1 What is BSSUP?
In order for Bicom Systems support to access your system without the need to share the root password, we use a service called BSSUP. BSSUP is a secure and time-limited method of providing access through SSH certificates. It ensures that our support team can connect to your PBXware or SERVERware system safely, without exposing sensitive login credentials. This approach reduces security risks, gives you full control over when and for how long the access is enabled, and guarantees that only Bicom Systems support can use it.
2 How BSSUP Works in the Background
BSSUP was developed to allow Bicom Systems support secure and temporary access to your system, without the need to ever share your root password. While the process looks simple on your side (you just enable access in PBXware or SERVERware), in the background there is a complete security mechanism that protects your system and controls the duration of access.
1. Certificate Generation
Instead of using passwords, BSSUP relies on digital SSH certificates. These certificates are created and signed by Bicom Systems’ central server (the Certificate Authority). They are time-limited and can only be used by Bicom Systems support. This means there is no permanent password or key that could pose a security risk.
2. Distribution and Key Security
Once a certificate is created, it is securely distributed to your system. Your PBXware or SERVERware periodically downloads the latest public keys and certificates from Bicom Systems servers. Each certificate is valid only for a specific time window and automatically expires after that. This prevents any certificate from being reused indefinitely.
3. Verification Process
When a Bicom Systems engineer attempts to connect to your system, your server checks:
• whether the certificate is signed by the official Bicom Systems authority,
• whether the certificate is still valid (not expired),
• whether the certificate matches the key being used for login.
If any of these checks fail, access is automatically denied.
4. Limited Access Duration
As a customer, you decide how long the access remains open (for example, a few hours or up to one week). Once the time you set expires, access is automatically closed and Bicom Systems support can no longer connect. This gives you full control over the duration of access.
5. Restricted Entry Point
Access is only possible through port 2244 and exclusively from the official Bicom Systems support network (IP address 185.59.93.56). Even when BSSUP is enabled, any connection attempt from outside this network will be rejected.
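As an added example (not Bicom Systems' code and not part of BSSUP), the script below audits sshd log lines against the verification and entry-point rules above: a login with a certificate signed by the support CA should only come from 185.59.93.56, and a login from that address should always present such a certificate. It assumes the stock OpenSSH "Accepted ..." log format; the CA fingerprint and the log lines are constructed placeholders.

```python
import re

SUPPORT_IP = "185.59.93.56"  # support network address stated on this page
# Placeholder: the real CA fingerprint is not given on this page.
TRUSTED_CA_FP = "SHA256:EXAMPLE-CA-FINGERPRINT"

# Assumption: stock OpenSSH sshd log format. Certificate logins append
# "ID <key id> (serial N) CA <type> <fingerprint>" after the key fingerprint.
# The logged port is the client's source port, not the listening port (2244),
# so the audit keys on source IP and signing CA instead.
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+)"
    r"(?: ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\)"
    r" CA (?P<ca_type>\S+) (?P<ca_fp>\S+))?)?"
)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
Mar  3 10:01:12 pbx sshd[2101]: Accepted publickey for root from 185.59.93.56 port 50122 ssh2: ED25519-CERT SHA256:AAAAexampleKey1 ID support-engineer (serial 17) CA ED25519 SHA256:EXAMPLE-CA-FINGERPRINT
Mar  3 11:40:55 pbx sshd[2188]: Accepted password for root from 185.59.93.56 port 50310 ssh2
Mar  3 12:15:09 pbx sshd[2240]: Accepted publickey for root from 203.0.113.7 port 41822 ssh2: ED25519-CERT SHA256:AAAAexampleKey2 ID support-engineer (serial 18) CA ED25519 SHA256:EXAMPLE-CA-FINGERPRINT
Mar  3 12:30:00 pbx sshd[2301]: Accepted publickey for admin from 192.0.2.10 port 40000 ssh2: RSA SHA256:AAAAexampleKey3
Mar  3 12:31:00 pbx sshd[2302]: Failed password for root from 198.51.100.4 port 40100 ssh2
""".splitlines()


def audit(lines, trusted_ca_fp=TRUSTED_CA_FP, support_ip=SUPPORT_IP):
    """Return (line_number, reason) for accepted logins that break the rules."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCEPTED.search(line)
        if not m:
            continue  # not a successful login
        from_support = m["ip"] == support_ip
        support_cert = m["ca_fp"] == trusted_ca_fp  # None for non-certificate logins
        if support_cert and not from_support:
            findings.append((n, "support-CA certificate accepted from outside " + support_ip))
        elif from_support and not support_cert:
            findings.append((n, "login from support IP without a support-CA certificate"))
    return findings


if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Logins that involve neither the support address nor the support CA (line 4 of the sample) are left alone, since they are the customer's own sessions.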
Summary
Behind the scenes, BSSUP combines several layers of security:
• temporary SSH certificates,
• automatic certificate generation and rotation,
• strict verification of certificate origin,
• time-limited access windows,
• restriction to a specific port and IP address.
In this way, BSSUP ensures that support can quickly assist with resolving issues, while you always maintain full control over the security of your system.
On PBXware
1. Log in to the Setup Wizard by navigating to https://<PBXwareIP>:81, where <PBXwareIP> is your system’s IP address or domain name.
2. Enter your root password, then go to the **Support Access** tab.
3. Set the port number to **2244** and choose a **timeout duration** matching how long you want the access to remain open.
4. Click **Open SSH Access**.
5. You should see the message: *“SSH Access: Opened.”*
On SERVERware
1. Log in to the SERVERware GUI.
2. Click the button in the top right corner, located just to the left of the date.
3. In the popup window, click **Advanced options**.
4. Enter port **2244** and set the desired timeout duration.
5. Confirm your settings — you will see the message: *“SSH access has been permanently opened for the support team only via port 2244.”*
Figure 1: Click the top-right button on the SERVERware controller to open advanced options.
Figure 2: Advanced options window where SSH access is enabled.
3 Error During BSSUP Activation
Sometimes, when trying to activate BSSUP, you may encounter the following message:
[root@MT11 run]# ls
[root@MT11 run]#
6. Return to the home directory. It’s good practice to return to a standard working directory.
[root@MT11 run]# cd
[root@MT11 ~]#
7. Restart the HTTPD service. After removing the stale PID file, the service can start normally.
[root@MT11 ~]# /opt/httpd/sh/start
httpd started successfully.
[root@MT11 ~]#
Following these steps ensures that any leftover BSSUP session is cleared and allows BSSUP to activate correctly.