Chapter 9: Configuring Remote Authentication 

Authentication and Authorization (AA)  

Users of CC-SG can be locally authenticated and authorized on the CC-SG or remotely 
authenticated using the following supported directory servers:

• Microsoft Active Directory (AD)
• Netscape’s Lightweight Directory Access Protocol (LDAP)
• RADIUS

Any number of remote RADIUS, , and LDAP servers can be used for external 
authentication. For example, you could configure three AD servers, two iPlanet (LDAP) servers, 
and three RADIUS servers.  

Flow for Authentication 

When remote authentication is enabled, authentication and authorization follow these steps: 

1. The user logs into CC-SG with the appropriate user name and password.

2. CC-SG connects to the external server and sends the user name and password.

3. User name and password are either accepted or rejected and sent back. If authentication is rejected, this results in a failed login attempt.

4. If authentication is successful, local authorization is performed. CC-SG checks if the user name entered matches a group that has been created in CC-SG or imported from AD, and grants privileges per the assigned policy.

When remote authentication is disabled, both authentication and authorization are performed 
locally on CC-SG.  

User Accounts 

User accounts must be added to the authentication server for remote authentication. Except when
using AD for both authentication and authorization, all remote authentication servers require that
users be created on CC-SG. The user’s username on both the authentication server and on CC-SG
must be the same, although the passwords may be different. The local CC-SG password is used
only when remote authentication is disabled. Please refer to Chapter 7: Adding and Managing
Users and User Groups for additional information on adding users who will be remotely
authenticated.

Note: If remote authentication is used, users have to contact their Administrators to change their 
passwords on the remote server. Passwords cannot be changed on CC-SG for remotely 
authenticated users. 
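The following Python model of the login decision described under Flow for Authentication and User Accounts is an added example, not Raritan code. GatewayModel, the accounts, passwords and policy names are constructed, and denying access when no CC-SG user or imported AD group matches is an assumption, since the guide does not state that outcome.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class Result(Enum):
    GRANTED = "granted"
    FAILED_LOGIN = "failed login"
    NOT_AUTHORIZED = "authenticated, but no CC-SG group matches"  # assumed outcome


@dataclass(frozen=True)
class LocalUser:
    group: str            # CC-SG user group the account belongs to
    local_password: str   # constructed sample; a real system would store a hash


@dataclass(frozen=True)
class Decision:
    result: Result
    authenticated_by: Optional[str] = None   # "remote" or "local"
    policy: Optional[str] = None


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of two secrets.
    return hmac.compare_digest(a.encode(), b.encode())


class GatewayModel:
    """Hypothetical stand-in for the CC-SG login decision."""

    def __init__(self, remote_enabled: bool,
                 remote_check: Callable[[str, str], bool],
                 local_users: Dict[str, LocalUser],
                 group_policies: Dict[str, str],
                 ad_groups: Optional[Dict[str, str]] = None):
        self.remote_enabled = remote_enabled
        self.remote_check = remote_check
        self.local_users = local_users
        self.group_policies = group_policies
        # Populated only when AD is used for authorization as well as
        # authentication: username -> AD group imported into CC-SG.
        self.ad_groups = ad_groups or {}

    def login(self, username: str, password: str) -> Decision:
        user = self.local_users.get(username)
        if self.remote_enabled:
            # Steps 2-3: the external server accepts or rejects the credentials.
            # The local CC-SG password is never consulted on this path.
            if not self.remote_check(username, password):
                return Decision(Result.FAILED_LOGIN)
            source = "remote"
        else:
            # Remote authentication disabled: authenticate locally.
            if user is None or not _same(user.local_password, password):
                return Decision(Result.FAILED_LOGIN)
            source = "local"
        # Step 4: authorization is local. The user name must resolve to a group
        # created in CC-SG or imported from AD, which carries the policy.
        group = user.group if user else self.ad_groups.get(username)
        policy = self.group_policies.get(group) if group else None
        if policy is None:
            return Decision(Result.NOT_AUTHORIZED, source)
        return Decision(Result.GRANTED, source, policy)


# --- Constructed sample data -------------------------------------------------
DIRECTORY = {"alice": "dir-pass-1", "carol": "dir-pass-3", "dave": "dir-pass-4"}
LOCAL_USERS = {"alice": LocalUser("KVM Operators", "old-local-1"),
               "bob": LocalUser("KVM Operators", "local-2")}
POLICIES = {"KVM Operators": "Lab racks, full access",
            "AD-NetAdmins": "Core switches, full access"}
AD_GROUPS = {"dave": "AD-NetAdmins"}


def directory_check(username: str, password: str) -> bool:
    """Stand-in for the external AD/LDAP/RADIUS server."""
    stored = DIRECTORY.get(username)
    return stored is not None and _same(stored, password)


def build(remote_enabled: bool, ad_authorization: bool = False) -> GatewayModel:
    return GatewayModel(remote_enabled, directory_check, LOCAL_USERS, POLICIES,
                        AD_GROUPS if ad_authorization else None)


def outcomes() -> Dict[str, Decision]:
    """Run the constructed logins and return {label: Decision}."""
    remote, local, ad = build(True), build(False), build(True, True)
    return {
        "remote on:  alice, directory password": remote.login("alice", "dir-pass-1"),
        "remote on:  alice, local password": remote.login("alice", "old-local-1"),
        "remote on:  bob, CC-SG account only": remote.login("bob", "local-2"),
        "remote on:  carol, directory account only": remote.login("carol", "dir-pass-3"),
        "remote on:  dave, AD authorization": ad.login("dave", "dir-pass-4"),
        "remote off: alice, local password": local.login("alice", "old-local-1"),
    }


if __name__ == "__main__":
    for label, d in outcomes().items():
        print(f"{label:45} -> {d.result.value} (via {d.authenticated_by})")
```

When auditing accounts, the cases to look for are the ones "bob" and "carol" represent: a CC-SG user with no matching account on the authentication server, and a directory account with no CC-SG user or imported AD group behind it.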

Содержание CC-SG

Страница 1: ...CommandCenter Secure Gateway CC SG Administrator Guide Release 3 1 Copyright 2007 Raritan Inc CCA 0D E January 2007 255 80 5140 00...

Страница 2: ...This page intentionally left blank...

Страница 3: ...CC Rules These limits are designed to provide reasonable protection against harmful interference in a commercial installation This equipment generates uses and can radiate radio frequency energy and i...

Страница 4: ...ritan products which require Rack Mounting please follow these precautions Operation temperature in a closed rack environment may be greater than room temperature Do not exceed the rated maximum ambie...

Страница 5: ...lements 14 Device Setup 15 Discover and Add Devices 15 Create Groups 18 Add Device Groups and Node Groups 18 User Management 21 Add User Groups and Users 21 Chapter 4 Creating Associations 25 Associat...

Страница 6: ...e 65 Node Profile 65 Node and Interface Icons 65 Nodes and Interfaces Overview 66 About Nodes 66 About Interfaces 66 Add Node 67 Add an Interface 67 Connect to a Node 73 Edit an Interface 73 Delete an...

Страница 7: ...to CC SG 110 LDAP General Settings 111 LDAP Advanced Settings 112 LDAP Certificate Settings 113 Add a TACACS Module 114 TACACS General Settings 115 Add a RADIUS Module 116 RADIUS General Settings 117...

Страница 8: ...ondary CC SG Node 167 Remove Primary CC SG Node 167 Recover a Failed CC SG Node 168 Set Advanced Settings 168 Configure Security 169 Remote Authentication 169 Secure Client Connections 169 Login Setti...

Страница 9: ...y 215 CC SG Communication Channels 217 CC SG and Raritan Devices 217 CC SG Clustering 217 Access to Infrastructure Services 218 PC Clients to CC SG 218 PC Clients to Nodes 219 CC SG Client for IPMI iL...

Страница 10: ...ure 23 Delete Category Window 29 Figure 24 Association Manager Screen 29 Figure 25 Add Element Window 30 Figure 26 Edit Element Window 30 Figure 27 Delete Element Window 31 Figure 28 The Devices Tree...

Страница 11: ...Figure 74 Chat Session for a Node 76 Figure 75 The Users Tree 77 Figure 76 Add User Groups Screen 79 Figure 77 The Policies Tab on the Add User Group Screen 80 Figure 78 Editing the Selected Group 81...

Страница 12: ...Node Creation Report 132 Figure 131 Query Port Screen 133 Figure 132 Query Port Report 134 Figure 133 Active Ports Report 134 Figure 134 CC NOC Synchronization Report 135 Figure 135 Enter Maintenance...

Страница 13: ...fication Manager 178 Figure 183 Task Manager 180 Figure 184 Add CC NOC Configuration Screen 182 Figure 185 CC SG Commands via SSH 185 Figure 186 Listing Devices on CC SG 188 Figure 187 Access SX Devic...

Страница 14: ...IGURES Figure 211 Displaying CC SG Processes in Diagnostic Console 209 Figure 212 NTP not configured in CC SG GUI 210 Figure 213 NTP running on the CC SG GUI 210 Figure 214 CC SG Deployment Elements 2...

Страница 15: ...by normal access users who need to access a node managed by CC SG The Access Client does not allow the use of administration functions Associations are the relationship between categories elements of...

Страница 16: ...oot a target in your network KVM and Serial devices can be accessed via these in band applications RemoteDesktop Viewer SSH Client RSA Client VNC Viewer IPMI Servers Intelligent Platform Management In...

Страница 17: ...iagnostics only and is not a replacement for the browser based GUI to configure and operate CC SG Please refer to Chapter 12 Advanced Administration for additional information Note Users can be connec...

Страница 18: ...n list The IP addresses are stored in a properties file that is saved to your desktop 6 If the CC SG is configured for secure browser connections you must check the Secure Socket Layer SSL checkbox If...

Страница 19: ...he Desktop Integration window when you installed the thick client you can double click the shortcut icon on your desktop to launch the thick client and access CC SG If you do not have a shortcut icon...

Страница 20: ...nt icons Ports are grouped under their parent devices Click the and signs to expand or collapse the tree Click a port to view the Port Profile Right click a port and select Connect to connect to that...

Страница 21: ...re and applications Confirm IP Address 1 On the Administration menu click Configuration to open the Configuration Manager screen 2 Click the Network Setup tab Figure 4 Confirm IP Address 3 Check that...

Страница 22: ...ick the Time zone drop down arrow to select the time zone in which you are operating CC SG b To set the date and time via NTP Check the Enable Network Time Protocol checkbox at the bottom of the windo...

Страница 23: ...tem Maintenance menu click Maintenance Mode and then click Enter Maintenance Mode 5 In the Enter Maintenance Mode screen type the message that will display to users who will be logged off CC SG and th...

Страница 24: ...ility Matrix on http www raritan com support On the Support page click Firmware Upgrades and then click CommandCenter Secure Gateway 4 Click the Application name drop down arrow and select the applica...

Страница 25: ...owered down Users logged into CC SG via a web browser or SSH will not receive a message when the CC SG unit is powered down 3 If you must remove the AC power cord let the power down process finish com...

Страница 26: ...12 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE This page intentionally left blank...

Страница 27: ...ning Associations discovering and adding devices to CC SG creating device groups and node groups creating user groups assigning policies and privileges to user groups and adding users Once you have co...

Страница 28: ...ed Location and Elements named for each server s location such as Philadelphia New York and New Orleans Create Categories and Elements 1 In the Guided Setup window the default panel is Create Categori...

Страница 29: ...o search for and discover devices in your network and add those devices to CC SG When adding devices you may select one element per category to be associated with the device Important Ensure that no o...

Страница 30: ...omplete a confirmation message pops up Click OK in the confirmation message 8 If CC SG has discovered devices of the specified type and in the specified address range the devices display in a table in...

Страница 31: ...lapse before timeout between the device and CC SG 15 If you are adding a Dominion SX device check the Local access Allowed checkbox if you want to allow local access to the device Clear the Local acce...

Страница 32: ...oups of similar devices and nodes rather than managing each device or node individually Add Device Groups and Node Groups 1 The Devices Groups Manager panel opens when you click Continue at the end of...

Страница 33: ...se from each list d Check the Create Full Access Policy for Group checkbox if you want to create a policy for this device group that allows access to all nodes and devices in the group at all times wi...

Страница 34: ...nd then click Go Describe Nodes a Click the Describe Nodes tab in the Add Nodes Groups panel In the Describe Nodes tab you create a table of rules that describe the nodes you want to assign to the gro...

Страница 35: ...which devices and nodes the members of the user group can view and modify Policies are based on Categories and Elements When you have created the user groups you can define individual users and add th...

Страница 36: ...ou can specify whether you want the user group to have access to In band and Out of band nodes and to Power Management functions Check the checkboxes that correspond to the types of access you want to...

Страница 37: ...nd then click Add User in the Guided Tasks tree view in the left panel to open the Add User panel 12 In the Username field type the name that the user you want to add will use to log in to CC SG 13 Ch...

Страница 38: ...up to which you want to assign the user from the list 21 If you want to add another user click Apply to save this user and then repeat the steps in this section to add additional users 22 When you hav...

Страница 39: ...created using this example You can customize the CC SG to organize and display your servers however you like Figure 19 CC SG Association Example Association Terminology Read the following definitions...

Страница 40: ...and elements to control user access to servers For example the category element pair Location New York can be used to create a Policy to control user access to servers in New York Other examples of ty...

Страница 41: ...gurations individually Please refer to Chapter 3 Configuring CC SG with Guided Setup for additional information Association Manager only allows you to work with associations and does not automate any...

Страница 42: ...the Category Name field Edit Category 1 On the Associations menu click Association The Association Manager screen appears 2 Click the Category Name drop down arrow and select the category you want to...

Страница 43: ...ciation Manager screen appears 2 Click the Category Name drop down arrow and select the category you want to delete 3 Click Delete in the Category panel of the screen to delete the category The Delete...

Страница 44: ...category whose element you want to edit 3 Select the element to be edited from the Element For Category list and then click Edit in the Elements For Category panel The Edit Element window appears Figu...

Страница 45: ...r Category panel The Delete Element window appears Figure 27 Delete Element Window 4 Click Yes to delete the element or No to close the window The element name is removed from the Element For Category...

Страница 46: ...32 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE This page intentionally left blank...

Страница 47: ...nu that appears Note To configure iLO RILOE devices IPMI devices Dell DRAC devices IBM RSA devices or other generic devices use the Add Node menu and add these items as a connection interface Please r...

Страница 48: ...es tree to view a tool tip containing information about the device or port ICON MEANING Device available KVM port available or connected KVM port inactive Serial port available Serial port unavailable...

Страница 49: ...ce at the bottom of the Devices Tree type a search string in Search For Device field then press ENTER Wildcards are supported in the search string WILDCARD DESCRIPTION Indicates any character Indicate...

Страница 50: ...me used to log onto this device in the Username field If you followed the Raritan Digital Solutions Deployment Guide to prepare your devices to add to CC SG type the username for the CC SG Administrat...

Страница 51: ...guring this device click Apply to add this device and open a new blank Add Device screen that allows you to continue adding devices Or click OK to add this device without continuing to a new Add Devic...

Страница 52: ...to Chapter 4 Creating Associations for additional information 10 When you are done configuring this device click Apply to add this device and open a new blank Add Device screen that allows you to con...

Страница 53: ...you want to add Figure 34 Adding a Discovered Device 8 Type the user name and password that were created specifically for CC SG in the device in the Username and Password fields to allow CC SG to auth...

Страница 54: ...e device has been modified Edit PowerStrip Device You can edit a Managed PowerStrip device to rename it modify its properties and view outlet configuration status 1 Click the Devices tab and select th...

Страница 55: ...delete 2 On the Devices menu click Device Manager and then click Delete Device The Delete Device screen appears Figure 36 Delete Device Screen 3 Click OK to delete the device or Cancel to exit withou...

Страница 56: ...the device to CC SG You must configure ports before any Out of Band interfaces using those ports can be added to nodes Configure a Serial Port 1 Click the Devices tab and select a serial device from t...

Страница 57: ...Type a node name in the Node Name field to create a new node with an Out of Band interface from this port For ease of use name the node after the target that is connected to the port This means that...

Страница 58: ...Figure 39 Configure Ports Screen Click a column header to sort the ports by that attribute in ascending order Click the header again to sort the ports in descending order 3 Click the Configure button...

Страница 59: ...elect the correct application based on your browser select Auto Detect 7 Click OK to add the port Edit Ports You can edit ports to change the name or access application associated with existing config...

Страница 60: ...to delete the selected port A Port Deleted Successfully window confirms that port has been deleted Device Management Once a device has been added to CC SG several management functions besides configur...

Страница 61: ...SG a message will alert you and ask if you want to proceed Please refer to Chapter 2 Accessing CC SG for additional information Click Yes to upgrade the device 5 A Restart message appears Click Yes t...

Страница 62: ...ice to another or multiple devices Note Configuration can only be copied between Dominion SX units that have the same number of ports 1 Click the Devices tab and select the device whose configuration...

Страница 63: ...hen click Ping Device The Ping Device screen appears showing the result of the ping Figure 47 Ping Device Screen Pause Management You can pause a device to temporarily suspend CC SG control of it with...

Страница 64: ...ower port that is providing management of the PowerStrip 1 In the Devices tree select a PowerStrip device 2 On the Devices menu click Device Power Manager The Device Power Manager screen appears 3 The...

Страница 65: ...the Devices menu click Device Manager and then click Topological View The Topological View for the selected device appears Figure 49 Topological View 3 Navigate the Topological View in the same way yo...

Страница 66: ...mplete before the user s session with the device is terminated All other operations will be terminated immediately 1 Click the Devices tab and select the device you want to disconnect one or more user...

Страница 67: ...ured ports are nested under their parent devices To change the way the ports are displayed click the Devices menu then Port Sorting Options Select By Port Name or By Port Status to arrange the ports w...

Страница 68: ...reflect the selected custom view 5 Click Set Default if you want the selected custom view to be displayed when logging into CC SG 6 Check Is System Wide to make this the default view for all users wh...

Страница 69: ...w The Custom View screen appears 3 Click the Name drop down arrow in the Custom View panel and select the custom view to be edited Click Edit An Edit Custom View window appears 4 Type a new custom vie...

Страница 70: ...onal information on using P2 SC Admin After adding the Paragon System device the Paragon System includes the P2 SC device connected UMT units and connected IP Reach units to CC SG it will appear in th...

Страница 71: ...access Remote User Station Administration 1 Click the Device tab and then select the Paragon II System Controller 2 Right click the Paragon II System Controller and then click Remote User Station Adm...

Страница 72: ...nd remove device groups When you add a new device group you can create a full access policy for the group Please refer to Chapter 8 Policies for additional information Add Device Group 1 On the Associ...

Страница 73: ...devices The Describe Devices tab allows you to specify rules that describe devices and the devices whose parameters follow those rules will be added to the group Select Devices a Click the Select Devi...

Страница 74: ...s equal to LIKE used for find the Element in a name and is not equal to Element Select a value for the Category attribute to be compared against Only elements associated with the selected category wil...

Страница 75: ...belong to the engineering department or be located in Philadelphia use the OR operator to join the two Rule0 Rule1 We will make this comparison first by enclosing it parentheses Rule0 Rule1 Finally s...

Страница 76: ...ay in the left panel Select the Device Group whose name you want to edit The Device Group Details panel appears 3 If you want to edit the device group name type a new name for the device group in the...

Страница 77: ...k Device Groups The Device Groups Manager window opens Figure 61 Device Groups Manager Screen 2 Existing device groups display in the left panel Select the device group you want to delete The Device G...

Страница 78: ...64 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE 4 The Delete Device Group panel appears Click Delete Figure 63 Delete Device Group Panel 5 Click Yes in the confirmation message that displays...

Страница 79: ...status are sorted alphabetically within their availability grouping To switch between sorting methods right click the tree click Node Sorting Options then click By Node Name or By Node Status Node Pro...

Страница 80: ...r to Chapter 3 Configuring CC SG with Guided Setup or Chapter 5 Adding Devices and Device Groups Add a Device for additional information Node Names Node names must be unique CC SG will prompt you with...

Страница 81: ...is node Please refer to Chapter 4 Creating Associations for additional information For each Category listed click the Element drop down menu and then select the element you want to apply to the node f...

Страница 82: ...tem to create a KVM connection to an HP server through an iLO or RILOE interface Out of Band Connections KVM Select this item to create a KVM connection to a node through a Raritan KVM device KX KX101...

Страница 83: ...ddress or Hostname for this interface in the IP Address Hostname field 2 If necessary type a TCP Port for this connection in the TCP Port field 3 Type a username for this connection in the Username fi...

Страница 84: ...tect 2 Click the Raritan Device Name drop down menu and select the Raritan device providing access to this node Note a device must be added to CC SG first before appearing in this list 3 Click the Rar...

Страница 85: ...CC SG before the appropriate options are available 2 Click the Power Strip Name drop down menu and select the Power Strip that provides power to the node The power strip must be configured in CC SG be...

Страница 86: ...e a username for this interface in the Username field 6 If necessary type a password for this interface in the Password field 7 Click OK add the interface to the node You will be returned to the Add N...

Страница 87: ...en appears 3 In the Interfaces table click the name of the interface you want to connect with Alternatively 1 In the Nodes tab click the symbol next to the node you want to connect to expanding the li...

Страница 88: ...lete the interface Ping a Node You can ping a node from CC SG to make sure that the connection is active 1 Click the Nodes tab and then select the node you want to ping 2 On the Nodes menu select Ping...

Страница 89: ...sign a value to double click the Element field next to it The field turns into a drop down menu b Click the drop down menu and select the desired Element value Select None if you do not want to use th...

Страница 90: ...eft field and press the Enter key or click Send The message will appear in the chat upper left field for all users to see 4 Click Clear to clear any message you have typed in the new message field but...

Страница 91: ...rectory users groups and policies Please refer to Chapter 8 Policies still need to be created on CC SG Configuring CC SG to use external authentication is covered in Chapter 9 Remote Authentication Th...

Страница 92: ...ystem Administrators Group The System Administrators group has full administrative and access privileges Unlike the CC Super User group you can change the privileges and add or delete members CC Users...

Страница 93: ...ileges the user group will have Select the interface types the user group can use to access nodes Select policies which describe what nodes the user group can access To create a new user group 1 On th...

Страница 94: ...to the Selected Policies list Policies in the Selected Policies list will allow or deny users access to the node or devices controlled by this policy 9 Repeat this step to add additional policies to t...

Страница 95: ...up Uncheck a privilege to remove it from the group 7 In the Node Access area click the drop down menu for each kind of interface you want this group to have access through and select Control 8 Click t...

Страница 96: ...he group After clicking OK a status message will appear to confirm the successful deletion of the group Add User Add users to a group to assign the user access privileges in CC SG A User s ability to...

Страница 97: ...want to specify how often the user will be forced to change their password a If checked in the Expiration Period Days field type the number of days that the user will be able to use the same password...

Страница 98: ...assigned password the next time they log in 8 In the Email address field type a new email address to add or change the user s configured email address This will be used to send the user notifications...

Страница 99: ...up list Select the users you want to add from this column and then click the button to move them to the Users in group list 5 Click the button to move all users not in the group to the Users in group...

Страница 100: ...n Group group Other User and User Group Functions My Profile My Profile allows all users to view details about their account change some details and customize usability settings It is the only way for...

Страница 101: ...are done editing your profile click OK to save the changes or Cancel to exit without saving Logout Users This command can be used to log active users out of CC SG It can also be used to log out all a...

Страница 102: ...r Manager then Bulk Copy The Bulk Copy screen appears Figure 86 Bulk Copy Screen 5 In the All Users list select the users that will be adopting the privileges and polices of the user in the Username f...

Страница 103: ...he group If you completed Guided Setup refer Chapter 3 Configuring CC SG with Guided Setup a number of basic policies may already have been created Now you may want to apply these policies to existing...

Страница 104: ...The Node Groups Manager window displays A list of existing node groups is displayed on the left while details about selected node group displays in the main panel Figure 88 The Node Group Manager 1 A...

Страница 105: ...ck Node Group The Node Groups Manager window displays 2 On the Groups menu select Add A template for a node group will appear 3 In the Group name field type a name for a node group you want to create...

Страница 106: ...Selected list Nodes in the Selected list will be added to the group 4 If you want to remove a node from the group select the node name in the Selected list and then click Remove 5 You can search for a...

Страница 107: ...ble here Also included are Node Name and Interface Operator Select a comparison operation to be performed between the Category and Element items Three operators are available is equal to LIKE used for...

Страница 108: ...le0 in the Short Expression field Another example If you want to describe a group of nodes that belong to the engineering department OR are located in Philadelphia and specify that all of the machines...

Страница 109: ...he Node Group List to the left The details of that node will appear in the Node Groups window 3 Refer to the instructions in the Select Nodes or Describe Nodes sections above for details on how to con...

Страница 110: ...en created they can become the basis for creating an access policy a rule that states whether users can or cannot access the nodes or devices in the group or device group and what times this rule is i...

Страница 111: ...lly receive Control rights when the Deny policy is not in effect Edit a Policy When you edit a policy the changes do not affect users who are currently logged in to CC SG The changes will go into effe...

Страница 112: ...Write or Read only permission If you want to define this policy to deny Virtual Media Permission select Deny 10 Click Update to save the changes to the policy and then click Yes in the confirmation me...

Страница 113: ...lts in a failed login attempt 4 If authentication is successful local authorization is performed CC SG checks if the user name entered matches a group that has been created in CC SG or imported from A...

Страница 114: ...component dc Specifying a DN for Netscape LDAP and eDirectory LDAP should follow this structure user id uid organizational unit ou organization o Username When authenticating CC SG users on an AD serv...

Страница 115: ...e AD user groups and assign AD users to them before starting this process Also make sure that you have configured the CC SG DNS and Domain Suffix in Configuration Manager Please refer to Chapter 12 Co...

Страница 116: ...onfigured in the Configuration Manager section of CC SG Please refer to Chapter 12 Configuration Manager for additional information 3 Check Anonymous Bind if you want to connect to the AD server witho...

Страница 117: ...server is listening The default port is 389 If you are using secure connections for LDAP step 3 below you may need to change this port The standard port for secure LDAP connections is 636 3 Check Secu...

Страница 118: ...o connect to the AD server Only check Use Bind when the user logging in from the applet has permissions to perform search queries in the AD server 7 Check Use Bind After Search to use the username and...

Страница 119: ...and objectclass group as the Filter then all entries that are in the Groups entry and are of type group will be returned 4 Click Next to proceed The Trusts tab opens AD Trust Settings In the Trusts t...

Страница 120: ...oup Settings and AD Trust Settings for additional information 4 If you change the connection information click Test Connection to test the connection to the AD server using the given parameters You sh...

Страница 121: ...all to select all user groups for import Click Deselect all to deselect all selected user groups 5 In the Policies column click the field and then select a CC SG access policy from the list to assign...

Страница 122: ...user groups that have been imported into CC SG and refreshes the CC SG local cache The CC SG local cache contains all domain controllers for each domain all user groups for all modules and the user in...

Страница 123: ...omain Important CC SG will still be in Maintenance Mode after upgrading to 3 1 Therefore you must login with the CC Super User account to perform this action The default CC Super User account for syst...

Страница 124: ...s on generating a report containing information about AD user groups please refer to Chapter 10 Generating Reports AD User Group Report Add LDAP Netscape Module to CC SG Once CC SG starts and a userna...

Страница 125: ...n the permissions of each object 6 If you are not using anonymous binding type a username in the User name field Type a Distinguished Name DN to specify the credentials used to query the LDAP server F...

Страница 126: ...p down menu and select the default encryption of user passwords 4 Type the user attribute and group membership attribute parameters in the User Attribute and Group Membership Attribute fields These va...

Страница 127: ...e PARAMETER NAME OPEN LDAP PARAMETERS IP Address Hostname Directory Server IP Address User Name CN Valid user id O Organization Password Password User Base O accounts O Organization User Filter object...

Страница 128: ...se refer to Chapter 7 Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated 1 On the Administration menu click Security The Security M...

Страница 129: ...s please refer to Terminology Acronyms in Chapter 1 Introduction Figure 108 TACACS General Settings 2 Type the port number on which the TACACS server is listening in the Port Number field The default...

Страница 130: ...to Chapter 7 Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated 1 On the Administration menu click Security The Security Manager sc...

Страница 131: ...ation Using RADIUS By using an RSA RADIUS Server that supports two factor authentication in conjunction with an RSA Authentication Manager CC SG can make use of two factor authentication schemes with...

Страница 132: ...ck the Authorization checkbox if you want CC SG to use the server for authorization of users Only AD servers can be used for authorization 4 Click Update to save your changes Establish Order of Extern...

Страница 133: ...G It captures actions such as adding editing or deleting devices or ports and other modifications CC SG maintains an Audit Trail of the following events When CC SG is launched When CC SG is stopped Wh...

Страница 134: ...he log files used in the report Click Close to close the report Error Log Report CC SG stores error messages in a series of Error Log files which can be accessed and used to help troubleshoot problems...

Страница 135: ...rt page to a CSV file or click Save All to save all records Click Print to print the records that are displayed in the current report page or Print All to print all records Click Close to close the wi...

Страница 136: ...e field If you want to limit the report to a particular IP address s activities type the user s IP address in the User IP address field 4 Click OK to run the report The report is generated displaying...

Страница 137: ...troubleshooting 1 On the Reports menu click Availability Report The Availability Report is generated Figure 118 Availability Report Click Manage Report Data to save or print the report Click Save to s...

Page 138: ...d Figure 119 Active Users Report To disconnect a user from an active session in CC SG select the user name you want to disconnect and then click Logout Click Manage Report Data to save or print the re...

Page 139: ...n unlock users from this report Please refer to Chapter 12 Advanced Administration Lockout Settings for additional information on lockout settings 1 On the Reports menu click Users and then click Lock...

Page 140: ...The Password Expiration field displays the number of days that the user can use the same password before being forced to change it Please refer to Chapter 7 Adding and Managing Users and User Groups...

Page 141: ...s In Groups report is generated Figure 122 Users In Groups Report Click Manage Report Data to save or print the report Click Save to save the records that are displayed in the current report page to a...

Page 142: ...h the user group the list of nodes that satisfy the node group rule or the list of devices that satisfy the device group rule AD User Group Report The AD User Group report displays all users in groups...

Page 143: ...ort displays data on devices currently managed by CC SG 1 On the Reports menu click Devices and then click Asset Management Report The Asset Management report is generated for all devices 2 If you wan...

Page 144: ...an also filter the report to include only data about nodes that correspond to a specified node group interface type device type or device 1 On the Reports menu click Nodes and then click Node Asset Re...

Page 145: ...Report The Active Nodes report includes the name and type of each active interface the current user a timestamp and the user IP address for each node with an active connection You can view the active...

Page 146: ...and End Date fields Click each component of the default date month day year hour minute second to select it and then click the up and down arrows to reach the desired number 3 Check the Potential Dup...

Page 147: ...nnection to target server is in place but the port has not been configured Unused Port is unavailable physical connection to target server is not in place and the port has not been configured Availabl...

Page 148: ...orts Click Configure next to a New or Unused port in the report to configure it Click Close to close the report Active Ports Report The Active Ports report displays out of band ports that are currentl...

Page 149: ...s displayed you can select a particular Report Type such as Active Ports Report or Report Owner or change the start and end dates in the Reports generated between fields by clicking each component of...

Page 150: ...base select the target you want to purge and then click Purge If you want to purge the entire list of targets from the CC SG database click Purge All Click Manage Report Data to save or print the repo...

Page 151: ...C SG is in Maintenance Mode Please refer Chapter 12 Advanced Administration Task Manager for additional information on scheduled tasks When CC SG exits Maintenance Mode scheduled tasks will be execute...

Page 152: ...nd event reports stored on CC SG o CC SG firmware files Stored firmware files used for updating the CC SG server itself o Device firmware files Stored firmware files used for updating Raritan devices...

Page 153: ...pe of backup the date of the backup the description what CC SG version it was made from and the size of the backup file Figure 137 Restore CommandCenter Screen 2 If you want to restore from a backup s...

Page 154: ...allows users time to complete their work and log off 6 In the Broadcast Message field type a message to notify other CC SG users that a restore will occur 7 Click Restore After clicking Restore CC SG...

Page 155: ...le to default values 1 On the System Maintenance menu click Reset Figure 139 Reset CC SG Screen 2 Type your CC SG password 3 Either accept the current Broadcast message or edit to create one of your o...

Page 156: ...ot be able to upgrade CC SG without performing this action Please refer to the Maintenance Mode section of this chapter for additional information 2 Once CC SG is in maintenance mode on the System Mai...

Page 157: ...redirected to the login screen Users cannot log back in until you restart CC SG as described in the next section Restarting CC SG after Shutdown After shutting down CC SG use one of these two methods...

Page 159: ...tup The message of the day setup screen appears 2 Check Display Message of the Day for All Users if you want the message to be displayed to all users after they log in 3 Select Message of the Day Cont...

Page 160: ...tion Manager to add edit or delete an application Adding an Application 1 Click Add in the Applications section of the Applications tab The Add Applications dialog window appears Figure 145 Adding an...

Page 161: ...ers in the Details area as necessary 3 Click Edit The Edit Applications window appears Figure 146 Edit Applications Window 4 If necessary select additional Raritan devices the application will functio...

Page 162: ...tion of an Interface or Port Type 1 Select the row for an Interface or Port Type 2 Double click the Application listed on that row The value becomes a drop down menu Note that grayed out values are no...

Page 163: ...hen new firmware versions become available they are posted on the Raritan website 1 On the Administration menu click Firmware The Firmware Manager screen appears Figure 148 Firmware Manager Screen 2 C...

Page 164: ...5 Click Close to close the Firmware Manager screen Configuration Manager The Configuration Manager is where several of the CC SG core settings such as the network configuration are administered Networ...

Page 165: ...de only one NIC is active at a given point of time and only one network IP address assignment is possible Figure 152 Primary Backup Network Typically both NICs are attached to the same LAN sub network...

Page 166: ...cially if firewalls are involved If additional routes are needed they can be added in Diagnostic Console Please refer to Editing Static Routes Network Interfaces later in this chapter for additional i...

Page 167: ...ick the Logs tab Figure 154 Configuration Manager Logs Screen 3 To assign an external log server for CC SG to use type the IP address into the Server Address field under Primary Server 4 Click the Lev...

Page 168: ...for confirmation 4 Click Yes to clear CC SG s log of events Note The Audit Trail and Error Log reports are based off of CC SG s internal log If you purge CC SG s internal log these two reports will al...

Page 169: ...and then click the Day in the calendar area Time use the up and down arrows to set the Hour Minutes and Seconds and then click the Time zone drop down arrow to select the time zone in which you are o...

Page 170: ...address of the client that will dial into CC SG in the Client Address field 4 If you are using call back dialing type the call back number that CC SG dials to connect to the client in the Client Phon...

Page 171: ...tection flag For example type at c for a SoftK56 Data Fax modem This is necessary to tell Windows not to close the started Modem connection process when the modem connection is closed from the other d...

Page 172: ...umber used to connect to CC SG and then click Next This is NOT the dial back number that was configured as the Client phone under the Modem tab in Configuration Manager on CC SG Figure 162 Phone Numbe...

Page 173: ...asks 3 Right click the CommandCenter connection and then click Properties 4 Click the Security tab Figure 163 Specify Dial up Script 5 Click the Show terminal window 6 Click Run script and then click...

Page 174: ...work Tasks 3 Double click the CommandCenter connection Figure 164 Connecting to CC SG 4 Type a username of ccclient and password of cbupass Figure 165 Entering username and password 5 If not filled in...

Page 175: ...the Modem tab in Configuration Manager on CC SG and login to CC SG Connection Mode When connected to a node you have the option to pass data back and forth directly with that node Direct Mode or to ro...

Page 176: ...ct to a device via your CC SG unit c Click the Both radio button if you want to connect to some devices directly but others through Proxy Mode Then specify settings for the devices you wish to connect...

Page 177: ...SNMP manager on the network Only a CC SG Administrator trained in handling an SNMP infrastructure should configure CC SG to work with SNMP CC SG also supports SNMP GET SET operations with third party...

Page 178: ...ferent categories System Log traps which include notifications for the status of the CC unit itself such as a hard disk failure and Application Log traps for notifications generated by events in the C...

Page 179: ...sions originating on the Primary CC SG node will terminate The devices connected to the Primary CC SG unit will recognize that the Primary node is not responding and will respond to requests initiated...

Page 180: ...d then clicking Add CommandCenter Figure 170 Cluster Configuration Screen 3 Type a name for this cluster in Cluster Name If you do not provide a name now a default name will be provided such as cluste...

Page 181: ...ion message appears on your screen 7 On the Administration menu click Cluster Configuration to view the updated Cluster Configuration table Note If the Primary and Secondary Nodes lose communication w...

Page 182: ...gs of a cluster configuration 1 Select the Primary node just created 2 Click Advanced The Advanced Settings window appears Figure 172 Cluster Configuration Advanced Settings 3 For Time Interval enter...

Page 183: ...G 1 On the Administration menu click Security The Security Manager screen appears 2 Click the General tab Figure 173 Secure Client Connections 3 Check the Requires AES Encryption between Client and Se...

Page 184: ...be configured with the following criteria Minimum Password Length All passwords must contain a minimum number of characters Click the drop down menu and select the minimum length of passwords Passwor...

Page 185: ...iled login attempts before lockout and after lockout is not configurable To configure user Lockout 1 Check Lockout Enabled 2 The default number of failed login attempts before a user is locked out is...

Page 186: ...d Service Agreement A message can be configured to appear to the left of the login fields on the login screen This is intended for use as a Restricted Service Agreement or a statement users agree to u...

Page 187: ...in Portal With Restricted Service Agreement Certificate Options in this window can be used to generate a certificate signing request also CSR or certification request A CSR is a message sent from an a...

Page 188: ...ficate and Private Key and submit it by clicking Export Generate Certificate Signing Request The following explains how to generate a CSR and a private key on CC SG The CSR will be submitted to the Ce...

Page 189: ...save it with a cer extension 5 Using an ASCII editor for example Notepad copy and paste the Private Key into a file and save it as a text file 6 Submit the CSR file cer saved in Step 4 to the Certifi...

Page 190: ...aste both root and subroot certificate into one file and then import it Generate Self Signed Certificate Request Click the Generate Self Signed Certificate option button and then click Generate The Ge...

Page 191: ...new item to the list specify a range to apply the rule to by typing the starting IP value in the Starting IP field and the ending IP value in the Ending IP field 5 Click the Group drop down arrow to s...

Page 192: ...heckbox 3 Type the SMTP host in the SMTP host field For hostname rules please refer to Terminology Acronyms in Chapter 1 Introduction 4 Type a valid SMTP port number in the SMTP port field 5 Type a va...

Page 193: ...es not apply to device groups Outlet Port Power Management Power On Off Recycle Outlet ports Generate all Reports HTML or CSV format Purge Logs Scheduling Sequential Tasks You may want to schedule tas...

Page 194: ...select the Start time at which the task should begin Periodic Use the up and down arrows to select the Start time at which the task should begin Type the number of times the task should be executed i...

Page 195: ...efer to Chapter 7 Adding and Managing Users and User Groups for additional information To add another email address click Add type the email address in the window that appears and then click OK By def...

Page 196: ...protection against automated interception Add a CC NOC Note To create a valid connection the time settings on both the CC NOC and CC SG should be synchronized The best method of achieving this synchr...

Page 197: ...in the CC NOC range If CC SG range does not overlap the range configured in CC NOC then CC NOC will not return any target device information at all To stop CC NOC from monitoring a device it can be u...

Page 198: ...lete the process If the process does not complete within 5 minutes it times out and data is not saved in CC SG and any stored certificates are deleted Retry the procedure again go to Step 1 in Add a C...

Page 199: ...client user belongs Administrators who use SSH to access CC SG cannot logout a CC Super User SSH user but are able to log out all other SSH client users including System Administrators To access CC SG...

Page 200: ...spaces it should be surrounded by quotes copydevice b backup_id source_device_host target_device_host Copy device configuration disconnect u username p port_id id connection_id Close port connection e...

Page 201: ...ser upgradedevice id device_id host Upgrade device firmware exit Exit SSH session Typing the command followed by the h switch displays help for that command such as listfirmwares h Command Tips The fo...

Page 202: ...strative commands supported by the SX device are available Note Before you connect ensure that the SX device has been added to the CC SG 1 Type listdevices to ensure the SX has been added to CC SG Fig...

Page 203: ...Band Interface 3 Once connected to the node type the default Escape keys of followed by a dot At the prompt that displays you can enter specific commands or aliases as described below COMMAND ALIAS D...

Page 204: ...ics and restarting CC SG The Diagnostic Console admin account is separate and distinct from the admin account and password used in the CC SG administrator s Director Client and the html based Access C...

Page 205: ...nputs or screen navigation All other inputs are ignored The following table describes the statuses for CC SG and the CC SG database STATUS DESCRIPTION CC SG Status Up CC SG is available CC SG Status D...

Page 206: ...owever it may not work in all SSH clients or on the KVM console PRESS TO CTRL C or CTRL Q To exit Diagnostic Console CTRL L Clear screen and redraw the information but the information itself is not up...

Page 207: ...Screen with the contents of the System Buffer Save as Default Puts the current Admin Console Screen into System Buffer Has no effect on the Active Message display Make Active Replaces the current Acti...

Page 208: ...l Admin or Field Support access Figure 194 Edit Diagnostic Console Configuration 4 Click Save at the bottom of the screen or press the TAB key until Save is selected and then press Enter Editing Netwo...

Page 209: ...l be automatically populated once you save and you exit and re enter Admin Console If you choose Static type an IP Address required Netmask required Default Gateway optional Primary DNS optional and S...

Page 210: ...trip time so that effectively not more than one unanswered probes present in the network Minimal interval is 200 msec 4 Optionally type values for how many seconds the ping command will execute how ma...

Page 211: ...d or hop count exceeded events occur Editing Static Routes Network Interfaces In Static Routes you can view the current IP routing table and modify add or delete routes Careful use and placement of st...

Page 212: ...File names are either preceded by a timestamp indicating how recently the logfile has received new data or the file size of the logfile Timestamps are s seconds m minutes h hours and d days File size...

Page 213: ...etrieved and forwarded to Raritan Technical Support Access to the contents of this package is not available to customer Exported logfiles will be available for up to 10 days and then the system will a...

Page 214: ...of this Admin Console session use the TOP utility to dynamically monitor system resources Figure 200 Displaying Information 7 If desired you can filter the log file with a regular expression Type e t...

Page 215: ...ile 9 Select F1 to get help on all LogViewer options Pressing CTRL C and CTRL Q terminates this LogViewer session Restarting CC SG Admin You can restart CC SG which will log off all current CC SG user...

Page 216: ...Admin This option will reboot the entire CC SG which simulates a power cycle Users will not receive a notification CC SG SSH and Diagnostic Console users including this session will be logged off Any...

Page 217: ...unit To power off the CC SG 1 Click Operation Admin and then click CC SG System Power OFF 2 Either click Power OFF the CC SG or press ENTER to remove AC power from the CC SG Confirm the power down ope...

Page 218: ...l reset all or parts of the CC SG system back to their factory default values All active CC SG users will be logged off without notification and SNMP processing will stop It is highly recommended that...

Page 219: ...Clients to Out of Band nodes Inactivity Timer 1800 the time before idle sessions are logged out Modem Setting 10 0 0 1 10 0 0 2 none the setting for the modem Server IP Address Client IP Address and c...

Page 220: ...change the password which should be done via the Account Configuration menu The operation in these menus only applies to Diagnostic Console accounts status and admin and passwords it has no effect on...

Page 221: ...rs can be the same in the new password relative to the old MinLEN is the minimum length of characters required in the password Specify how many Digits Upper case letters Lower case letters and Other s...

Page 222: ...hentication token required or access is allowed and no password is required Do not lock out both the Admin and FS1 accounts at the same time or you cannot use Diagnostic Console Min Days The minimum n...

Page 223: ...en as shown above The status of both md0 and md1 arrays are UU Displaying Top Display Utilities This option displays the list of processes and their attributes that are currently running on CC SG as w...

Page 224: ...eration Utilities and then click NTP Status Display 2 The NTP Daemon can only be configured in the CC SG administrator s Director Client If NTP is not enabled and configured properly the following wil...

Page 225: ...entium III 1 GHz Memory 512 MB Network Interfaces 2 10 100 Ethernet RJ45 Hard Disk Controller 2 40 GB IDE 7200 rpm RAID 1 CD ROM Drive CD ROM 40x Read Only Environmental Requirements OPERATING Humidit...

Page 226: ...AMD Opteron 146 Memory 2 GB Network Interfaces 2 10 100 1000 Ethernet RJ45 Hard Disk Controller 2 80 GB SATA 7200 rpm RAID 1 CD ROM Drive DVD ROM Environmental Requirements OPERATING Humidity 8 90 RH...

Page 227: ...tel PRO 1000 PT Dual Port Server Adapter Hard Disk Controller 2 WD740ADFD SATA 74GB 10K RPM 16MB cache CD ROM Drive DVD ROM Environmental Requirements OPERATING Humidity 5 90 non condensing Altitude S...

Page 229: ...are to be enforced by the network Executive Summary In the sections below a very complete and thorough analysis of the communications and port usage by CC SG and its associated components is provided...

Page 230: ...IDE Figure 214 CC SG Deployment Elements Internet Unsecured Network CC SG Cluster Peer CC Clients Internal Network Firewall CC NOC CC Clients Raritan Device Serial KVM Out of Band Node Access In Band...

Page 231: ...t Number and Protocol used by CC SG Indicates if the port is Configurable which means the GUI or Diagnostic Console provides a field where you can change the port number to a different value from the...

Page 232: ...SG CC SG 3232 TCP no Access to Infrastructure Services The CC SG can be configured to use several industry standard services like DHCP DNS and NTP In order for CC SG to communicate with these optiona...

Page 233: ...ther The PC client connects directly to the target either via a Raritan device or In Band access which is called Direct Mode Or if the PC client connects to the target through CC SG which acts as an a...

Page 234: ...ther blocked The ports currently in use are 1088 1098 2222 4444 4445 8009 8083 and 8093 In addition to these ports CC SG may have a couple of TCP and UDP ports in the 32xxx or higher range open Extern...

Page 235: ...erver shut the connection abruptly when given a long username followed by a password Traditionally port 23 is used for telnet services However CC SG uses this port for SSH V2 Diagnostic Console sessio...

Page 237: ...ent Bulk Copy User Management User Group Manager Add User Group User Management Editing user groups User Management Via User Group Profile Delete User Group User Management Assign Users to Group User...

Page 238: ...start Device Device Port and Node Management or Device Configuration and Upgrade Management Ping Device Device Port and Node Management or Device Configuration and Upgrade Management Pause Management...

Page 239: ...gement or Device Configuration and Upgrade Management Port Manager Connect Device Port and Node Management Configure Ports Device Port and Node Management Bookmark Port Device Port and Node Management...

Page 240: ...Device Port and Node Management Via the Node Profile Delete Node Device Port and Node Management interfaceName In Band Access or Out of Band Access Disconnect In Band Access or Out of Band Access Powe...

Page 241: ...Band Access or Node Out of Band Access or Node Power Control Tree View Any of the following Device Port and Node Management or Node In Band Access or Node Out of Band Access or Node Power Control Ass...

Page 242: ...ers User Management Locked Out Users CC Setup and Control User Data To view all user data User Management To view your own user data None Users in Groups User Management Group Data User Security Manag...

Page 243: ...ce Port and Node Management User Management and User Security Management Message of the Day Setup CC Setup and Control Applications CC Setup and Control Firmware CC Setup and Control Configuration CC...

Page 244: ...MENU MENU ITEM REQUIRED PRIVILEGE DESCRIPTION Exit Maintenance Mode CC Setup and Control View None Window None Help None None means that no particular privilege is required Any user who has access to...

Page 245: ...eviceFirmware CC SG detected a device with incompatible firmware ccDeviceUpgrade CC SG has upgraded the firmware on a device ccEnterMaintenanceMode CC SG entered Maintenance Mode ccExitMaintenanceMode...

Page 247: ...er If you have problems adding devices ensure the devices have the correct firmware versions If the network interface cable is disconnected between the device and CC SG wait for the configured heartbe...

Page 249: ...cation Manager 6 1 on Windows Server 2003 RSA Secure ID SID700 hardware token Earlier RSA product versions should also work with CC SG but they have not been verified Setup Requirements Proper configu...

Page 251: ...access possible Generic answer Yes as long as PDA has a Java enabled browser and supports 128 bit or lower strength for some geographies SSL encryption Call Raritan Tech Support for further informatio...

Page 252: ...re some design guidelines for large scale systems Any constraints or assumptions Raritan provides two models for server scalability the datacenter model and the network model The datacenter model uses...

Page 253: ...d list Sometimes I receive a No longer logged in message when I click any menu in CC SG after leaving my workstation idle for a period of time Why CC SG times each user session If no activity happens...

Page 254: ...if the administrator is logged in on the console other access is denied Finally from the console the administrator can also disable the network interfaces when if necessary to block all other access N...

Page 255: ...horization be achieved via RADIUS TACACS LDAP LDAP and TACACS are used for remote authentication only not authorization User Experience Regarding console management via network port or local serial po...

Page 257: ...UTS 243 Appendix H Keyboard Shortcuts The following keyboard shortcuts can be used in the Director Client OPERATION KEYBOARD SHORTCUT Refresh F5 Print panel Ctrl P Help F1 Insert row in Associations t...

Page 258: ...Raritan Osaka 1 15 8 Nishihonmachi Nishi ku Osaka 550 0005 Japan Tel 81 6 4391 7752 Fax 81 6 4391 7761 Email sales raritan co jp Website Raritan co jp Asia Pacific Headquarters Raritan Taiwan 5F 121...
