Cisco CISCOWORKS COMMON SERVICES 3.0 User Manual Download Page 268 | Manualshive

Page: 268 / 286

background image

Appendix A Understanding CiscoWorks Security

Server Security

A-6

User Guide for CiscoWorks Common Services

78-16571-01

Access to Systems Other Than the CiscoWorks Server

The access details for Solaris and Windows are:

•

UNIX Systems—Systems used by the CiscoWorks Server as remote sources
of device information for importing into the Resource Manager Essentials
Inventory Manager application must allow the user casuser to perform remote
shell operations on the user who owns the device information.

•

Windows Systems—Systems used by the CiscoWorks Server as remote
sources of device information for importing into the Resource Manager
Essentials Inventory Manager application, must allow the user casuser to
perform remote shell operations on the user who owns the device information.

Access Control

The access control details are:

•

UNIX Systems—The UNIX user casuser is a user ID that is not typically
enabled for login.

Using this user ID as the user ID under which to install the CiscoWorks
Server software simplifies the installation process and ensures limited access
to the CiscoWorks Server. This is because casuser is not a valid login ID as
there is no password assigned to it.

However, the casuser user on UNIX systems is capable of performing system
and possibly network-wide operations that could be harmful to the system or
the network.

•

Windows Systems—The user casuser, created as part of the install process,
has no special permissions or considerations on a system so it is a “safe” user
ID under which to execute the CiscoWorks Server and application code. The
localsystem user can perform harmful system operations.

Therefore, consider that by using the localsystem user ID to run some of the
backend processes, the localsystem user ID cannot perform network
operations.

Note

The system administrator should review and adopt the security recommendations
in

“System Administrator-Imposed Security” section on page A-7

.

«
...
266
267
268
269
270
...
»

Summary of Contents for CISCOWORKS COMMON SERVICES 3.0

Page 1: ...c 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 User Guide for CiscoWorks Common Services 3 0 CiscoWorks Customer Order Number DOC 7816571 Text Part Number 78 16571 01 ...

Page 2: ... INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES User Guide for CiscoWorks Common Services Copyright 1998 2005 Cisco Systems Inc All rights reserved CCSP the Cisco Square Bridge logo Follow Me Browsing and StackWise are tr...

Page 3: ...cumentation xvi Cisco com xvii Ordering Documentation xvii Documentation Feedback xviii Obtaining Technical Assistance xviii Cisco Technical Support Website xviii Submitting a Service Request xix Definitions of Service Request Severity xx Obtaining Additional Publications and Information xx C H A P T E R 1 Overview 1 1 New Features 1 2 Understanding Time Zone Settings 1 3 Learning More About the C...

Page 4: ... Traditional Applications With New Navigation 2 7 Device Troubleshooting Panel 2 7 Resources Panel 2 7 CiscoWorks Product Updates Panel 2 7 Tool Bar Items 2 8 Configuring CWHP 2 8 Registering Applications With CWHP 2 8 Registering a New Application 2 9 Importing from other servers 2 10 Unregistering an Application 2 11 Registering Links With CWHP 2 11 Unregistering a Link 2 12 Setting Up CiscoWork...

Page 5: ...in Multi Server Mode 3 10 Setting up Peer Server Account 3 11 Setting up System Identity Account 3 13 Setting up Peer Server Certificate 3 14 Deleting Peer Certificates 3 15 Enabling Single Sign On 3 15 Navigating Through the SSO Domain 3 16 Registering Server Links 3 17 Launching a new Browser Instance 3 17 Changing the Single Sign On Mode 3 18 Setting up the AAA Mode 3 20 About Common Services A...

Page 6: ... in ACS 3 38 Creating and Modifying Roles in ACS 3 39 Resetting Login Module 3 42 Understanding Fallback Options for ACS Mode 3 43 Managing Cisco com Connection 3 44 Setting up Cisco com User Account 3 44 Setting Up the Proxy Server 3 44 Generating Reports 3 45 Log File Status Report 3 45 Permissions Report 3 46 Users Logged In Report 3 47 Process Status Report 3 48 Viewing Audit Log Report 3 49 A...

Page 7: ...n DCR 3 63 Master Slave Configuration Prerequisites and Restore Operations 3 66 Effects of Backup Restore on Groups 3 67 Licensing CiscoWorks Applications 3 68 Obtaining a License for CiscoWorks Applications 3 68 Licensing the Application 3 69 Viewing License Information 3 70 Updating Licenses 3 70 Collecting Server Information 3 71 Collecting Self Test Information 3 72 Messaging Online Users 3 72...

Page 8: ... 9 Auto Update Type 4 10 Cluster Managed Type 4 11 Deleting Devices 4 12 Editing Device Credentials 4 13 Importing Devices and Credentials 4 14 Import Using DCA Interface 4 15 Exporting Devices and Credentials 4 18 Export Using DCA Interface 4 19 Excluding Devices 4 21 A Sample CSV Exclude File 4 21 Viewing Devices List 4 22 Generating Reports in DCA 4 23 Managing Auto Update Servers 4 24 Adding A...

Page 9: ... 3 0 File 4 32 Sample CSV 3 0 File for Auto Update Server Managed Devices 4 33 Sample CSV 3 0 File for Cluster Managed Devices 4 34 Mapping CSV 2 0 to CSV 3 0 Fields 4 35 Sample XML File 4 36 Sample XML File Standard 4 36 Sample XML File for Auto Update Server Managed Devices 4 37 Sample XML File for Cluster Managed Devices 4 38 Using DCR Features Through CLI 4 39 Adding Devices Using dcrcli 4 39 ...

Page 10: ...oups 5 3 Common Groups and Shared Groups 5 4 Secure Views 5 6 Groups in a Single Server Setup 5 7 Groups in Multi Server Setup 5 7 DCR Mode Changes and Group behavior 5 10 Unregistering a Slave 5 13 Group Administration 5 14 Creating Groups 5 14 Specifying Group Properties 5 15 Defining Group Rules 5 17 Assigning Group Membership 5 18 Removing Devices 5 19 Viewing Group Details 5 19 Modifying Grou...

Page 11: ...ing Tools 6 5 Checking Device Connectivity 6 6 Using Ping 6 8 Using Traceroute 6 9 Using SNMP Walk 6 9 Using SNMP Set 6 11 Using Packet Capture 6 12 Creating a New Packet Capture File 6 13 Editing Device Credentials 6 15 Displaying Reports 6 15 Performing Management Tasks 6 15 C H A P T E R 7 Working With Software Center 7 1 Performing Software Updates 7 2 Performing Device Update 7 4 Deleting Pac...

Page 12: ...Questions 8 6 Troubleshooting Suggestions 8 33 A P P E N D I X A Understanding CiscoWorks Security A 1 General Security A 2 Server Security A 2 Server Imposed Security A 2 Files File Ownership and Permissions A 3 Runtime A 4 Remote Connectivity A 5 Access to Systems Other Than the CiscoWorks Server A 6 Access Control A 6 System Administrator Imposed Security A 7 Connection Security A 7 Security Ce...

Page 13: ... configure and maintain CiscoWorks Common Services Most of the tools and applications described are available only to systems administrators Conventions This document uses the following conventions Item Convention Commands and keywords boldface font Variables for which you supply values italic font Displayed session and system information screen font Information you enter boldface screen font Vari...

Page 14: ...ght do something that could result in equipment damage or loss of data Product Documentation Note We sometimes update the printed and electronic documentation after original publication Therefore you should also review the documentation on Cisco com for any updates Table 1 describes the product documentation that is available Selecting a menu item in paragraphs Option Network Preferences Selecting...

Page 15: ...Printed document available by order part number DOC 7816497 1 1 See the Obtaining Documentation section on page xvi Installation Guide for CiscoWorks Common Services 3 0 on Solaris PDF on the product CD ROM On Cisco com at http www cisco com univercd cc td doc product rtrmgmt cw2000 cw2000_d comser30 ig_sol index htm Printed document available by order part number DOC 7815885 1 User Guide for Cisc...

Page 16: ...ur CiscoWorks Server select Common Services Software Center Applications and Versions You can also obtain any published patches from the download site Obtaining Documentation Cisco documentation and additional literature are available on Cisco com Cisco also provides several ways to obtain technical assistance and other technical resources These sections explain how to obtain technical information...

Page 17: ...ring Documentation You can find instructions for ordering documentation at this URL http www cisco com univercd cc td doc es_inpck pdi htm You can order Cisco documentation in these ways Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Ordering tool http www cisco com en US partner ordering index shtml Nonregistered Cisco com users can order document...

Page 18: ...d winning technical assistance The Cisco Technical Support Website on Cisco com features extensive online support resources In addition Cisco Technical Assistance Center TAC engineers provide telephone support If you do not hold a valid Cisco service contract contact your reseller Cisco Technical Support Website The Cisco Technical Support Website provides online documents and tools for troublesho...

Page 19: ...he online TAC Service Request Tool is the fastest way to open S3 and S4 service requests S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information After you describe your situation the TAC Service Request Tool provides recommended solutions If your issue is not resolved using the recommended resources your service request is assig...

Page 20: ...ources during normal business hours to restore service to satisfactory levels Severity 4 S4 You require information or assistance with Cisco product capabilities installation or configuration There is little or no effect on your business operations Obtaining Additional Publications and Information Information about Cisco products technologies and network solutions is available from various online ...

Page 21: ...Cisco Systems designed to help growing companies learn how they can use technology to increase revenue streamline their business and expand services The publication identifies the challenges facing these companies and the technologies to help solve them using real world case studies and business strategies to help readers make sound technology investment decisions You can access iQ Magazine at thi...

Page 22: ...Preface Obtaining Additional Publications and Information xxii User Guide for CiscoWorks Common Services 78 16571 01 ...

Page 23: ...otocols as well as navigation It creates a standard user experience for all management functions It also provides the common framework for all basic system level operations such as installation data management including backup restore and import export event and message handling and job and process management Common Services 3 0 provides a set of new features required to drive the CiscoWorks appli...

Page 24: ...h troubleshooting tools management tasks and reports for the selected device Groups Provides a mechanism for applications to create shared device groups Provides grouping facility based on various attributes in Device and Credential Repository DCR Software Center Allows you to download and deploy device packages and software patches Enhanced security to support SNMPv3 authNoPriv Provides packet le...

Page 25: ...ent time zones and are not synchronized For detailed information see the Release Notes included with your CiscoWorks applications Learning More About the Common Services You can find detailed information on the features and functions of CiscoWorks Common Services in the following sections Interacting With CiscoWorks Homepage Setting up Security Generating Reports Administering Common Services Mana...

Page 26: ...de for CiscoWorks Common Services 78 16571 01 For tips about accessing Online help see Using Online Help You can check the version details and licensing information about Common Services by clicking the About button on top of the right hand side of the CiscoWorks Homepage ...

Page 27: ...n the same or a different server After you install the applications you can see the application panels on CWHP CWHP supports application oriented and device oriented navigation paradigms When you select any of the application functions on CWHP it launches the application homepage and the selected function is launched in application homepage content area CWHP is completely based on HTML and provide...

Page 28: ...nter the URL for your CiscoWorks Server in your web browser http server_name port_number where server name is the name of the CiscoWorks Server and port number is the TCP port used by the CiscoWorks Server in the normal mode If you enter http server_name port_number login html in your browser the CiscoWorks Server will not launch Also do not bookmark the URL with the login html In normal mode HTTP...

Page 29: ...ot launch Also do not bookmark the URL with the login html When SSL is enabled HTTPS the default TCP port for CiscoWorks Server is 443 On Windows CiscoWorks Server always uses the default port numbers in secure and normal modes On Solaris if the default TCP ports 1741 and 443 are used by other applications you can select different ports for secure and normal modes during CiscoWorks Server installa...

Page 30: ...ttps server_name 443 Logging Into CiscoWorks If you have installed CiscoWorks Server and logging in for the first time use the reserved admin user name and password To log in Step 1 Enter admin in the User ID field and the password for admin in the Password field of the Login Page The CiscoWorks Server administrator can set the passwords to admin and guest users during installation Contact the Cis...

Page 31: ... consists of Common Services Panel Application Panels Device Troubleshooting Panel Resources Panel CiscoWorks Product Updates Panel Tool Bar Items Common Services 3 0 and CiscoWorks applications use popup dialog boxes at many places If you have a popup blocker enabled in your browser none of these popups would appear Therefore you have to disable the popup blocker if you have installed any Common ...

Page 32: ...ponding application homepage already exists for some other task the window for this task is focussed instead of creating a new window To launch the URL associated with the item in the popup window click on the label Supporting Applications on Another Server CiscoWorks applications from other servers can be made to display in the same way as CiscoWorks applications from the local server For this yo...

Page 33: ...sing Device Center for details Resources Panel Resources panel is on the top of the right hand side of the CWHP It also serves as a top level launch point for CiscoWorks resources Cisco com resources third party application links and web based custom tool links This panel shows the types of resources as first level and details in the next level Note CWHP provides an Admin UI to turn off this infor...

Page 34: ...e help in a separate browser window See Using Online Help for details About Displays the general information about the software The window displays license information version and patch level installation date and copyright information Configuring CWHP The Application Registration Link Registration and Settings links under Homepage help you configure your CiscoWorks Homepage They help you in Regis...

Page 35: ... View the list of registered applications in the Registered Applications dialog box Registering a New Application To register a new application Step 1 Click Registration in the Registered Applications dialog box The Choose Location for Registration page appears A wizard guides you through the process Step 2 Choose the location for registration You can choose to Register from Templates or Import fr...

Page 36: ...ed certificates for the local and remote servers if not already done Add remote server s certificate to the local server See Setting up Peer Server Certificate for details Restart the local server Create a Peer Server user on the remote server Configure this user a System Identity user in the local server See Setting up Peer Server Account and Setting up System Identity Account for details To impo...

Page 37: ...tions to be Unregistered window appears with the details of the Application unregistered Step 3 Click Confirm Registering Links With CWHP You can add additional links to CiscoWorks Homepage for Custom tools and home grown tools and third party applications such as HPOV The links appear under the Third Party or Custom Tools as you specify To register links with CiscoWorks Homepage Step 1 Select Com...

Page 38: ...ct Common Services HomePage Settings The Homepage Settings page displays the Homepage Settings dialog box Step 2 Enter a name for the CiscoWorks Server in the Change Homepage Server Name field You can use this name in the Provider Group name in the Common Services Groups UI See System defined and User defined Groups section on page 5 3 for details on Provider Group Step 3 Select the Hide External ...

Page 39: ...ore about the Notify Users feature see Messaging Online Users section on page 3 72 Step 7 Click Update You can update any one of the above settings by clicking update If you have changed the Homepage Server Name a popup window appears prompting you to confirm whether you want to use this name in Provider Group name Click OK if you want the name to be suffixed to the Provider Group name You need to...

Page 40: ...o change the port numbers you must login as CiscoWorks Server administrator and run the following command at the prompt opt CSCOpx MDC Apache bin changeport If you run this command without any command line parameter CiscoWorks displays CiscoWorks Webserver port change utility Usage changeport port number s f where port number The new port number that should be used s Changes the SSL port instead o...

Page 41: ...any of the webservers that webserver process is started as root This is because ports lower than 1026 are allowed to be used only by root in Solaris However according to Apache behavior only the main webserver process run as root and all the child processes run as casuser casusers Only the child processes serve the external requests The main process which runs as root monitors the child processes ...

Page 42: ...rootapps conf CiscoWorks daemons using privileged ports services The system etc services file ssl properties CiscoWorks config elements for SSL mode vms_web xml Common Services application config file Note All the above files and the unique directories are stored with read only permission to casuser casusers To ensure the security of the backup files only the CiscoWorks Server administrator has wr...

Page 43: ...ommand line parameter CiscoWorks displays the following usage text Common Services Webserver port change utility Usage changeport port number s f where port number The new port number that should be used s Change the SSL port instead of the default HTTP port f Force port change even if Daemon Manager detection fails Note Do not use this option by default Use it only when CiscoWorks instructs you t...

Page 44: ...ing and actively listening on a port it can be easily detected However if the service is currently stopped there is no way that the utility can determine what port it uses This is because on Windows there is no common port registry equivalent to etc services as in UNIX The port number must be a numeric value in the range 1026 65000 Values outside this range and non numeric values are not allowed W...

Page 45: ...ey file regdaemon xml Common Services config registry data file ssl properties CiscoWorks config elements for SSL mode vms_web xml Common Services application config file Note All the above files and the unique directories are stored with read only permissions Only the administrator and casuser have write permissions to ensure the security of the backup files The change port utility displays messa...

Page 46: ...Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers 2 20 User Guide for CiscoWorks Common Services 78 16571 01 ...

Page 47: ...mechanisms that help to prevent unauthenticated access to the CiscoWorks Server CiscoWorks applications and data Common Services provides features for managing security when operating in single server and multi server modes You can specify the user authentication mode using the AAA Mode Setup You can create user accounts on Cisco com using the Cisco com Connection Management UI Managing Security i...

Page 48: ...n application level protocol that enables secure transactions of data through privacy authentication and data integrity It relies upon certificates public keys and private keys You can enable or disable SSL depending on the need to use secure access between the client browser and the management server CiscoWorks Server uses certificates for authenticating secure access between the client browser a...

Page 49: ...er enabling SSL you must enter the URL with the following changes The URL should begin with https instead of http to indicate secure connection CiscoWorks will automatically redirect you to HTTPS mode if SSL is enabled Change the port number suffix from 1741 to 443 If you do not make the above changes CiscoWorks Server will automatically redirect you to HTTPS mode with port number 443 The port num...

Page 50: ...rk or to the applications themselves and must be protected To prevent such operations from being used accidentally or maliciously CiscoWorks uses a multi level security system that only allows access to certain features to users who can authenticate themselves at the appropriate level Common Services provides two predefined login IDs guest Specify a password during installation User role is Help D...

Page 51: ...y are assigned one or more roles A role is a collection of privileges that dictate the type of system access you have A privilege is a task or operation defined within the application The set of privileges assigned to you defines your role and dictates how much and what type of system access you have The user role or combination of roles dictates which tasks are presented to the users Table 3 1 sh...

Page 52: ...that can be performed with each role see the Permissions Report section on page 3 46 Modifying Your Profile To edit your profile Step 1 In the CiscoWorks Homepage select Common Services Server Security Local User Setup The Local User Setup page appears Step 2 Click Modify me to modify the logged in user credentials Step 3 Enter the password in the Password field Step 4 Re enter the password in the...

Page 53: ...n dialog box appears Step 3 Enter the username in the Username field Step 4 Enter the password in the Password field Step 5 Re enter the password in the Verify field Step 6 Enter the e mail ID in the E mail field Step 7 In the Roles pane select the check box corresponding to the role to specify the roles to be assigned to the user The following roles are available Help Desk available by default Ap...

Page 54: ...ars Step 3 Enter the username in the Username field Step 4 Enter the password in the Password field Step 5 Re enter the password in the Verify field Step 6 Enter the E mail ID in the E mail field In the Roles pane select or deselect the check box corresponding to the role to change the role to be assigned to the user Deleting a User To delete a user Step 1 In the CiscoWorks Homepage select Common ...

Page 55: ... when you are in multi server mode any existing peer relation might break The peers need to re import the certificate in this scenario To create a certificate Step 1 In the CiscoWorks Homepage select Common Services Server Security Certificate Setup The Certificate page appears Step 2 Enter the values required for the fields described in the following table Field Usage Notes Country Name Two chara...

Page 56: ...of a multi server domain has to be secure In multi server mode the server is configured as DCR Master Slave or SSO Master Slave In a multi server scenario secure communication between peer CiscoWorks Servers is enabled using certificates and shared secrets You have to copy certificates between the CiscoWorks Servers In addition you have to generate a shared secret on one server and configure it on...

Page 57: ...n multiple CiscoWorks Servers Users created using Peer Server Account Setup can authenticate processes running on remote CiscoWorks Servers In ACS mode the user created with Peer Server Account Setup needs to be configured in ACS with all the privileges that user has in CiscoWorks See Master Slave Configuration Prerequisites section on page 4 27 to know more about the usage of this feature You can...

Page 58: ...e Peer Server Account Setup page appears Step 3 Enter the password in the Password field Step 4 Re enter the password in the Verify field Step 5 Click OK To delete a User Step 1 In the CiscoWorks Homepage select Common Services Server Security Peer Server Account Setup The Peer Server Account Setup page appears Step 2 Select the check box corresponding to the user you want to delete Step 3 Click D...

Page 59: ...hat are part of the domain while Installing CiscoWorks on the machines part of that domain If this is done the user admin serves the purpose of System Identity user See Installation Guide for Common Services 3 0 for details However you can create a System Identity User from the Common Services UI too Common Services Server Security System Identity Setup UI If you create a System Identity User the ...

Page 60: ...ep 5 Click Apply Setting up Peer Server Certificate You can add the certificate of another CiscoWorks Server into it s trusted store This will allow one CiscoWorks Server to communicate to another If a CiscoWorks Server needs to communicate to another CiscoWorks Server it must possess the Certificate of the other server You can add Certificates of any number of peer CiscoWorks Servers to the trust...

Page 61: ...ransparently navigate to multiple CiscoWorks Servers without authenticating to each of them Communication between multiple CiscoWorks Servers is enabled by a trust model addressed by Certificates and shared secrets The following tasks need to be done initially One of the CiscoWorks Servers should be set up as the authentication server Trust should be built between the CiscoWorks Servers using self...

Page 62: ...ity between Master and Slave It is sufficient to have the same System Identity User passwords in Master and Slave without having the same user name We recommend that you have the same user name and password across Master and Slave To configure Master s Self Signed Certificate in the Slave select Common Services Server Security Peer Server Certificate Setup Add The CN present in the certificate sho...

Page 63: ...ing the server link For example let ABC and XYZ be part of the same SSO domain You can register the link for ABC on XYZ While registering server ABC in XYZ you have to specify the URL as http ABC 1741 cwhp cwhp applications do If ABC is running in HTTPS mode you have to specify the URL as https ABC 443 cwhp cwhp applications do In the above example clicking on the registered link will launch the C...

Page 64: ...e without SSO When the server is configured for SSO it can either be in Master mode The SSO Authentication Server does the authentication and sends the result to the Regular Server Change the SSO mode to Master if log in is required for all SSO regular servers Login requests for all the SSO regular servers will be served from the Master Slave mode SSO Regular server for which authentication is don...

Page 65: ...y Single Sign On The Single Sign On Configuration page shows the current Single Sign On mode Step 2 Click Change Mode Step 3 Select the Master SSO Authentication Server radio button Step 4 Click Apply To change the SSO mode to Slave Step 1 In the CiscoWorks Homepage select Common Services Server Security Single Sign On The Single Sign On Configuration page shows the current Single Sign On mode Ste...

Page 66: ...Works Local login module You can use Cisco Secure ACS services for this purpose see Setting the Login Module to ACS However many network managers already have a means of authenticating users To use your current authentication database for CiscoWorks authentication you can select a login module NT UNIX TACACS Radius and others After you select and configure a login module all authentication transac...

Page 67: ...secure cs acs shtml Click Download CiscoSecure ACS Software Windows link You can find the link to the Admin HTTPS PSIRT patch in the table See Setting the Login Module to Non ACS section on page 3 24 and Setting the Login Module to ACS section on page 3 35 for details on usage of the login modules About Common Services Authentication By default CiscoWorks Common Services uses CiscoWorks Server aut...

Page 68: ... Network Operators tasks Can do tasks that result in a network configuration change System Administrator Can perform all CiscoWorks system administration tasks If you configure Common Services to use Non ACS for authentication authorization services are provided by CiscoWorks Server In Non ACS mode you cannot change the roles or the privileges assigned to these roles However a user can be assigned...

Page 69: ... with a valid administrator name and password When a client application initially communicates with Cisco Secure ACS these requirements ensure the validity of the communication Additionally the administrator used by the client application must have the Create New Device Command Set Type privilege enabled When a client application initially communicates with Cisco Secure ACS it makes the Cisco Secu...

Page 70: ...module to Non ACS mode Step 1 In the CiscoWorks Homepage select Common Services Server Security AAA Mode Setup Step 2 Select the Non ACS radio button The Login Module window displays the current login module and the available login modules The available login modules are CiscoWorks Local IBM SecureWay Directory KerberosLogin Local UNIX System Local NT System MS Active Directory Netscape Directory ...

Page 71: ...y Directory The IBM SecureWay Directory login module implements Lightweight Directory Access Protocol LDAP Before a user can log in a user s account is set up in the LDAP server The user s account has two fields Distinguished name and password A Distinguished name is made up of three parts Prefix User login and Usersroot Userroot is queried for the username during login and the Distinguished name ...

Page 72: ...with the following details Step 3 Click OK Field Description Selected Login Module IBM SecureWay Directory Description CiscoWorks IBM LDAP module Server Default set to ldap ldap company com Userroot Default set to ou active ou employees ou people o company Prefix Default set to cn Debug Set to false Set to true for debugging purposes when requested by your customer service representative Login fal...

Page 73: ...s with the following details Step 3 Click OK Field Description Selected Login Module KerberosLogin Kerberos login module Description Kerberos login module Debug Set to False Set to True for debugging purposes when requested by your customer service representative Realm The Kerberos realm name Although the realm can be any ASCII string the convention is to make it the same as your domain name in up...

Page 74: ...lect the Local Unix System radio button Step 2 Click Change The Login Module Options popup window appears with the following details Step 3 Click OK Field Description Selected Login Module Local UNIX System Description CiscoWorks native Solaris module Debug Set to False Set to True for debugging purposes when requested by your customer service representative Login fallback options Set the option f...

Page 75: ...eight Directory Access Protocol LDAP Before a user can log in a user s account is set up in the LDAP server The user s account has two fields Distinguished name and password A Distinguished name is made up of three parts Prefix User login and Usersroot The user login is appended when the user logs in so the Distinguished name is Prefix login name Usersroot Field Description Selected Login Module L...

Page 76: ... 3 Click OK Field Description Selected Login Module MS Active Directory Description CiscoWorks MS Active Directory module Server Default set to ldap ldap company com Usersroot Default set to cn users dc servername dc company dc com If you are using Windows 2003 Active Directory you have to provide the complete Usersroot information This is because Windows 2003 Active Directory implementation has d...

Page 77: ...ix login name Usersroot For example a Distinguished name could be represented as uid John ou embu o cisco com where the Prefix is uid the login name is John and the Usersroot ou embu o cisco com To change login module to Netscape Directory Step 1 Select Netscape Directory radio button Step 2 Click Change The Login Module Options popup window appears with the following details Step 3 Click OK Field...

Page 78: ...s Step 3 Click OK Field Description Selected Login Module Radius Description CiscoWorks Radius module Server Set to module type servername radius company com Port Set to 1645 Attempt to override it only if your authentication server was configured with a non default port Key Enter the secret key Debug Set to False Set to True for debugging purposes when requested by your customer service represent...

Page 79: ... is the default for this protocol Attempt to override it only if your authentication server was configured with a non default port Secondary Server Set to module type tacacs company com This is the secondary fallback server Secondary Port Set to 49 The listed port number is the default for this protocol Attempt to override it only if your authentication server was configured with a non default por...

Page 80: ...lick OK After you change the login module you do not have to restart CiscoWorks The user who logs in after the change automatically uses the new module Changes to the login module are logged in the following directory NMSROOT MDC Tomcat logs stdout log Debug Set to False Set to True for debugging purposes when requested by your customer service representative Login fallback options Set the option ...

Page 81: ...erver is added as an AAA client in the ACS server For the first time it can be done at the Network Configuration UI in ACS server You can add the host with IP Address and configure the secret key there The same secret key should be entered in the AAA Mode Setup dialog box The username you enter while logging in to CiscoWorks is a valid ACS user name In ACS mode authentication takes place from the ...

Page 82: ...t numbers The default port is 49 Secondary and Tertiary IP address hostname details are optional The values true and false will not be accepted in the Primary Secondary and Tertiary IP Address Hostname fields Step 4 In the login panel enter ACS Admin Name ACS Admin Password ACS Shared Secret Key Also re enter the ACS admin password and ACS shared secret key in the Verify fields The values true and...

Page 83: ... and Tertiary servers should use the same protocol All of them should either operate in HTTP mode or HTTPS mode The Primary Secondary and Tertiary servers must have the same configuration For Primary Secondary and Tertiary servers the ACS Admin Name the ACS Admin Password and the ACS Shared Secret Key should be the same AAA clients Network Device Groups NDGs users groups registered applications an...

Page 84: ...y task Assign a Ciscoworks for any network device Select the desired role from the drop down list The user can execute the tasks that are assigned to the chosen role on every device Assign a Ciscoworks on a per Network Device Group Basis Select the device group from the Device Group drop down list Choose the role you want to associate with the group The user can execute the tasks that are assigned...

Page 85: ...e Assign a Ciscoworks on a per Network Device Group Basis Select the device group from the Device Group drop down list Choose the role you want to associate with the group The user can execute the tasks that are assigned to the chosen roles on the chosen device groups Step 4 Select any of the options based on the required security level Creating and Modifying Roles in ACS In ACS you can create new...

Page 86: ...lect the first check box in the checklist tree all check boxes in the checklist tree are selected Step 6 Click Submit To edit an existing role Step 1 Go to Cisco Secure ACS Step 2 Select Shared Profile Components CiscoWorks Common Services The Shared Profile Components page appears Step 3 Select the role you need The Shared Profile Components page displays the Edit dialog box Step 4 Select the Com...

Page 87: ...r if the user is not configured in the ACS server authorization will fail In case of users other than Admin even authentication will not happen If you add or change device information in the Network Device Group the change will not be immediately propagated to Common Services For the changes to get updated in Common Services when in ACS mode you have to re login to Common Services You can assign o...

Page 88: ...it d dmgtd stop For Solaris Step 2 Run the following script NMSROOT bin perl ResetLoginModule pl For Windows or opt CSCOpx bin perl ResetLoginModule pl For Solaris Step 3 Start the Daemon Manager using net start crmdmgtd For Windows or etc init d dmgtd start For Solaris This reset the login module to CiscoWorks local mode Multiple instances of same application using same ACS server will share sett...

Page 89: ...entication fails in CiscoWorks local mode If you log in using fallback mode you will be presented with a dialog box with instructions to change the login mode to CiscoWorks local To change the login mode Step 1 Go to Common Services Server Security AAA Mode Setup CiscoWorks Local Step 2 Click Change You need to have proper permission to change the login mode Otherwise the Change button will be dis...

Page 90: ...the CiscoWorks Homepage select Common Services Server Security Cisco com User Account Setup The Cisco com Login dialog box appears Step 2 Enter the Username and Password Step 3 Re enter Password in the Verify Password field Step 4 Click Apply Setting Up the Proxy Server You can update the proxy server configuration using the Proxy Server set up option To update your proxy server configuration Step...

Page 91: ...ports are available Log File Status Report Permissions Report Users Logged In Report Process Status Report Viewing Audit Log Report The following sections describe how to launch these reports and explain each report Log File Status Report The Log File Status Report provides information on log file size and file system utilization To generate the log file status report Step 1 In the CiscoWorks Home...

Page 92: ...plication The set of privileges assigned to you defines your role and dictates how much and what type of system access you have To generate the Permissions Report Step 1 In the CiscoWorks Homepage select Common Services Server Reports The Reports page appears Step 2 From the Available Reports pane select Permissions Report Item Description Log File Name of the log file Location Location of the log...

Page 93: ...ices To generate the Report Step 1 In the CiscoWorks Homepage select Common Services Server Reports The Reports page appears Step 2 In the Available Reports pane select Who is Logged On Item Description Last Run Time Last time the report was run Duration Duration for which the report was run Device Scanned Devices that were scanned Average Scan Time Average time taken to scan each device Device wi...

Page 94: ...status of the processes running on the CiscoWorks Server To generate the Process Status Report Step 1 In the CiscoWorks Homepage select Common Services Server Reports The Reports page appears Step 2 In the Available Reports pane select Process Status Item Descriptions Status Whether the user is online or offline User Name User name Roles Shows the roles of the user IP address IP address Last Activ...

Page 95: ...entication the files are stored on the local server If you are using ACS authentication the files are stored on the ACS server and you can view them from within both ACS and CiscoWorks Common Services To view Audit Log Report Step 1 Select Common Services Server Reports Audit Log in the CiscoWorks Common Services navigation tree Step 2 Click Generate Report The Audit Log Data Viewer appears with a...

Page 96: ...s performed For example Logout Reason A description of the activity For example User admin logged out of cwhp Item Description Date Date on which the activity is carried out Time Time at which the activity is carried out User_Name The user who performed the activity Group_Name The group to which the user belongs Cmd The activity that was performed For example Logout Priv_Lv1 The privilege level of...

Page 97: ... Click Reports and Activity in the ACS Navigation bar A list of report types appears Step 2 Click TACACS Administration A list of Audit Logs appears The Audit Logs are listed in chronological order with the most recent logs appearing at the top of the list The logs are named and listed by the date on which they were created for example an Audit Log created on 14 October 2004 is named TACACS Admini...

Page 98: ...equence and to start transient jobs Restarting Daemon Manager on Solaris To restart Daemon Manager on Solaris Step 1 Log in as root Step 2 To stop the Daemon Manager enter etc init d dmgtd stop Step 3 To start the Daemon Manager enter etc init d dmgtd start Note Do not start the Daemon Manager immediately after you stop it The ports used by Daemon Manager will be in use for some more time even aft...

Page 99: ... stop it The ports used by Daemon Manager will be in use for some more time even after the Daemon Manager is stopped Wait for at least one minute before you start the Daemon Manager If the System resources are less than the required resources to install the application Daemon Manager restart displays warning messages that are logged into syslog log Managing Processes CiscoWorks applications use ba...

Page 100: ...ices Server Admin Process The Process page appears Step 2 Click the Process link The Process Details popup window appears The window provides information on the path flags startup and dependencies Starting a Process To start a Process Step 1 In the CiscoWorks Homepage select Common Services Server Admin Process The process page appears Step 2 Select the check box corresponding to the process Step ...

Page 101: ... the process Step 3 Click Stop Backing Up Data You should back up the database regularly so that you have a safe copy of the database You can schedule immediate daily weekly or monthly automatic database backups You cannot back up the database while restoring the database Common Services uses multiple databases to store client application data These databases are backed up whenever you perform a b...

Page 102: ...y Location of the backup directory We recommend that your target location be on a different partition than the CiscoWorks installation location Runtype Select the desired check box You have options to schedule immediate daily weekly or monthly backups Time From the drop down lists select the time and date If you schedule a weekly backup select the day of the week from the drop down list If you sch...

Page 103: ...ons Maximum backup generations to be kept in the backup directory Data Backed up During CS 3 0 Backup The following data is backed up CiscoWorks User information Single Sign on configuration Device and Credential Repository DCR configuration Peer Certificates and Self Signed certificates Peer Server Account information Login Module settings Software Center map files Licence data Core client Regist...

Page 104: ... from the command line While restoring data CiscoWorks is shut down and restarted In all backup restore scenarios a back up is taken from a machine A and the backed up data say Ab is restored on the same machine A or on a different machine B Ensure that you do not run any critical tasks during data restoration Otherwise you may lose the data for such tasks Note If you restore the database when Cis...

Page 105: ...irectory is created under NMSROOT as NMROOT tempBackupData You can customize this by using this t option where you can specify your own temp directory This is to avoid overloading NMSROOT gen generationNumber Optional By default it is the latest generation If generations 1 through 5 exist then 5 will be the latest d backup directory Required Which backup directory to use h Provides help When used ...

Page 106: ...ectory See the previous section for command option descriptions Step 3 To restore the most recent version enter the following command NMSROOT bin restorebackup pl d backup directory For example d drive var backup Step 4 Examine the log file in the following location to verify that the database was restored by entering NMSROOT log restorebackup log Step 5 Restart the system by entering net start cr...

Page 107: ...rtificates Self Signed certificate based on your confirmation Peer Server Account information Login Module settings Software Center map files Will not overwrite existing data Application and Link registrations Log backup configuration Licence data Will not be restored But will compare and display a warning and ask for confirmation to continue if licenses are different ACS credentials System Identi...

Page 108: ...abase Jobs data and other data stored in database Though Common Services 2 2 supports ACS login module restoring from a Common Services 2 2 backup archive will not restore the ACS login module After restore the login module of the machine will be non ACS TACACS Data Restored from CD One 5th Edition Backup Archive The following data will be restored from CiscoWorks2000 Server CD One 5th edition bac...

Page 109: ...anged to use Master B and the Slave reset to use Master B When the restore is performed the Slave will attempt to use Master A For detailed information on DCR see Chapter 4 Managing Device and Credentials The following scenarios helps you understand the implications of Restore operations on DCR Restoring data from a DCR Standalone If you restore the data backed up from a machine in Standalone mode...

Page 110: ... you take a backup from S1 and restore the backed up data say S1b on M1 M1 will switch to Standalone mode because after backup it will not be able to find a Master S1 will also switch to Standalone mode At the time of backup if there were 1000 devices in M1 the Slave S1 would also have 1000 devices Say more devices are added to M1 after the Backup S1 will have the up to date device list But after ...

Page 111: ... to ensure that the data backed up from M1 is more recent than the data backed up from S1 and S2 Step 3 Stop Daemon Manager on all three machines Step 4 Restore data on the Master M1 Step 5 Restart Daemon Manager on M1 Step 6 After the Master is up and stable restore data on S1 and S2 Step 7 Restart Daemon Manager on S1 and S2 This ensures that Master has more recent data than the Slaves Note To a...

Page 112: ...tion X will get the certificate of M1 However if peer certificate of X is not present on M1 X will not be able to have M1 as its Master So you have to ensure that the certificates of the peer machines are in place before you do a restore Other Master Slave configuration prerequisites such as System Identity user configuration and Peer Server Account user configuration might get affected by restore...

Page 113: ... Standalone machine A to a Master M The Master will switch to Standalone mode The provider group name will be updated accordingly The Slave groups will be removed from the Master Only the groups pertaining to Common Services and the applications installed in the Standalone machine will be visible All dependent Slaves of M will become Standalone Restore data from a Standalone machine A to a Slave S...

Page 114: ...w switch to Standalone mode Restoring Data from M1 on M2 Slaves of M2 that is S3 and S4 will switch to Standalone mode Groups pertaining to S3 and S4 will be deleted from M2 In all the cases the System Defined Groups and the User Defined Groups are carried over and updated in the target machine Licensing CiscoWorks Applications You must register your software and obtain a product license before yo...

Page 115: ...the product license perform these steps to license your software Step 1 Copy the new license file to the CiscoWorks Server with read permission for casuser casusers Step 2 Select Common Services Server Admin Licensing The License Information dialog box appears The License Information page displays the name version device limit status and expiration date of the license Step 3 Click Update Step 4 En...

Page 116: ...ew details of your current software license or update to a new license from the License page To update to a new license from the Licensing page Step 1 In the CiscoWorks Homepage select Common Services Server Admin Licensing The License Information page displays the license name license version status of the license and the expiration date of the license Step 2 Click Update Step 3 Enter the path to...

Page 117: ...rmation The Collect Server Information pop up dialog box appears with a list of options Step 3 Select the check boxes corresponding to the options you need and click OK By default all the check boxes are selected Step 4 Click Server Information at the date time link The pop up window displays the server information collected Step 5 View server information by clicking the corresponding link in the ...

Page 118: ...rt To delete a Self Test Information report select the check box and click Delete Messaging Online Users You can use the Notify User feature in Common Services to broadcast messages to online users You can post messages to users with active CiscoWorks browsers The message will be received within 60 seconds To send a broadcast message Step 1 Select Common Services Server Admin Notify Users The Logg...

Page 119: ...and Network Operator roles are not allowed to stop and delete jobs All users including Help Desk can access the Job browser page The Refresh button in Job browser is available for all users Note When you are using the ACS login module the System Identity User you configure should have all the Job management related tasks enabled The job_browser job_stop and job_delete tasks should be enabled To vi...

Page 120: ...not maintain a history For Example 1001 JobID Instance ID Here in addition to the task the instance of the task can also be identified For Example 1001 1 1001 2 Type String that identifies the job type SWIM Config etc and job subtypes For example SWIM update Run Status Job states including Running Removed Waiting for approval Scheduled pending Rescheduled Completed succeeded Failed Crashed Cancell...

Page 121: ...e Job Browser page click Job ID The Job Details popup displays the job details Sched Type How often this job will run This can be Run immediately Run once Run on a calendar basis periodic Run on a time start basis Run on a time stop basis For time zone abbreviations and GMT offsets see your Release Notes Description Text string that describes the job Run Schedule Date and time the job was schedule...

Page 122: ...tances as well You can stop only one job at a time To delete a job click Delete after selecting the desired check box You can delete multiple jobs at a time You cannot delete a running job All users except Help Desk can perform Stop and Delete operations in the job browser Managing Resources Common Services provides a Resource Browser for managing resources You can free locked resources when neces...

Page 123: ...er Admin Resource Browser The Resource Browser page appears Step 2 Select the check box corresponding to the Job ID Step 3 Click Free Resources All users except those with only Help Desk role can perform the Free Resource operation in the Resource browser To view updated resources click Refresh Item Description Resource Name of the resource currently locked Job ID Owner Number assigned to this tas...

Page 124: ...ms this directory is var adm CSCOpx log and on Windows it is NMSROOT log Caution As part of the file back up procedure CiscoWorks Daemon Manager is shut down and restarted To prevent loss of data make sure you are not running any critical tasks The following section provides information on maintaining log files n Unix and Windows Maintaining Log Files on UNIX Maintaining Log Files on Windows Maint...

Page 125: ...user and group casusers The user must have read write and execute permissions and the group must have at least read permission Otherwise the program will terminate with an error message and the log files will not be updated Without any options the script backs up the log files to the default directory PX_LOGDIR backup Step 5 Verify the procedure was successful by examining the contents of the log ...

Page 126: ...r destination directory where NMSROOT is the CiscoWorks installation directory force allows backup regardless of log file size and dir destination directory specifies the full path of the destination directory If there is a problem the program will terminate with an error message and the log files will not be updated Step 5 Verify the procedure was successful by examining the contents of the log f...

Page 127: ...Run opt CSCOpx bin logrot pl c On UNIX The logrot configuration menu appears You have the following options 1 Edit variables 2 Edit log files 3 Quit and save changes 4 Quit without saving change Step 2 Select Edit variables option to set your Backup Directory If you do not set a backup directory each log will be rotated in its current directory Step 3 Select Edit log files option to add log files ...

Page 128: ...iles you can choose to delete an individual file a list of files or a all files matching a certain pattern For example 1 3 means delete files numbered 1 through 3 a list of comma separated file numbers for example 1 21 means delete files numbered 1 and 21 A pattern string log means delete all files that match the pattern log You can also specify the special pattern which means delete all logfiles ...

Page 129: ...ferences You can configure system wide information on the CiscoWorks Server using the System Preferences option It is a way to centrally locate information that is used by CiscoWorks applications Field Description SMTP Server System wide name of the SMTP server used by CiscoWorks applications to deliver reports The default server name is localhost CiscoWorks E mail ID The CiscoWorks E mail ID from...

Page 130: ...nces dialog box appears Step 2 Select one of the following tabs to enter information or to verify that the configured information is correct HTTP Proxy SMTP Server CiscoWorks E mail ID RCP User Set this information carefully If you introduce errors users may not be able to log in Step 3 Click Apply after making the changes To apply the defaults already configured in the system click Defaults To ca...

Page 131: ...ts and credentials using a client server mechanism with secured storage and communications The applications can read or retrieve the information The applications can also update the information in DCR so that the updated information could be shared with other applications DCR provides A central place where you can add or import new devices Easier and faster access to device and credential data Sec...

Page 132: ...nly by secured channel and client authentication Supports IPv6 and SNMP v3 Credentials are values that are used by applications to access and operate on devices It is typically an SNMP community string or a user ID and password pair A device credential is used to access a managed device such as a switch or router Device attributes are unique to each device and they identify a device The following ...

Page 133: ... described in Cisco s Meta Data Framework MDF database Each device type has a unique normative name defined in MDF DCR Device ID Internally generated unique sequential number that identifies the device record in the DCR database The DCR clients should remember the value to access device details from the repository User Defined Fields DCA by default provides four user defined fields These fields ar...

Page 134: ...http_username Device s HTTP interface user ID http_password Device s HTTP interface password Additional Credentials for Cluster Managed Devices dsbu_member_number Number of the Cluster member This number represents the order in which the device was added to the cluster parent_dsbu_id DCR Device ID of the parent Cluster device Auto Update Server Specific Credentials aus_url URL for the AUS device a...

Page 135: ...ed into the cluster Device ID of the parent Cluster record Auto Update Server The Auto Update Server has the following attributes and credentials URN Username Password Auto Update Server managed devices Apart from having its own attributes and credentials like normal DCR devices in DCR each Auto Update Server managed device has the following additional attributes Device Identity The string value t...

Page 136: ...e repository data occurs first in the Master and those changes are propagated to multiple Slaves There can be more than one Slave in a management domain The Slave Maintains an exact replica of the data managed by the Master for the management domain Has a mechanism to keep itself in sync with the Master Will first update Master and then update its own repository data This is in case of repository ...

Page 137: ...Update Servers Administering Device and Credential Repository Managing Devices The Device Management option in DCA helps you manage the list of devices and their credentials Device Management helps you in Adding Devices Deleting Devices Editing Device Credentials Importing Devices and Credentials Exporting Devices and Credentials Excluding Devices Viewing Devices List To perform any of these manag...

Page 138: ...vice and Credentials Device Management The Device Management page appears The Device Management UI helps you perform operations on Standard Devices Cluster Managed devices and Auto Update devices Operations on Auto Update Servers can be performed only at the Auto Update Server Management UI The Device Summary window displays the devices and groups in DCA Step 2 Click Add The Device Properties page...

Page 139: ... can be added in the Standard Management option by selecting the Device Type field as Cisco Cluster Management Suite DSBU Clusters added this way can then be selected in Cluster Managed Type for the field Cluster Step 3 Click Add to List The device is added to the Added Device List in the window To remove the device from the Device List select the device and click Remove from List Step 4 Click Nex...

Page 140: ... Update Server managed device has its own attributes and credentials just like normal devices in DCR In addition it will have the following attributes Device Identity The string value that uniquely identifies the device in parent Auto Update Server The DCR Device ID of the parent Auto Update Server record To add devices and credentials using Auto Update type Step 1 Select the Auto Update radio but...

Page 141: ...ce The attribute fields that appear here can be changed at Device and Credentials Admin User Defined Fields Cluster Managed Type DCR supports Cisco Clusters and their member devices using a mix of standard and additional attributes and credentials To add devices and credentials using Cluster Managed type Step 1 Select the Cluster Managed radio button Step 2 Enter Device Type Display Name Device IP...

Page 142: ...nish You can define four attribute fields for a device These fields are used to store additional user defined data for the device The attribute fields that appear here can be changed at Device and Credentials Admin User Defined Fields Deleting Devices You can delete device information from DCR using this feature When a device is deleted it will also get deleted in all the applications that use DCR...

Page 143: ... be edited and make the required changes Step 3 Select the device for which you want to edit the device information from the device list The current attributes are automatically populated in the device information fields Step 4 Edit the device information on the right pane If you are done with your editing and do not want to proceed click Finish Step 5 Click Next if you want to edit device credent...

Page 144: ...rs Make the required changes in the user defined fields and click Finish The changes made here will apply to all devices selected in Step 2 irrespective of the device management type Auto Update Servers cannot be edited here Even if they are selected in Step 2 they will not be affected See Editing Auto Update Server section on page 4 25 for details on editing Auto Update Server information Also yo...

Page 145: ...g File Local NMS Network Management Station Remote NMS Importing From a File To import from a file Step 1 Enter the file name Or Browse the file system and select the file using the Browse tab Step 2 Select CSV or XML file formats as required Only CSV2 0 and CSV3 0 file formats are supported Step 3 Select either Use data from Import source or Use data from DCR to resolve conflicts during import If...

Page 146: ... From Local NMS To import from Local NMS Step 1 Select the Network Management System type from the NMS type drop down list HPOV6 x and Netview7 x are supported Step 2 Enter the install location in the Install Location field Step 3 Select either Use data from Import source or Use data from DCR to resolve conflicts during import Step 4 Schedule the task To do this a Select the RunType from the drop ...

Page 147: ...ame field ACS admin user name in the User Name field ACS admin user password in the Password field Port number default is 2002 in the Port field Step 2 Select the Operating System type from the OS type drop down list Step 3 Enter the Host name User name and Install location in the corresponding fields Step 4 Select either Use data from Import source or Use data from DCR to resolve conflicts during...

Page 148: ...xport Format file located at NMSROOT objects dcrimpexp conf Export_Format_CSV xml or Export_Format_XML xml to specify the credentials you need to export To see the list of attributes that can be exported Step 1 At the command prompt enter NMSROOT bin dcrcli u username Step 2 Enter the password corresponding to the user name Step 3 Enter lsattr The list of attributes and their description is displa...

Page 149: ...You can select the required devices from the Device Selector pane of the Device Export dialog box Get Device List from File Select this option if you want to export devices from a CSV file that is already present in the server to the file you specify in the Output File Information field You can use this option when the CSV file contains only partial device credentials and you want to get the full ...

Page 150: ... from file Step 1 In the Input File Selection panel enter the input file name or select the input file in CSV format to get device list from using the Browse tab Step 2 In the Output File Information panel enter the location for the output file or click Browse to select the file you require Step 3 Select CSV or XML file formats radio buttons as required Step 4 Schedule the task To do this a Select...

Page 151: ...nd Credentials Device Management The Device Management page appears Step 2 Click Exclude The Upload Exclude Devices File dialog box appears Step 3 Enter the file name or click Browse to browse the file system and select the file The file that needs to be uploaded must be in CSV format Step 4 Click Apply to upload the file A Sample CSV Exclude File This file is generated by DCR Export utility Cisco...

Page 152: ...ile Viewing Devices List You can view the devices in the Device List Report using this feature To view devices in the Device List Report Step 1 In the CiscoWorks Homepage select Common Services Device and Credentials Device Management The Device Management page appears Step 2 Select the devices you want from the Device Summary list and Click View The Device List Report dialog box appears Step 3 Se...

Page 153: ... complete device list in DCA DCA Audit Report Displays the complete device list in DCA within a specified period of time Excluded Devices Report Displays the excluded devices list Import Status Report Displays the last imported device list DCA devices that are not configured in ACS report Displays the list of DCA devices that need to be configured in ACS Step 3 Select the report link in the Availa...

Page 154: ...ate Server Step 1 In the CiscoWorks Homepage select Common Services Device and Credentials Auto Update Server Management The Auto Update Server Management page appears Step 2 Click Add The Auto Update Server dialog box appears Step 3 Enter the Display Name IP address Host Port URN User name and password in the corresponding fields Re enter the password in the Verify field DCR uses a device record ...

Page 155: ...anagement page appears Step 2 Select the device you want to edit from the list and click Edit The Auto Update Server dialog box appears Step 3 Edit Display Name IP address Port URN User name and Password fields Step 4 Click OK Deleting Auto Update Server To delete Auto Update Servers Step 1 In the CiscoWorks Homepage select Common Services Device and Credentials Auto Update Server Management The A...

Page 156: ...e and Credentials Admin The Admin page appears with the current DCA settings You can change the Mode Settings or modify User Defined fields Changing DCR Mode To change Mode Settings Step 1 In the CiscoWorks Homepage select Common Services Device and Credentials Admin The Admin page appears with the current DCA settings Step 2 Click the Mode Settings link The Mode Settings window appears Step 3 Cli...

Page 157: ...age 3 11 for details Step 2 In S add a System Identity user and password This should be same as the Peer Server User set up in M See Setting up System Identity Account section on page 3 13 for details Step 3 Copy the Self Signed Certificate of S to M Also copy the Self Signed Certificate of M to S See Creating Self Signed Certificate section on page 3 9 for details on creating Self Signed Certific...

Page 158: ... 1 Select the Slave radio button Step 2 Enter the hostname of the Master in the Master field Note This hostname should exactly match the Hostname field in the Master s Self Signed Certificate Step 3 Specify the SSL port of the master Default is 443 If the mode is changed from Master to Slave select the Inform Current slave s of new Master Hostname check box If you select this check box all the sla...

Page 159: ... of the current Master you need to change the Slave s mode to Standalone and then re register the machine as a Slave by providing the new Master hostname However when the machine is re configured as Slave the applications will clean up the device list Let us say we have a Master M and Slave S If M s hostname is changed the Slave S has to be made standalone Then it has to be re configured as Slave ...

Page 160: ...lds To rename a user defined field Step 1 In the CiscoWorks Homepage select Common Services Device and Credentials Admin The Admin page appears with the current DCA settings Step 2 Click User defined Fields link The User defined Field dialog box appears Step 3 Select the radio button corresponding to the User defined Field you want to rename Step 4 Click Rename The User defined Field dialog box ap...

Page 161: ...ed Field then click Delete Sample CSV File CSV 2 0 or CSV 3 0 file formats are supported for import A Sample CSV 2 0 File This file is generated by the export utility If you edit this file be sure you know what you are doing Cisco Systems NM data import source export utility Version 2 0 Type Csv Here are the columns of the table Columns 1 and 2 are required Columns 3 through 19 are optional Col 1 ...

Page 162: ...sic Credentials HEADER management_ip_address host_name domain_name device_identity display_na me sysObjectID dcr_device_type mdf_type snmp_v2_ro_comm_string snmp_v2 _rw_comm_string user_defined_field_0 user_defined_field_1 10 77 202 40 Switch6009 cisco com Switch2 1 3 6 1 4 1 9 1 281 0 26843 8100 public private field0 field1 10 77 202 10 Router7000 cisco com Router1 1 3 6 1 4 1 9 1 8 0 2784644 93 ...

Page 163: ...sword snmp_v3_engine_id snmp_v3_auth_algorithm primary_username primary_password primary_enabl e_password 1 1 1 1 ons_host1 cisco com AUS_ID ONS1 1 3 6 1 4 1 9 1 406 0 27361289 2 10 10 10 1 aus_server cisco com AUS_SERV1 UNKNOWN 3 UNKNOWN Start of section 1 AUS proxy HEADER management_ip_address host_name domain_name device_identity display_na me aus_username aus_password aus_url 1 1 1 1 ons_host1...

Page 164: ...dentity display_na me sysObjectID dcr_device_type mdf_type snmp_v2_ro_comm_string snmp_v2_rw _comm_string snmp_v3_user_id snmp_v3_password snmp_v3_engine_id snmp_v3_auth_algori thm primary_username primary_password primary_enable_password 1 1 1 1 ons_dev_1 cisco com ONS1 1 3 6 1 4 1 9 1 406 0 273612892 10 10 10 1 host1 cisco com cluster1 Unknown 1 278283831 Start of section 3 DSBU managed HEADER m...

Page 165: ... IP host_name and display_name RO community string snmp_v2_ro_comm_string RW community string snmp_v2_rw_comm_string Serial Number Not used in CSV 3 0 User Field 1 user_defined_field_0 User Field 2 user_defined_field_1 User Field 3 user_defined_field_2 User Field 4 user_defined_field_3 Telnet password primary_password Enable password primary_enable_password Enable secret primary_enable_password Ta...

Page 166: ...password and primary_enable_password for both Enable Password and Enable Secret Sample XML File Sample XML File Standard xml version 1 0 DEVICES DEVICE SET Name Basic Credentials DEVATTRIB Name management_ip_address 10 77 202 40 DEVATTRIB DEVATTRIB Name host_name Switch6009 DEVATTRIB DEVATTRIB Name domain_name cisco com DEVATTRIB DEVATTRIB Name display_name Switch2 DEVATTRIB DEVATTRIB Name sysObje...

Page 167: ... Name display_name ONS1 DEVATTRIB DEVATTRIB Name sysObjectID 1 3 6 1 4 1 9 1 406 DEVATTRIB DEVATTRIB Name dcr_device_type 0 DEVATTRIB DEVATTRIB Name mdf_type 273612892 DEVATTRIB SET SET Name AUS proxy DEVATTRIB Name aus_username admin DEVATTRIB DEVATTRIB Name aus_password admin DEVATTRIB SET SET Name AUS managed DEVATTRIB Name device_identity AUS_ID DEVATTRIB DEVATTRIB Name parent_aus_id display_n...

Page 168: ...B Name display_name ONS1 DEVATTRIB DEVATTRIB Name sysObjectID 1 3 6 1 4 1 9 1 406 DEVATTRIB DEVATTRIB Name dcr_device_type 0 DEVATTRIB DEVATTRIB Name mdf_type 273612892 DEVATTRIB SET SET Name DSBU managed DEVATTRIB Name dsbu_member_number 1 DEVATTRIB DEVATTRIB Name parent_dsbu_id display_name cluster1 DEVATTRIB SET DEVICE DEVICE SET Name Basic Credentials DEVATTRIB Name management_ip_address 10 10...

Page 169: ...sing dcrcli Step 1 Enter NMSROOT bin dcrcli u username Step 2 Enter the password corresponding to the username Step 3 Enter add ip value hn value di value dn value a attname value Enter either the IP address ip Hostname hn or Device Identity di Enter the Display Name dn and the Attribute name a attname The attribute sysObjectID is mandatory You can add multiple attributes For example add ip 1 1 1 ...

Page 170: ...ddress ip Hostname hn or Device Identity di Enter the Display Name dn and the Attribute name a attname You can add multiple attributes For example mod id 54341 ip 2 2 2 2 dn cisco com a display_name new_name Listing the Attributes To view the list of all attributes Step 1 Enter NMSROOT bin dcrcli u username Step 2 Enter the password corresponding to the username Step 3 Enter lsattr This lists Attr...

Page 171: ...onding to the username Step 3 Enter lsmode It lists the DCR ID the DCR Group ID the current DCR mode and the associated Master Slaves Viewing Device Details To view device details using dcrcli Step 1 Enter NMSROOT bin dcrcli u username Step 2 Enter the password corresponding to the username Step 3 Enter details id DeviceID This lists all the details about the device with the ID you have specified ...

Page 172: ... The DCR mode gets changed to Master To change mode to Standalone Step 1 Enter NMSROOT bin dcrcli u username Step 2 Enter the password corresponding to the username Step 3 Enter setstand The DCR mode gets changed to Standalone To change mode to Slave Step 1 Enter NMSROOT bin dcrcli u username Step 2 Enter the password corresponding to the username Step 3 Enter setslave master value You have to spe...

Page 173: ...alues Example impFile fn opt CSCOpx test csv ft csv To Import from Local NMS Enter impNms nt NMS type il Installation location nt NMS type Valid values are HPOV6 x and Netview7 x il Installation location of the NMS Example impNms nt HPOV6 x il opt OV To import from Remote NMS Enter ImpRNms nt NMS type hn hostname un Remote User Name il Installation location ot OS Type nt NMS type Valid values are ...

Page 174: ... 2002 Export Using CLI You have the option to export using Command Line Interface Step 1 Enter NMSROOT bin dcrcli u username Step 2 Enter the password corresponding to the user name Step 3 Enter exp fn filename ft filetype For filetype CSV or XML are valid values You can edit the Export Format file located at NMSROOT objects dcrimpexp conf Export_Format_CSV xml Or Export_Format_XML xml to specify ...

Page 175: ...s View Devices task assigned in ACS When performing operations in DCR evensong you select some devices and click the appropriate button the operation will not be performed on all selected devices unlike in CiscoWorks local mode This is because the operation will be done only on those devices for which the you has been assigned required privilege For example a user U2 is assigned Helpdesk role for ...

Page 176: ...ned for all tasks which require device selection Add View Devices task is necessary for seeing AUS or Cisco Cluster in Add wizard Edit View Devices task is necessary to see a device s details in Edit wizard Bulk import Add and Update tasks are necessary Export View Devices task is necessary Delete None Reports None Change Mode None Add User Defined Fields in DCR None Modify User Defined Fields in ...

Page 177: ...eature Group Server Manages groups of devices It helps you to create edit delete and refresh groups It interfaces with an application service adapter ASA to evaluate group rules and retrieve devices of a particular group Application Service Adapters ASAs Application specific information repository that serves as source of the devices and attributes that are grouped by the Groups Server For Common ...

Page 178: ...ject to access control restrictions The membership of a group is determined by a rule Group Rule Consists of one or more rule expressions combined by operators which can be AND OR or EXCLUDE Group Concept A group is a named set of devices The group is characterized by a set of properties such as an associated rule name description type and access permission The rule determines the membership of a ...

Page 179: ...up rule was evaluated Container Groups Container groups are groups without a rule The group membership is the union of the membership of its sub groups If a container group does not have sub groups the membership list will be blank System defined and User defined Groups After you install Common Services you get two predefined groups They are System Defined Groups System Defined Groups are automati...

Page 180: ...rations on the members of the group JIT groups are created based on the device types that are currently available in DCR If all devices belonging to a single MDF type are deleted the corresponding JIT group also gets deleted Common Groups and Shared Groups Common group is the Common Services CS groups that are seen in the Groups UIs of Applications Shared groups are the application groups other th...

Page 181: ...ame Here RME hostname is the local group CS hostname is the common group and Campus hostname is a shared group Similarly in the Groups UI in Campus Manager Campus hostname is the local group RME hostname is a shared group and CS hostname is the common group Figure 5 1 a screen shot taken from the Group Administration UI in Common Services on a machine machine name bundle pc3 that has Common Servic...

Page 182: ...n which a request is made Filtering will be performed only when operating in ACS mode While operating in Non ACS mode no filtering will be performed and evaluating a group results in all devices of that group being returned For example if there are two users A and B configured in ACS with different set of privileges such that A can operate on devices D1 D2 D3 and B can operate on D4 and D5 If B tr...

Page 183: ... any operation on the group Routers from the Groups UI in Common Services However if you perform any operation on the subgroup Routers from the Groups UI in RME you may not see all the 100 devices you have added to the group from Common Services Instead only those devices that RME manages are displayed Say you create a subgroup in Campus Manager based on subnets and add 30 devices When you perform...

Page 184: ...u cannot create groups in Common Services if it is in Slave mode But for applications you can create groups even if the server on which they are installed is in Slave mode For example say we have two servers M and S where M is in Master mode and S is in Slave mode Let both the machines have Common Services and RME installed In M you can see the following groups CS master hostname RME master hostna...

Page 185: ...of the Master RME bundle pc12 Application group pertaining to the Master RME bundle sun280r1 Application group pertaining to the Slave Similarly in S you can see the following groups CS slave hostname RME master hostname RME slave hostname Figure 5 3 Groups Window in Application in a Multi server Setup In Figure 5 3 you can see the groups displayed in the Application RME Groups UI in a multi serve...

Page 186: ...e versa DCR Mode Changes and Group behavior The DCR modes have a bearing on how groups are displayed in the Groups UI Also the DCR mode decides whether you can perform any operation on the groups In Standalone mode the groups you create in the CS Groups UI is propagated to the application Group instances of the applications installed in the same machine To perform operations on application groups ...

Page 187: ...or Mode Changed to The initial mode Standalone Slave Master Standalone Not applicable Master will get all the Slave groups That is if Slave has App 1 installed Master will have all the groups that belong to App 1 on Slave All these groups appear under the root group App 1 Slave Also Slave will get Master s groups Group UI gets disabled No change in the Group hierarchy ...

Page 188: ...switch to Standalone mode All groups pertaining to other machines will be removed Groups UI will be enabled on all machines in the cluster If you select the Inform current Slaves of new Master Hostname check box when you change the mode to Slave all the Slaves in the domain switch to the new Master In this case application groups of all the Slaves in the domain and the groups in the Master will be...

Page 189: ...he Slave s mode change when it comes up The Master will not receive any data from the Slave but the Slave information will still be present in the its registry A redundant group such as CS Slave will still appear in the Master s Groups UI In the case of DCR any device operation on Master will update the Slave list But the same does not happen in the case of Groups You can run the UnregisterSlave u...

Page 190: ...de information on how to perform group administrative tasks in Common Services Creating Groups Modifying Group Details Viewing Group Details Refreshing Groups Deleting Groups Creating Groups To create a new device group Step 1 In the CiscoWorks Homepage select Common Services Groups Group Admin The Groups Administration page appears The Group Administration and Configuration dialog box in the Grou...

Page 191: ...be performed 1 Specifying Group Properties 2 Defining Group Rules 3 Assigning Group Membership While creating a new group you must complete all the three tasks in this sequence to create a group If you exit the wizard at any stage by clicking Cancel the details you have specified will be lost and the group will not be created Specifying Group Properties While specifying group properties you can en...

Page 192: ...inistration wizard changes the parent group to the one you selected and returns to the Properties Create window Step 8 Enter a description for the group Typically you can enter a detailed description of the group identifying its characteristics in this field Step 9 Select the Membership Update mode for the group The modes of membership updates available are Automatic The membership of the group is...

Page 193: ...Create dialog box allows you to check the syntax in the Rules Text field You can use this facility to validate the rules you have created If you leave the rule blank it creates a Container group Click View Parent Rules to display the rules defined for its ancestor groups You can select the parameters from Rule Expression fields to create a new set of rules If you do not want to use the rules curre...

Page 194: ...r the parent groups click View Parent Rules Step 4 Click Next The wizard takes you to the Membership Create dialog box where you can further refine the group definition by adding or deleting specific devices from the group Assigning Group Membership To decide the devices available to the group you have created the wizard uses the details of the parent members and rules you have already specified T...

Page 195: ... window appears It displays the group name the parent group description the membership update type group rules and the visibility scope of the group you created If you want to change the parameters click Back to go back to the previous windows and make changes Step 4 Click Finish to create the group based on the parameters specified Viewing Group Details To view the details of a group Step 1 In th...

Page 196: ...elect the number of rows to be displayed in the table To do this select the desired number of rows in Rows per page Click Property Details to return to the Property Details window Step 4 Click Cancel to return to the Group Administration and Configuration page Modifying Group Details You can modify some of the details for a group using this feature To modify the details of a group Step 1 In the Ci...

Page 197: ...ow Step 8 Add or remove devices from the list of objects in Objects Matching Membership Criteria as required For details on creating the rules see Assigning Group Membership section on page 5 18 Step 9 Click Next The wizard takes you to the Summary window If you want to change the parameters specified click Back to go back to the previous windows and make changes to the properties or rules Step 10...

Page 198: ... Group Administration and Configuration dialog box select the group from Group Selector The Group Info fields on the right pane displays details of the selected group Step 3 Click Refresh The Group Administration pop up window prompts you for confirmation Step 4 Click Yes The selected group is recomputed and the window refreshed Deleting Groups You can delete a group from the Group Selector When y...

Page 199: ...on DisplayName Device name as you want it to be represented in reports or graphical displays Can be derived from Host Name Management IP address or Device Identity ManagementIpAddress IP address used to access the device Both IPv4 and IPv6 address types are supported HostName Device Host name DomainName Domain name of the device DeviceIdentity Identifies pre provisioning devices The value would be...

Page 200: ...Note You should not create a User Defined fields in the format System Defined Field_UDF where System Defined Field stands for any attribute listed in the above table By default four user defined fields are available You can create 12 user defined fields in DCR The maximum number of user defined fields that can be added in the Variable drop down list is 16 Series Series to which the device belong T...

Page 201: ... Device Center Window You can also launch Element Management tools reports and management tasks Since all this information and reports for a single device are available from a single location Device Center helps you in troubleshooting devices Device Center caters to a broad variety of device centric features from a single location After launching Device Center you can invoke many tools on the sele...

Page 202: ...options From CiscoWorks Homepage Launch the Device Center main page from the CWHP and select a device To launch device center from CWHP select CiscoWorks Homepage Device Troubleshooting Device Center Bookmark the Device Center URL and launch directly from the browser window Launch Device Center for a device from one of the application functions such as reports For example you can launch Device Cen...

Page 203: ... Selector field The Device Summary and Functions Available panes appear Step 3 Click any of the links under the Functions Available pane to launch the corresponding application function The links are launched in a separate window If you enter the device name or IP address of a device not managed by any of the applications installed on the Common Services server the Functions Available pane display...

Page 204: ... can view and select devices using the device selector Note After you select a device using Device Selector you will get information on the applications that manage the device Device Selector allows you to Change device selection to see related information for the selected device Troubleshoot or manage the device selected Select a device from the list tree or by entering in the IP address or devic...

Page 205: ...s or device name in the text box provided and clicking the button Passing device context as parameters Passing device context as parameter is meant for applications only Management Functions helps you perform these tasks Enabling Debugging Tools Displaying Reports Performing Management Tasks Note You must have the required privileges to use some of the functions Enabling Debugging Tools The Tools ...

Page 206: ...find out the address The test will fail if it cannot find an address You can test UDP echo test port 7 Sends an echo request to UDP port 7 TCP echo test port 7 Sends an echo request to TCP port 7 HTTP availability test port 80 Sends an HTTP request to the HTTP port 80 of the destination device TFTP availability test port 69 device must be configured as a TFTP server Sends a TFTP request to the TFT...

Page 207: ...dential fetching fails and the fields of read write community strings of SNMP v1 v2c read write SNMPv3 credentials are set to default values You have to manually enter SNMP v1 v2c v3 credentials To invoke Management Station to Device tool Step 1 Select Device Troubleshooting Device Center Step 2 Enter the name or IP address fully qualified domain name or hostname of the device you want to check in...

Page 208: ...interfaces tested and the test results for each option Using Ping Use the Ping tool to test whether the device is reachable A ping tests an ICMP echo message and its reply Since ping is the simplest test for a device use it first You can view the packets transmitted and received percentage of packet loss and round trip time in milliseconds If ping fails try using traceroute Step 1 Select Device Tr...

Page 209: ...ce you want to check in the Device Selector field and click GO Or Select the device from the list tree The Summary and Functions Available panes appear Step 3 From the Functions Available pane click Traceroute The results of the trace appear in the Traceroute window Using SNMP Walk SNMP Walk allows you to trace the MIB tree of a device starting from a given OID for purposes of troubleshooting or g...

Page 210: ...ord Specify the SNMP v3 Auth Protocol Select either the MD5 radio button or the SHA radio button Enter the starting OID optional If this field is left blank the tool will start from 1 Enter the SNMP Timeout The default is 10 seconds Select the check box to get output OIDs numerically The fields are case sensitive Step 6 Click OK to get the results The results will be based on the parameters you en...

Page 211: ...anes appear Step 3 From the Functions Available pane click SNMP Set The SNMP set dialog box appears Step 4 Enter the IP address or the DNS name Step 5 For SNMP Version 1 and 2c if it is a 64 bit counter use SNMP v2 Enter the ReadWrite community string Enter the object ID that you are trying to set along with the instance ID or number Select the Object Type from the drop down list The values vary w...

Page 212: ...MP Set feature with Network Operator Help Desk privilege device credential fetching fails and the fields of read write community strings of SNMP v1 v2c read write SNMPv3 credentials are set to default values You have to manually enter SNMP v1 v2c v3 credentials Using Packet Capture The Packet Capture tool can be used to capture live data from the CiscoWorks machine to aid in troubleshooting You sh...

Page 213: ... appears If you click OK with the default values without setting any of the parameters the screen will try to capture for the next 60 seconds Then it terminates and displays the Packet Capture dialog box with the new packet capture file added to the list of the archived capture files Click on the new packet capture file link to get a sniffer output of packets received by the CiscoWorks Server Step...

Page 214: ...es stop after 60 seconds Step 4 Click OK The Packet Capture dialog box with the new packet capture file added to the list of the archived capture files is displayed after the capture is performed Step 5 Click on the new packet capture file link to get the result While the capture is being performed if you click OK Packet Capture status popup appears with the current status of the capture If you cl...

Page 215: ...em Administrator or Network Administrator privileges to use this feature If the IP address or the device name you enter is not present in Device and Credential Repository DCR the Edit Credential link will not be displayed Displaying Reports The Report pane in the Device Center page displays the list of the reports that can be launched for a device The reports displayed in the Report pane depends o...

Page 216: ...Chapter 6 Using Device Center Performing Management Tasks 6 16 User Guide for CiscoWorks Common Services 78 16571 01 ...

Page 217: ...le the device support packages such as IDU have to be installed based on the installation instructions documented in the respective readme files You may also uninstall a device support package Software Center does not support uninstallation of software updates To backup what is installed on the server Software Center maintains a package and device map in the installed packages directory of the res...

Page 218: ... and the date on which the software was installed To sort the table by version or date of installation click on the Version Installed Date link You can click the product name links to view the Applications and Packages Installed with the Product page that gives the details of the installed applications patches and packages of the product The Software Updates page provides options to download updat...

Page 219: ...dates Step 1 In the CiscoWorks Homepage select Common Services Software Center Software Updates The Software Updates page appears Step 2 In the Products Installed dialog box select the check box corresponding to the product for which you want to select update Step 3 Click Select Updates Step 4 Select the product you need to update then click Next Step 5 Select a destination location then click Nex...

Page 220: ...ad policy Package map is a snap shot of the currently installed device packages for a Product The backup restore framework uses Package map during data backup Click on the device type count link to view the Device Map that lists the SysObjectID Device Name Package Name and Version To check for updates Step 1 In the CiscoWorks Homepage select Common Services Software Center Device Updates The Devic...

Page 221: ... Readme Details Links to the Readme files associated with the update Posted date Date on which the update was posted on Cisco com Size Size of the update Step 5 Select the check box corresponding to the package that you wish to update then click Next The Device Update page appears You can either install device packages or download device packages To install device packages select the Install Devic...

Page 222: ...nfirm If you select Install Device Packages a Click Next A summary of your inputs is displayed b Click OK to confirm A warning appears informing you that the daemons are restarted c Click OK to continue with installation Deleting Packages You can also delete packages that are outdated or you no longer use To delete a package Step 1 In the CiscoWorks Homepage select Common Services Software Center ...

Page 223: ...he downloads You can also specify download policies Software Center supports the following download policies Download all latest device packages of products installed in the machine Download newer versions of currently installed packages Download the specified packages comma separated You have to provide your Cisco com credentials and the location to which the packages should be downloaded To sche...

Page 224: ...own list The options are Immediate Once Daily Weekly Monthly If you select any of the options other than Immediate a Select the date from the date picker b Specify the time from the drop down lists Step 5 In the Job Description field enter a description for the download job This is mandatory Step 6 Enter the E mail ID in the E mail field Step 7 Click Apply Step 8 Click Accept in the confirmation p...

Page 225: ...he software center To view Scheduled Job Details click Scheduled Job Details in the TOC The Scheduled Job Details page appears with the following information Job Job ID Date Time and the date on which the job was executed Applicable Products Products to which the download is applicable To view the Event Log click Event Log in the TOC The Event Log page appears with the following information Produc...

Page 226: ...Chapter 7 Working With Software Center Viewing Activity Logs 7 10 User Guide for CiscoWorks Common Services 78 16571 01 ...

Page 227: ...us Testing Device Connectivity Troubleshooting the CiscoWorks Server Troubleshooting Suggestions Verifying Server Status There are several tools that enable you to gather and analyze information about your CiscoWorks Server See Table 8 1 and Table 8 2 Table 8 1 Server Status Task Purpose Action Administrative Tasks Perform self test Runs self tests and generates a report with the results Select Se...

Page 228: ...in Processes Collect server information Provides system information environment configuration logs and web server information Select Server Admin Collect Server Information or Enter the following command On Windows NMSROOT bin collect info On Solaris NMSROOT bin collect info where NMSROOT and NMSROOT are the directories where you installed CiscoWorks in Windows and Solaris respectively Table 8 1 S...

Page 229: ...any other support utilities registered and run them Other MDCs need to register their own support utilities that will collect their relevant data For Windows go to NMSROOT MDC bin and execute the command MDCSupport exe The utility creates a tar file in NMSROOT MDC etc directory If etc directory is full or if you want to preserve the data collected previously by not over writing the tar file you ma...

Page 230: ...inued If etc directory is full or if you want to preserve the data collected previously by not over writing the tar file you may create another directory by running the following command mdcsupport Directory Before you close the command window ensure that the MDC Support utility has completed its action If you close the window prematurely the subsequent instances of MDCSupport Utility will not fun...

Page 231: ...ctivity between the CiscoWorks Server and a device Select Device Center Tools Management Station to Device See Checking Device Connectivity section on page 6 6 for details Packet Capture Captures live data from the CiscoWorks machine to aid in troubleshooting Select Device Center Tools Packet Capture See Using Packet Capture section on page 6 12 for details To set an SNMPobject on a device Sets an...

Page 232: ... are too many dialog boxes This makes the process tedious Is there a way to reduce the number of dialog boxes and steps When I invoke CiscoWorks I m unable to get to the login page directly Instead I m facing a security alert related to the site s security certificate It asks for my input to proceed further Why My server certificate for CiscoWorks has expired What should I do I installed CD One an...

Page 233: ...ge the Hostname of the CiscoWorks Server after installing it or after running it for a while How do I find out which devices are supported by a particular application How do I verify if SSH is enabled or disabled on my device using CiscoWorks Server How do I verify if SSH is enabled or disabled on my device using CiscoWorks Server How to verify which version of SSH is running on my system Is it po...

Page 234: ...nning in secure mode HTTPS is often caused by configured certificates in the client computer Q When I invoke CiscoWorks in the secure mode HTTPS there are too many dialog boxes This makes the process tedious Is there a way to reduce the number of dialog boxes and steps A Yes You have the following options If you are using self signed certificates In Netscape Navigator select the option Accept the ...

Page 235: ...be issued by trusted Certificate Authority The date of the certificate must be valid Each certificate is assigned a validity period It can range from 21 days to 5 years The name of the certificate and name of the page or the name typed in the address bar of the browser are the same To view the certificate information Click View Certificate in the alert box for Internet Explorer Click Examine Certi...

Page 236: ...lar and keep them in a safe location Q I installed CD One and got an error message that EDS was not registered with the daemon manager Did I do anything wrong A EDS is part of the CD One deliverable but is not enabled without Campus Manager or Resource Manager Essentials If you are going to install either of these application suites EDS will be automatically enabled after installation Q Which vers...

Page 237: ...t my CiscoWorks application A If you cannot start your CiscoWorks application and get error messages complaining that the WebServer might not be running This may occur although pdshow indicates that those processes are up and running You might need to check how your machine is resolving its server name and IP address The CiscoWorks CORBA applications require name resolution to work properly Domain...

Page 238: ...rom SSL mode to non SSL mode Change from non SSL mode to SSL mode Log out from any other CiscoWorks application Visit other sites and then return to CiscoWorks Do not alter the existing technologies in the default configuration file If all of the parameters listed are correct see the Troubleshooting Suggestions section on page 8 33 tmp 1 cmf filebacku p tar CiscoWorks Server application tar files ...

Page 239: ...tus link to get detailed database status Step 6 Contact the Cisco TAC or your customer support to get the information you need to access the database and find out details about the problem After you have the required information perform the following tasks for detecting and fixing database errors Depending upon the degree of corruption the database engine may or may not start For certain corruptio...

Page 240: ...casusers Step 5 Run the command cd NMSROOT objects db conf NMSROOT bin perl configureDb pl action validate dsn cmf The dbvalid command displays a list of tables being validated The Validation utility scans the entire table and looks up each record in every index and key defined on the table If there are errors the utility displays something like Validating DBA xxxx run time SQL error Foreign key p...

Page 241: ...e while accessing the UIs Q How do I change the port for osagent in Windows A To change the port for osagent in Windows Step 1 Backup your Windows registry Step 2 In the Registry Editor navigate to HKEY_LOCAL_MACHINE SOFTWARE Cisco Resource Manager Current Version Daemon RmeOrb Step 3 Change the value of Args from p 42342 to an unused port number for example p 44444 Step 4 Navigate to HKEY_LOCAL_M...

Page 242: ...o 44444 Step 10 Reboot the server NMSROOT is the installation directory for CiscoWorks Server Q How do I change port for osagent in Solaris A To do this Step 1 Stop daemons Step 2 Make sure that no CSCO processes are running Step 3 Make sure all ports used by CiscoWorks are free To do this enter netstat na grep 423 netstat na grep 174 If these ports are free you will not see any output Step 4 Veri...

Page 243: ... 44444 Step 7 Open the file etc services in a plain text editor such as vi Step 8 Comment out the entry for CSCOsa port and add the following entry cscoosa 44444 udp CSCO NM osagent Note The change is for the port number only Step 9 Open var sadm pkg CSCOmd pkginfo in a plain text editor such as vi Change the entry from OSAGENT_PORT 42342 to OSAGENT_PORT 44444 Change the entry from PX_OSA_PORT 423...

Page 244: ...p 2 Change the port numbers as required Step 3 Reboot the system Q How do I change ESS port in Windows A To do this Step 1 Back up your Windows registry Step 2 In the Registry Editor navigate to HKEY_LOCAL_MACHINE SOFTWARE Cisco Resource Manager Current Version Daemon ESS Step 3 Change the value of Args from store NMSROOT objects ess conf rvrd conf logfile NMSROOT log ess log listen 42351 no http ...

Page 245: ...click on Finish This enables the Debug option Enabling debug mode allows the login module to add the detailed progress and failure information to log files The log files are located at CSCOpx MDC Tomcatlogs stdout log For all failed login attempts the log files contain LDAP error messages which specify the reason for the failure For example if the Usersroot configuration is incorrect then the logi...

Page 246: ...rotocol TCP IP and click Properties The Internet Protocol TCP IP Properties dialog box appears Step 4 Select the radio button Use the following IP address Step 5 Change the IP address as required in the IP Address field For the subnet mask and default gateway values use the command ipconfig at the command prompt The subnet mask and default gateway values appear Step 6 Enter these values in the sub...

Page 247: ... pertaining to the Solaris system not the LMS or SMS software and guides you through the server renaming process You also do this when you change the hostname in the hosts hostname hme0 and nodename files in the etc directory Step 3 Change the hostname in registry entries in the CurrentControlSet Step 4 Change the hostname in regdaemon xml NMSROOT MDC etc regdaemon xml Step 5 Create a file NMSROOT...

Page 248: ... are supported by a particular application A Select Common Services Software Center Software Updates Under Applications Installed click the application name to see a list of the supported devices Q How do I verify if SSH is enabled or disabled on my device using CiscoWorks Server A To verify whether SSH is enabled or disabled using the CiscoWorks Server Step 1 Log on to the CiscoWorks Step 2 Selec...

Page 249: ...AA client in it for CiscoWorks to avail AAA service At the same time ACS does not allow itself to be configured as an AAA client which is required when ACS and CiscoWorks coexists Hence the configuration required for ACS integration will fail Q How do I change the casuser password A You can change the casuser password using resetCasuser exe It can be executed only by an administrator or casuser To...

Page 250: ...y To change the user password on Solaris Step 1 Enter etc init d dmgtd stop to stop the Daemon Manager At the command prompt enter NMSROOT bin resetpasswd username Step 2 A message appears Enter new password for username Step 3 Enter the new password Step 4 Enter etc init d dmgtd start to start the Daemon Manager To change the user password on Windows Step 1 Enter net stop crmdmgtd to stop the Dae...

Page 251: ...communication on HTTPS Enter NMSROOT bin perl NMSROOT bin camssl pl disable Step 2 Restart the Daemon Manager On Windows Enter net stop crmdmgtd Enter net start crmdmgtd On Solaris Enter etc init d dmgtd stop Enter etc init d dmgtd start Q How do I change web server port numbers A To change the web server port numbers you must execute separate commands for both Windows and Solaris On Solaris You c...

Page 252: ...ied port number The restrictions that apply to the specified port number are Port numbers less than 1025 are not allowed except 80 HTTP and 443 HTTPS Also port 80 is not allowed for SSL port and port 443 is not allowed for HTTP port The specified port should not be used by any other service or daemon The utility checks for active listening ports and ports listed in etc services If any conflict is ...

Page 253: ...information about the changed port and a list of all the files that are backed up and their actual location in the CiscoWorks directory A sample backup maybe similar to opt CSCOpx conf backup README txt Note the purpose of this directory as it is initially empty AAAtpaG03_Ciscobak Autogenerated unique backup directory index txt The backup file list httpd conf Webserver config file md properties Ci...

Page 254: ...n Windows You can change the web server port numbers for the Common Services Webserver You can also change both the HTTP and HTTPS port numbers To change the port numbers you must have administrative privileges Run the following command at the prompt CSCOpx MDC Apache changeport exe If you execute this utility without any command line parameter CiscoWorks displays the following usage text Common S...

Page 255: ...ts and if any conflict is found the utility rejects the specified port There is no reliable way to determine whether any other service or application is using a specified port If the service or application is running and actively listening on a port it can be easily detected However if the service is currently stopped there is no way that the utility can determine what port it uses This is because...

Page 256: ...file regdaemon xml Common Services config registry data file ssl properties CiscoWorks config elements for SSL mode vms_web xml Common Services application config file Note All the above files and the unique directories are stored with read only permissions Only the administrator and casuser have write permissions to ensure the security of the backup files The change port utility displays messages...

Page 257: ...tep 1 Stop Daemon Manager On Solaris Run etc init d dmgtd stop On Windows Run net stop CRMdmgtd Step 2 Run NMSROOT bin perl NMSROOT bin ModifyTomcatHeap pl max heap in MB Step 3 Start Daemon Manager On Solaris Run etc init d dmgtd stop On Windows Run net start CRMdmgtd If Tomcat is already configured for higher memory than what you specify when you run the command it displays message stating this ...

Page 258: ...l You have to edit the following section of the file context param param name DEBUG param name param value false param value description mice debug enabling description context param Step 2 Change param value false param value to param value true param value Q What does cmf stand for A The cmf acronym stands for Common Management Foundation This phrase describes the set of management services prov...

Page 259: ...d the port Make sure all CiscoWorks processes are terminated usr ucb ps auxww grep CSCO Wait five to ten minutes then try to restart the Daemon Manager User has forgotten his password Common Services cannot recover forgotten passwords A system administrator level user must either change the password or delete and then add the user again You are logged out of the CiscoWorks Server Changes in the lo...

Page 260: ...to the device with a commercial SSH client If you are able to connect go to step 3 If you are not able to connect check whether the device is running SSH enabled K2 or K9 image If it is not the correct image download the appropriate image to the device If you have the correct image then see whether you have created RSA key pairs in the device Creating RSA keys will enable SSH in the device 3 Check...

Page 261: ...Daemon Manager Solaris only Found Non SSL compliant products that do not function in SSL enabled mode Disable SSL from CLI and then start the daemon manager After installation while starting the daemon manager the following error message is displayed Service Not responded in a timely fashion Found Non SSL compliant products that do not function in SSL enabled mode Disable SSL from CLI and then sta...

Page 262: ...Chapter 8 Diagnosing Problems With CiscoWorks Server Troubleshooting Suggestions 8 36 User Guide for CiscoWorks Common Services 78 16571 01 ...

Page 263: ...Server provides and requires three levels of security to be implemented to ensure a secure environment General Security Partially implemented by the client components of CiscoWorks and by the system administrator Server Security Partially implemented by the server components of CiscoWorks and by the system administrator Application Security Implemented by the client and server components of the Ci...

Page 264: ...pplications and data However CiscoWorks applications can change the behavior and security of your network devices Therefore it is critical to limit access to applications and servers as follows Limit access to personnel who need access to applications or the data that the applications provide Limit CiscoWorks Server logins to just the systems administrator Limit connectivity access to the CiscoWor...

Page 265: ...he log files created by the CiscoWorks web server and diskwatcher The CiscoWorks web server and diskwatcher must be started as root Therefore their log files are owned by the user root with group casusers Windows Systems CiscoWorks must be installed by the administrator and must be installed as the user casuser If it is a new installation the system displays a Yes No message prompting you to eithe...

Page 266: ...root permissions the daemon manager will execute only a limited set of CiscoWorks programs that need root privilege This list is not documented to preclude any user from trying to impersonate these programs All back end processes are executed with a umask value of 027 This means that all files created by these programs are created with permissions equal to rwxr x with an owner and group of the use...

Page 267: ...local system but does not have network permissions CiscoWorks provides several services for RCP TFTP communication with devices These services are targeted for use by CiscoWorks applications but can be used for purposes other than network management The CiscoWorks Server uses the at command to run software update jobs for the Resource Manager Essentials Software Image Manager application Jobs run ...

Page 268: ...user is a user ID that is not typically enabled for login Using this user ID as the user ID under which to install the CiscoWorks Server software simplifies the installation process and ensures limited access to the CiscoWorks Server This is because casuser is not a valid login ID as there is no password assigned to it However the casuser user on UNIX systems is capable of performing system and po...

Page 269: ...s security policies Back up the security certificates in a safe location if you are using SSL in CiscoWorks Server Connection Security CiscoWorks Server uses Secure Socket Layer SSL encryption to provide secure connection between the client browser and management server and Secure Shell SSH to provide secure access between the management server and devices Security Certificates Security certificat...

Page 270: ...hat a specific public key belongs to this server Certificates can be issued for a variety of functions such as web user authentication web server authentication secure e mail S MIME IP Security Transaction Layer Security TLS and code signing CiscoWorks Server supports security certificates for authenticating secure access between client browser and management server CiscoWorks supports the followi...

Page 271: ... The protocol secures the sessions using standard cryptographic mechanisms and the application can be used similarly to the Berkeley rexec and rsh tools Two versions of SSH are currently available SSH Version 1 and SSH Version 2 Common Services 3 0 supports SSH Version 1 PKCS 8 Public Key Cryptography Standards PKCS are a set of standards for public key cryptography developed by RSA Laboratories i...

Page 272: ...an ASCII text document that looks like the following BEGIN CERTIFICATE MIIC4jCCAkugAwIBAgIEA0E1UDANBgkqhkiG9w0BAQBhMC VVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYNQ2lz Y28gU3lzdGVtczENMAsGA1UECxMERU1CVTEqMCgG0ZXN0 MiBDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4XDTAyMDas3DA4 NTgwOVowgYIxCzAJBgNVBAYTAklOMQswCQYDVQQIQ2hl bm5haTEMMAoGA1UEChMDSENMMQ0wCwYDVQQLEtzZGlu YWthci1wYzEhMB8GCSqGSIb3DQEJARYSc2RpbmFrYXfMA0G CSqGSIb3DQE...

Page 273: ... encryption As part of a public key infrastructure PKI a CA checks with a registration authority RA to verify information provided by the requestor of a digital certificate If the RA verifies the requestor s information the CA then issues a certificate CiscoWorks TrustStore or KeyStore CiscoWorks TrustStore or KeyStore is the location where CiscoWorks maintains the list of Certificates that it tru...

Page 274: ...Appendix A Understanding CiscoWorks Security Server Security A 12 User Guide for CiscoWorks Common Services 78 16571 01 ...

Page 275: ...g 3 55 DCA 4 26 Master Slave configuration prerequisites 4 27 mode changing 4 26 user defined fields adding 4 29 user defined fields deleting 4 31 user defined fields renaming 4 30 applications Application panels in CWHP 2 6 applications on another server 2 6 traditional applications 2 7 licensing 3 68 licensing information viewing 3 70 licensing procedure 3 69 obtaining a license 3 68 updating li...

Page 276: ...ms and definitions in A 8 Base64 encoded X 509 certificate format A 10 CA certificate authority A 11 CiscoWorks TrustStore or KeyStore A 11 PKCS 8 A 9 public key private key A 9 SSH A 9 SSL A 9 understanding A 7 Cisco com connection managing 3 44 CiscoWorks Homepage see CWHP 2 1 CiscoWorks Server troubleshooting 8 1 collecting information on 8 2 FAQs 8 6 locked out of 8 12 MDC support 8 3 process ...

Page 277: ...Updates panel 2 7 Common Services panel 2 5 Device Troubleshooting panel 2 7 Resources panel 2 7 toolbar buttons 2 8 web server port numbers changing 2 14 D Daemon Manager using 3 52 restarting on Solaris 3 52 restarting on Windows 3 53 database inaccessible troubleshooting 8 13 path includes cmf explanation 8 12 DCA Device and Credential Admin 4 1 administering 4 26 Master Slave configuration pre...

Page 278: ...oups 5 19 from the device list using dcrcli 4 39 peer server certificates 3 15 user defined fields from DCA 4 31 users 3 8 Device and Credential Admin see DCA 4 1 Device Center 6 1 debugging tools enabling 6 5 device connectivity checking 6 6 packet capture 6 12 Ping using 6 8 SNMP Set 6 11 SNMP Walk using 6 9 Traceroute using 6 9 invoking 6 3 launching 6 2 management functions management tasks 6 ...

Page 279: ...evice credentials in DCA 4 13 device group details 5 20 devices in the device list using dcrcli 4 40 local user profile 3 6 user profiles 3 8 EDS Event Distribution Service troubleshooting 8 10 ESS Event Service Software changing the port for in Solaris 8 17 in Windows 8 18 excluding devices from the device list 4 21 expired server certificate how to handle 8 10 exporting devices and credentials 4...

Page 280: ...H help CiscoWorks Product Updates panel of CWHP 2 7 online using 2 13 online documentation xvi I IBM SecureWay Directory changing login module to 3 25 importing devices and credentials 4 14 using CLI 4 43 using DCA user interface 4 15 J Java Plug in version to use 8 10 jobs managing 3 73 jrm checking 8 15 K KerberosLogin changing login module to 3 27 L licensing CiscoWorks applications 3 68 licens...

Page 281: ...tem changing to 3 28 MS Active Directory changing to 3 29 Netscape Directory changing to 3 30 Radius changing to 3 32 TACACS changing to 3 33 logrot utility configuring 3 81 running 3 82 using 3 81 M managing Common Services jobs 3 73 Common Services resources 3 76 messaging online users 3 72 MS Active Directory changing login module to 3 29 multi server mode and security 3 10 N Netscape Directory...

Page 282: ...48 Users Logged In report 3 47 DCA reports generating 4 23 Device Center reports 6 15 resources managing in Common Services 3 76 Resources panel of CWHP 2 7 restoring backed up data 3 58 runtime security understanding A 4 S Secure Shell SSH definition A 9 security access control and A 6 certificates understanding A 7 understanding A 1 general A 2 server A 2 security setting up 3 1 AAA mode setting...

Page 283: ... Services administering 3 51 backing up data 3 55 Daemon Manager using 3 52 jobs managing 3 73 processes managing 3 53 resources managing 3 76 restoring data 3 58 server information collecting 3 71 Common Services authentication about 3 21 log files maintaining 3 78 on UNIX 3 78 on Windows 3 80 login module setting to ACS 3 35 setting to non ACS 3 24 login module fallback options understanding for...

Page 284: ... 11 SNMP Walk using 6 9 Software Center 7 1 activity logs viewing 7 9 device downloads scheduling 7 7 device updates performing 7 4 packages deleting 7 6 software updates performing 7 2 Solaris changing ports in for ESS 8 17 for osagent 8 16 SSL enabling on the server 3 2 from the CiscoWorks Server 3 2 from the CLI 3 4 SSL definition A 9 SSO Single Sign On mode changing 3 18 enabling 3 15 starting...

Page 285: ...with daemon manager 8 10 ESS port change Solaris 8 17 Windows 8 18 FAQs list 8 6 Java Plug in which version to use 8 10 jrm 8 15 Netscape Navigator on a UNIX system 8 10 osagent port change Solaris 8 16 Windows 8 15 suggestions 8 33 UNIX systems and Netscape Navigator 8 10 typographical conventions in this document xiii U UNIX systems changing login module to local UNIX system 3 28 invoking Netsca...

Page 286: ...mon Services 78 16571 01 W web server port numbers changing 2 14 what s new in this release 1 2 Windows 2000 or Windows NT systems changing the port for ESS 8 18 for osagent 8 15 ensuring that jrm is running 8 15 log files maintaining on 3 80 ...

Reviews:

No comments

Related manuals for CISCOWORKS COMMON SERVICES 3.0

Brand: Radio Shack Pages: 64

OpenScape CP400

Brand: Unify Pages: 2

Brand: TCL Pages: 20

Brand: Spice Pages: 26

Brand: OneTouch Pages: 40

Brand: HTC Pages: 16

Brand: Ericsson Pages: 71

Brand: Polycom Pages: 2

Brand: Energizer Pages: 403

Brand: Palm Pages: 54

Brand: NEO Pages: 61

Brand: Majestic Pages: 41

PLUS Zultys 23G

Brand: DataComm Pages: 8

Brand: XONTEL Pages: 13

Brand: Hi-Tech Pages: 12

Brand: NEC Pages: 210

Brand: Lava Pages: 21

Brand: OKAPI Pages: 14

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands