  • On the Certificates snap-in screen, select the Computer account radio button and press Next.
  • On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
  • The certificate displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
  • Press OK.

Enrolling the certificate

  • Expand the Certificates folder.
  • Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
  • Click Next on the Before you begin screen.
  • On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
  • On the Custom request screen, keep the default values selected and press Next.
  • On the Certificate information screen, expand Details and press the Properties button.
  • Enter the following information for Certificate Properties:
Tab | Field | Instructions
General | Friendly name | Enter a friendly name to reflect server and purpose.
General | (Optional) Description | Enter a description of the certificate.
Subject | Subject name > Type | Select Common name from the dropdown.
Subject | Subject name > Value | Enter the IP address of the server, then press Add.
Subject | Alternative name > Type | Select DNS from the dropdown.
Subject | Alternative name > Value | Enter the server name, then press Add.
Extensions | Extended key usage | Select Server Authentication and press Add. Select Client Authentication and press Add.
Private Key | Key options | Select 1024 from the Key options dropdown. Enable the Make private key exportable checkbox.
Private Key | Select Hash Algorithm | Select sha1 from the Select Hash Algorithm dropdown.
  • Press Apply and then press OK.
  • Press Next on the Certificate information screen.
  • Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
  • Press Finish.

Verifying the certificate enrollment

  • Expand the Certificates folder.
  • Expand the Certificate Enrollment Requests folder.
  • Select Certificates.
  • Verify the certificate displays in the center panel.

Adding the certificate to Trusted Root Authority

  • Right-click on the certificate and select Copy.
  • Expand Trusted Root Certification Authorities.
  • Right-click Certificates and select Paste.
  • Expand Personal.
  • Right-click Certificates and select Paste.
  • Double-click the certificate.
  • Open the Certification Path tab and verify the Certificate Status is OK.

Enabling SIPS/SRTP in Avaya Session Manager

Copying the voice platform certificate to Session Manager

  • On the home page of the System Manager web console, click Services > Inventory > Manage Elements.
  • Select a Session Manager instance.
  • Click More Actions > Managed Trusted Certificates.
  • On the Trusted Certificates page, click Add.
  • To import a certificate from a file:
    • Select the Import from file radio button.
    • Click Browse and locate the file.
    • Click Retrieve Certificate.
    • Click Commit.
  • To import a certificate in the PEM format:
    • Select the Import as PEM Certificate radio button.
    • Locate the PEM certificate.
    • Open the certificate using Notepad.
    • Copy the entire contents of the file. You must include the start and end tags: "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    • Paste the contents of the file in the box provided.
    • Click Commit.

Enabling SIPS and SRTP in the voice platform

Enable SIPS and SRTP in the voice platform management system.

  • Navigate to Configuration > Holly Configuration.
  • Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool PoolName tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
siplistenport | Primary SIP port used for incoming SIP requests over UDP or TCP. | 5060 (The IVG installer process automatically configures port 5060. Using a different port requires the port to be manually configured.)
siplistenport2 | Secondary SIP port used for incoming SIP requests over UDP or TCP. | 5070 (Port 5070 is a recommended port number, but any available port number can be used. The port used must be manually configured.)
siptransport | List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference. | tls,tcp,udp
srtpsupport | Determines SRTP behavior for inbound and outbound calls. VHT engineers recommend using the value of 2 in order to observe the following behavior: allows inbound calls using SRTP, and enables SRTP on outbound calls using TLS. | 2
tlslistenport | Primary TLS port used for incoming SIPS requests over TLS. | 5061 (The IVG installer process automatically configures port 5061. Using a different port requires the port to be manually configured.)
tlslistenport2 | Secondary TLS port used for incoming SIPS requests over TLS. | 5071 (Port 5071 is a recommended port number, but any available port number can be used. The port used must be manually configured.)

  • Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool PoolName tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
sslcafile | The file path for the voice platform certificate. This file is read in when the voice platform processes start, and its contents are used in two-way mutual authentication. | /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem, where hollyusername is the holly user name configured in the IVG installer and VoicePlatformCertificate.pem is the name of the voice platform certificate file.
sslverify | Used to verify the SSL peer. | 1

  • Navigate to Configuration > Holly Configuration.
  • Select Holly Call Control from the dropdown menu, and select the Pool for the IVG deployment.
  • Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
  • Restart IVG for changes to take effect.

IMPORTANT

Without restarting IVG, the SIPS and SRTP protocols are not enabled.

Generating the voice platform self-signed certificates

The IVG installer process generates a private key, self-signed certificates, and public key for the voice platform, and stores them in the /export/home/holly/etc directory.

The certificate and key file names are generated from /export/home/holly/httpd/conf. The following values generate the certificate.pem and privatekey.pem values:

Parameter | Key | Value
httpscertificatefilename | certificate.pem | server.cert
httpsprivatekeyfilename | privatekey.pem | server.key

IMPORTANT

New IVG installations must add the newly generated voice platform certificate to Session Manager.

Copying and adding the Session Manager certificate file to the voice platform

Copy a certificate file created for the contact center environment to the voice platform.

  1. Open a Linux shell and navigate to the /etc folder.
  2. Run the following command:
openssl s_client -connect ContactCenterServer:ContactCenterPortNumber
       • ContactCenterServer - the IP address of the Session Manager server
       • ContactCenterPortNumber - the port number of the contact center server
  3. Copy the contents of the certificate from BEGIN CERTIFICATE to END CERTIFICATE.
  4. Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
  5. Run the following command to verify the certificate file was created:
ls -l *.pem
  6. Run the following command to log in as the holly user:
su - holly
  7. Run the following command to access the holly user etc directory:
cd etc
  8. Run the following command to add the contact center certificate to the voice platform certificate file:
cat certificate.pem >> platform-ca.pem
       • certificate.pem - Name of the IVG voice platform certificate file.
       • platform-ca.pem - Name of the contact center certificate file from Step 4.

FIPS compliance

No additional configuration is needed in order to access the HMS user interface from FIPS-compliant workstations or networks. These connections will be accepted by default.

Virus scanning exclusions

To prevent file locks and other file access issues, exclude the following directories from virus scanning on all IVG servers. The default locations are listed, but they could be different depending on the configuration chosen when installing the system.

IVG directories to exclude

Exclusion | Default location
Holly installation directory | /export/home/holly
PostgreSQL installation directory | /export/home/postgres
CTI Event Consumer directory | /export/home/VirtualHold

VIS directories to exclude

On IVG servers that also host VIS in Apache Tomcat, exclude the following directories as well.

Exclusion | Default location
Tomcat installation directory | /export/home/tomcat<version>
VIS backup and configuration files | /etc/VirtualHold

IVG installer commands

The IVG installer process executes commands as both root and sudo user.

IVG installer commands

The following IVG installer commands require root access:

Run as Command
root /usr/bin/bash
root /usr/bin/cat
root /usr/bin/chgrp
root /usr/sbin/chkconfig
root /usr/bin/chmod
root /usr/bin/chown
root /usr/bin/cp
root /usr/bin/crontab
root /usr/bin/curl
root /usr/bin/cut
root /usr/bin/date
root /usr/bin/df
root /usr/bin/dos2unix
root /usr/bin/echo
root /usr/bin/egrep
root /usr/bin/expect
root /usr/sbin/exportfs
root /usr/bin/file
root /usr/bin/find
root /usr/bin/findmnt
root /usr/bin/firewall-cmd
root /usr/bin/free
root /usr/bin/getent
root /usr/bin/grep
root /usr/sbin/groupadd
root /usr/sbin/groupdel
root /usr/sbin/groupmod
root /usr/bin/head
root /usr/bin/hostname
root /usr/bin/id
root /usr/sbin/iptables
root /usr/bin/java
root /usr/bin/kill
root /usr/bin/ksh
root /usr/bin/logger
root /usr/bin/ls
root /usr/bin/mkdir
root /usr/bin/mount
root /usr/bin/mv
root /usr/sbin/nologin
root /usr/bin/openssl
root /usr/bin/passwd
root /usr/bin/pgrep
root /usr/sbin/postconf
root /usr/sbin/postmap
root /usr/bin/ps
root /usr/bin/psql
root /usr/bin/read
root /usr/bin/rev
root /usr/bin/rm
root /usr/bin/rmdir
root /usr/bin/rpm
root /usr/bin/sed
root /usr/sbin/service
root /usr/bin/sh
root /usr/sbin/showmount
root /usr/sbin/shutdown
root /usr/bin/sleep
root /usr/bin/sort
root /usr/bin/su
root /usr/bin/sudo
root /usr/bin/systemctl
root /usr/bin/tail
root /usr/bin/tar
root /usr/bin/tcsh
root /usr/bin/tee
root /usr/bin/touch
root /usr/bin/tr
root /usr/bin/umask
root /usr/bin/umount
root /usr/bin/uname
root /usr/sbin/update-alternatives
root /usr/sbin/useradd
root /usr/sbin/userdel
root /usr/sbin/usermod
root /usr/bin/wc
root /usr/bin/xargs
root /usr/bin/yum
root exit
root eval
root export
root return
root set
root source
root type

IVG installer sudo commands

The following IVG installer commands require sudo access:

Run as Command
sudo /usr/bin/echo
sudo /usr/bin/mkdir
sudo /usr/bin/cp