
CHAPTER 5: ADDING DEVICES AND DEVICE GROUPS

Figure 56 Add Device Screen for IPMI Server (v 1.5) 

 

Figure 57 Add Device Screen for Generic Device 

5. Type the new device name in the Device name field.

6. Type the IP Address or Hostname of the new device in the Device IP or Hostname field. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction.

7. The TCP/UDP port number value will be populated automatically based on the device type. For example, the default UDP port for an IPMI device is 623.

8. Type a description (or location) of the new device in the Description field.

9. Type the name used to log onto this device in the Username field.

10. Type the password needed to access this device in the Password field.

11. If applicable, type the time (in seconds) that should elapse before timeout between the new device and CC-SG in the Heartbeat timeout (sec) field.

12. For IPMI Servers, enter an Interval that is used to check for availability and an Authentication Method, which needs to match what has been configured on the IPMI Server.

Note: You will not see a TCP port number or Heartbeat timeout field for HP iLO/RILOE devices, older Dominion SX units (version 2.4 or earlier), IPMI Servers, and Generic devices.

13. Click OK to add the device or Cancel to exit without saving.

14. For Raritan devices, if the firmware version of the device is not compatible with CC-SG, a message will alert you and ask if you want to proceed (please see Chapter 2: Accessing CC-SG for additional information). Click Yes to add the device to CC-SG, or No to cancel the operation. You can easily upgrade the device firmware after adding it to CC-SG (see section Upgrade Device later in this chapter).

15. A Device Created Successfully message confirms that the device has been added.

16. Repeat steps 1 through 12 to add other devices.

 


Page 154: ...creen appears Figure 166 Audit Trail Screen 2 Select the date range for the report by either typing the date and time in the Start Date and End Date fields using the format yyyy mm dd hh mm ss or by u...

Page 155: ...or print the report Click Save to save the records that are displayed to a CSV file or click Save All to save all records Click Print to print the records that are displayed or Print All to print all...

Page 156: ...r Log screen appears Figure 168 Error Log Screen 2 Select the date range for the report by either typing the date and time in the Start Date and End Date fields using the format yyyy mm dd hh mm ss or...

Page 157: ...r print the report Click Save to save the records that are displayed to a CSV file or click Save All to save all records Click Print to print the records that are displayed or Print All to print all r...

Page 158: ...ll devices on your system and will supply information that could be useful in case troubleshooting is necessary 1 On the Reports menu click Ping Report The Ping Report is generated Figure 170 Ping Rep...

Page 159: ...s screen appears Figure 171 Accessed Devices Screen 2 Select the date range for the report by either typing the date and time in the Start Date and End Date fields using the format yyyy mm dd hh mm ss...

Page 160: ...ge Report Data to save or print the report Click Save to save the records that are displayed to a CSV file or click Save All to save all records Click Print to print the records that are displayed or...

Page 161: ...ough the lists and view all entries Figure 173 Groups Report 2 Click on the button next to a line entry to display either the policies associated with the user group or the list of ports that satisfy...

Page 162: ...bled field you can see information if check box Login is enabled From Password Expiration you can see password expiration period in days 1 On the Reports menu click User Data The All Users Data report...

Page 163: ...sers In Groups The Users In Groups report is generated Use the scroll bar to scroll through the list and view all entries Figure 175 Users In Groups Report 2 Click Manage Report Data to save or print...

Page 164: ...lable Available Port has been configured and connection to port is possible Unavailable Connection to port is not possible since the device is down and unavailable Busy A user is connected to this por...

Page 165: ...ayed you can select a particular Report Type such as Active Ports Report or Report Owner or alter the start and end dates in Reports generated between by highlighting the month date year or time field...

Page 166: ...rom this report 1 On the Reports menu click Locked Out Users Figure 178 Locked Out Users Report 2 Highlight the user you want to unlock and click Unlock User An email notification is sent to the email...

Page 167: ...ts from the CC SG database from this report 1 On the Reports menu click CC NOC Synchronization Figure 179 CC NOC Synchronization Report 2 Select a Last Discovered Date and click Get Targets The target...

Page 168: ...152 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE...

Page 169: ...A success message will appear to confirm the reset Important Using the Reset command will flush the database of CC SG All Devices Ports and Users will be removed from the CC SG Authentication is also...

Page 170: ...appears check Do not restore logs if you do not want the log files restored Check Restore Data only if you only want the configuration data devices ports users restored Check Restore Firmware binaries...

Page 171: ...d 2 Specify a location to save your CC SG backup file 3 To upload a backup to a CC SG unit click Upload on the Restore CommandCenter screen and browse your system for the backup of your CC SG configur...

Page 172: ...are not reflected in the system until the database is updated If you are logged in while another user is updating the database you will not see these changes unless you refresh your screen or log out...

Page 173: ...der CC SG click Browse and navigate to the current location of your CC files 3 Click OK Restart CC SG 1 On the Setup menu click Restart CommandCenter The Restart CommandCenter screen appears Figure 18...

Page 174: ...period to finish their tasks in CC SG and tell them when they can expect the system to be functional again All users will be disconnected when you shutdown CC SG 4 Type how much time in minutes shoul...

Page 175: ...Yes to exit CC SG or No to close the Exit window and continue working Maintenance Mode This mode restricts access to CC SG so that an administrator can perform various operations without disruption Op...

Page 176: ...Entering Maintenance Mode To enter Maintenance Mode 1 On the Setup menu click Maintenance Mode 2 Click Enter Maintenance Mode Figure 191 Enter Maintenance Mode 3 Type a broadcast message or accept th...

Page 177: ...eflect the Fully Qualified Domain Name FQDN if a domain server and domain suffix has been configured 3 Click either Primary Backup Mode or Active Active Mode A standard CC SG provides two Network Inte...

Page 178: ...assigned possibly by DHCP IP address to LAN2 LAN2 will be used until LAN1 is repaired and returned to service When this happens CC SG reverts to using LAN1 As long as one interface is viable a PC clie...

Page 179: ...n using Active Active mode 4 Click on the Configuration drop down arrow and select either DHCP or Static from the list If you choose DHCP and your DHCP server has been configured correctly then type a...

Page 180: ...the Configuration Manager screen Inactivity Timer Configuration Use this screen to time out inactive user sessions 1 On the Setup menu click Configuration Manager When the Configuration Manager screen...

Page 181: ...up down arrows to set the Hour Minutes and Seconds and then click on the Time Zone drop down arrow to select the time zone in which you are operating CC SG b To set the date and time via NTP Click on...

Page 182: ...SG 4 Type the Client Phone that is if using call back dialing this is the call back number that CC SG dials to connect to the client 5 Click Update Configuration to save the modem information to the...

Page 183: ...indows not to close the started Modem connection process when the modem connection is closed from the other dialed in side Click OK to save the settings Configure the Dial Up Connection The following...

Page 184: ...e CommandCenter Figure 203 Connection Name 8 Type the phone number used to connect to CC SG and click Next This is NOT the dial back number that was configured as the Client phone under the Modem tab...

Page 185: ...cript file for call back 1 On the start menu click My Network Places 2 Click view network connections under Network Tasks 3 Right click on the CommandCenter connection and click Properties 4 Click the...

Page 186: ...ns under Network Tasks 3 Double click on the CommandCenter connection Figure 206 Connecting to CC SG 4 Type a username of ccclient and password of cbupass Figure 207 Entering username and password 5 I...

Page 187: ...ack Connection earlier in this chapter then a window similar to the one below will be displayed Figure 208 After Dial Terminal 8 Wait 1 or 2 minutes and in a supported browser enter the IP address of...

Page 188: ...tion Manager When the Configuration Manager screen appears click on the Connection Mode tab 2 Click on the radio button for the connection mode you prefer a Click on the Direct Mode radio button to co...

Page 189: ...173 iii Click the Add button to add the Net Address and Mask to the screen You may have to use the scroll bar on the right side of the screen to view the Add Remove Update buttons Figure 210 Configura...

Page 190: ...Port value Type the new Default Port value and press the Enter key 3 To update device timeout duration double click on the Heartbeat sec value at the bottom of the screen Type new timeout duration for...

Page 191: ...ded with your CC SG unit and also under Firmware Upgrades on http www raritan com support Configuring SNMP in CC SG 1 On the Setup menu click Configuration Manager When the Configuration Manager scree...

Page 192: ...managers that can be set in this list 9 When SNMP traps and their destinations are configured click Update Trap Configuration Configure Security The General properties allow you to configure SSL for...

Page 193: ...henticated by external servers see Chapter 9 Configuring Remote Authentication for additional information Failed login attempts due to insufficient user licenses also do not apply Note By default the...

Page 194: ...Error User Being Locked Out Screen Application Manager Add Application You can upload different custom applications to CC SG and assign the applications to different ports in order to access them ind...

Page 195: ...or configuration and attachment to a specific port 7 Click Close to close the Application Manager screen Note Once the application has been loaded into CC SG and assigned to a port verify that the app...

Page 196: ...ck Application Manager The Application Manager screen appears 2 Click on the Application Name drop down arrow and select the application to be deleted 3 Click the Delete button in the Applications pan...

Page 197: ...delete the firmware or No to close the window 5 Click Close to close the Firmware Manager screen CommandCenter NOC Adding a CommandCenter NOC CC NOC to your setup will expand your target management c...

Page 198: ...eving this synchronization is to use a common NTP Network Time Protocol server For this reason the CC NOC and CC SG are required to be configured to use an NTP server 1 On the CommandCenter NOC menu c...

Page 199: ...sents the range of addresses CC SG is interested in and instructs CC NOC to send events for these devices to CC SG This range is related to the discovery range that is configured in the CC NOC see Rar...

Page 200: ...e so synchronization will not affect the performance of other processes 8 For Heartbeat Interval enter how often in seconds CC SG sends a heartbeat message to CC NOC This confirms if CC NOC is still u...

Page 201: ...tter protection against automated interception 12 Once the certificate exchange process is complete a secure channel has been established between CC NOC and CC SG The CC NOC data will be copied to CC...

Page 202: ...uration screen appears Figure 229 Edit CC NOC Configuration Screen 3 Refer to the previous section Add a CC NOC for field details Launch CC NOC To launch CC NOC from CC SG 1 In the CC NOC Configuratio...

Page 203: ...is replicated between the two nodes The primary and secondary nodes in a cluster must be running the same version of software Unless defined by the user CC SG will assign a default name to each clust...

Page 204: ...SG appliances on the same subnet as the one you are currently using Alternatively you can add a CC SG perhaps from a different subnet by specifying an IP address in CommandCenter address in the botto...

Page 205: ...must match the primary node s version 3 Type a valid user name and password for the backup node Figure 234 Cluster Configuration Set Secondary CC SG 4 Click Join Backup Node 5 A confirmation message...

Page 206: ...luster 2 When the confirmation message appears click Yes to remove Primary Node status or click No to cancel Note Clicking Remove Cluster does not delete the Primary CC SG unit from your configuration...

Page 207: ...recovered 6 Click OK to save the settings or Cancel to exit without saving Note Changing the time zone is disabled in a cluster configuration Task Manager Use Task Manager to schedule CC SG tasks on a...

Page 208: ...confirm that the correct versions of firmware were upgraded Email Notifications Upon completion of a task an email message can be sent to a specified recipient How the email is sent such as if it is...

Page 209: ...hedule a new task 1 On the Setup menu click Task Manager Figure 237 Task Manager 2 Click New Figure 238 Create Task 3 In the Main tab type a name 1 32 characters alphanumeric characters or underscores...

Page 210: ...e periodic daily weekly monthly yearly For periods that do include an initial starting time for example Weekly enter a Start at time based on the CC SG server time as displayed near the top of the mai...

Page 211: ...sful or On Failure to have the recipient be notified if the task failed or both View a Task Details of a Task and Task History To view a task 1 On the Setup menu click Task Manager Figure 242 View a T...

Page 212: ...istory of a task select a task and click Task History Figure 243 Task History 5 To view details of a task double click on a task Figure 244 Task Details Note If a task is changed or updated its prior...

Page 213: ...ger Figure 245 Notification Manager 2 Ensure Enable SMTP Notification is selected and type the SMTP host For hostname rules see Terminology Acronyms in Chapter 1 Introduction 3 Type a valid SMTP port...

Page 214: ...termined by the permissions for the user group s to which the SSH client user belongs Administrators who use SSH to access CC SG cannot logout a ccroot SSH user but are able to log out all other SSH c...

Page 215: ...NISTRATION 199 4 A shell prompt appears Type ls to display all commands available from SSH Figure 248 CC SG Commands via SSH 5 Typing help or provides the syntax and description of all available comma...

Page 216: ...ollowing describes several nuances of the SSH commands For commands that pass an IP address such as upgradedevice you can substitute the hostname for an IP address For hostname rules see Terminology A...

Page 217: ...mands supported by the SX device are available Note Before you can connect ensure that the SX device has been added to the CC SG 1 Type listdevices to ensure the SX has been added to CC SG Figure 251...

Page 218: ...et server You can access serial ports on a SX KSX or IP Reach device The SSH connection to the serial ports is in proxy mode 1 Type listports to view the port ids Figure 253 Listing Ports on CC SG 2...

Page 219: ...to execute commands at target server while browser user can only observe proceedings in the port get_history gh Gets History Displays the last few commands and results at target server send_break sb S...

Page 220: ...formation to ascertain the health of CC SG The admin account allows you to set initial parameters view log files and perform some limited diagnostics such as changing the IP address of the CC SG or re...

Page 221: ...t corner of the screen is the last time on the CC SG the data was polled Figure 257 Status Console Important information to hone in on includes the Up status for CC SG and other sub components such as...

Page 222: ...nistrator Console 1 After login as type admin Figure 258 Login to Administrator Console 2 Type the CC SG password raritan is the default Re enter this password and when prompted type a new password Se...

Page 223: ...Console The Pre Login message appears in the Administrator Console after entering any login username and before entering the password The Message of the Day MOTD appears at the top of the Status Cons...

Page 224: ...ve Message with the contents of the Admin Console screen All new users will see the new message Editing Status Console Configuration Status Console The Diagnostic Console can be accessed from a serial...

Page 225: ...ion Network Interfaces In Network Interface Configuration you can perform initial setup tasks such as setting the hostname and IP address of the CC SG Click with the mouse or use the TAB keys to navig...

Page 226: ...mary Backup Mode or Active Active Mode See section Network Configuration earlier in this chapter for details 5 Click either DHCP or Static from the list If you choose DHCP and your DHCP server has bee...

Page 227: ...e Timing Adaptive ping Interpacket interval adapts to round trip time so that effectively not more than one unanswered probe is present in the network Minimal interval is 200 msec 4 Optionally type valu...

Page 228: ...which lists received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs No DNS Resolution Does not resolve addresses to host names Use ICMP vs normal UDP Use ICMP ECHO instead of UDP datagrams 4...

Page 229: ...1 To view or change static routes click Operation Network Interfaces then Static Routes Figure 268 Selecting Static Routes 2 The current IP routing table is displayed You can add a host or network ro...

Page 230: ...og will appear and the item will be de selected for you Figure 271 Selecting Log Files to View OPTION DESCRIPTION Individual Windows Display the selected logs in separate windows Merged Windows Merge...

Page 231: ...og file to highlight what is important Type c to change colors of a log file and select a log from the list if you have chosen to view several Once color choices are displayed type q to exit the windo...

Page 232: ...regular expression and select a log from the list if you have chosen to view several Figure 275 Adding Expressions in Log Files 8 Type a to add a regular expression For example if you want to display...

Page 233: ...d terminate their sessions to remote target servers Important It is HIGHLY recommended to restart CC SG in the CC SG GUI instead unless it is absolutely necessary to restart it here See section Res...

Page 234: ...option will reboot the entire CC SG which simulates a power cycle Users will NOT receive a notification at all CC SG SSH and Diagnostic Console users including this session will be logged off Any con...

Page 235: ...figure the strength of passwords status and admin and allows you to configure password attributes such as setting the maximum number of days that must lapse before you need to change the password whic...

Page 236: ...mum password size in bits minimum is 14 maximum is 70 default is 20 and number of retries default is 10 which is the number of times you will be asked if you want to accept the new password You can ei...

Page 237: ...the settings for each account that is Status Admin FS1 and FS2 Figure 285 Configuring Accounts 3 If you want to require a password for the Status account select Enabled underneath it This screen is s...

Page 238: ...t can be changed again Default is 0 Max Days The maximum number of days the password will stay in effect Default is 99999 Warning The number of days that warning messages are issued before the passwor...

Page 239: ...f CC SG in Diagnostic Console The disk drives are fully synchronized and full RAID 1 protection is available when you see a screen as shown above note the status of both md0 and md1 arrays are UU Disp...

Page 240: ...tal number and processes that have stopped Figure 289 Displaying CC SG Processes in Diagnostic Console 3 Type h to bring up an extensive help screen for the top command The standard F1 help key is not...

Page 241: ...ocessor Intel Pentium III 1 GHz Memory 512 MB Network Interfaces 2 10 100 Ethernet RJ45 Hard Disk Controller 2 40 GB IDE 7200 rpm RAID 1 CD ROM Drive CD ROM 40x Read Only IPMI N A Remote Connection Mo...

Page 242: ...Vibration 5 55 5 HZ 0 38mm 1 minutes per cycle 30 minutes for each axis X Y Z Shock N A Electrical Specifications INPUT Nominal Frequencies 50 60 Hz Nominal Voltage Range 100 240 VAC Maximum Current...

Page 243: ...ations Processor AMD Opteron 146 Memory 2 GB Network Interfaces 2 10 100 1000 Ethernet RJ45 Hard Disk Controller 2 80 GB SATA 7200 rpm RAID 1 CD ROM Drive DVD ROM Remote Connection Modem Not Applicabl...

Page 244: ...X Y Z Shock N A Electrical Specifications INPUT Nominal Frequencies 50 60 Hz Nominal Voltage Range 100 240 VAC Maximum Current AC RMS 3A AC Operating Range 100 to 240 VAC 10 50 60 Hz OUTPUT 5 VDC 12V...

Page 245: ...security policies are to be enforced by the network Executive Summary In the sections below a very complete and thorough analysis of the communications and port usage by CC SG and its associated comp...

Page 246: ...DE Figure 290 CC SG Deployment Elements Internet Unsecured Network CC SG Cluster Peer CC Clients Internal Network Firewall CC NOC CC Clients Raritan Device Serial KVM Out of Band Target Access In Band...

Page 247: ...urpose of the port Indicates if the port is Configurable which means the GUI or Diagnostic Console provides a field where you can change the port number to a different value from the default listed du...

Page 248: ...no CC SG CC SG 3232 TCP SNMP no Access to Infrastructure Services The CC SG can be configured to use several industry standard services like DHCP DNS and NTP In order for CC SG to communicate with the...

Page 249: ...ll SSH Another facet of PC client to target communication is whether The PC client connects directly to the target either via a Raritan device or In Band access which is called Direct Mode Or if the P...

Page 250: ...orts is not required and can be further blocked The ports currently in use are 1088 1098 2222 4444 4445 8009 8083 and 8093 In addition to these ports CC SG may have a couple of TCP and UDP ports in th...

Page 251: ...et server shut the connection abruptly when given a long username followed by a password Traditionally port 23 is used for telnet services However CC SG uses this port for SSH V2 Diagnostic Console se...

Page 253: ...entified Add Ports with Category Element clearly identified Create Group s Add User s 1 Add Device Group with rule based on Category Element 2 Add Port Group with rule based on Category Element 3 Add...

Page 255: ...NOC Users are able to view and configure CommandCenter NOC parameters CC Setup And Control Cross Compatibility Matrix Users are able to view Compatibility Matrix Backup Device Configuration Users are...

Page 256: ...ify port name and parameters Active Ports Users are able to view active ports report Asset Management Report Users are able to view asset management report Ping Report Users are able to view ping repo...

Page 257: ...able to modify user name and parameters Change User Password Users are able to change other user password Delete User Users are able to delete user from the system Logoff User Users are able to logof...

Page 259: ...cationFailure CC SG user authentication failure CCUserDeleted CC SG a user deleted CCUserLogin CC SG user Log in CCUserLogout CC SG user Log out CCUserModified CC SG user modified CCAvailable CC SG ap...

Page 261: ...ersions If the network interface cable is disconnected between the device and CC SG wait for the configured heartbeat minutes and then plug the network interface cable back in During the configured he...

Page 262: ...ps and policies created in the Association Wizard are named after the elements of a category If the element names are not unique the default port groups and policies cannot be created see the screen b...

Page 263: ...wer Yes as long as PDA has a Java enabled browser and supports 128 bit or lower strength for some geographies SSL encryption Call Raritan Tech Support for further information No testing has been done...

Page 264: ...ication If there is a firewall between two cluster nodes the following ports should be opened for the cluster to work properly 8732 for cluster nodes heartbeat 5432 for cluster nodes DB replication Wha...

Page 265: ...How is a password secure Passwords are encrypted using MD5 encryption which is a one way hash This provides additional security to prevent unauthorized users from accessing the password list Sometimes...

Page 266: ...g admin over network interfaces A console is generally considered a secure and reliable access path of last resort Some UNIX systems allow root login only on the console For security reasons other sys...

Page 267: ...or remote authentication only not authorization User Experience How will I know if someone else is logged in to leaf nodes CC SG can present the list of users logged in to leaf devices and can show wh...

Page 268: ...252 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE 255 80 5140 00...

Page 269: ...APPENDIX G FAQS 253...

Page 270: ...Raritan Osaka 1 15 8 Nishihonmachi Nishi ku Osaka 550 0005 Japan Tel 81 6 4391 7752 Fax 81 6 4391 7761 Email sales raritan co jp Website Raritan co jp Asia Pacific Headquarters Raritan Taiwan 5F 121...
