Cisco CISCOWORKS COMMON SERVICES 3.0 User Manual

User Guide for CiscoWorks Common Services 3.0
CiscoWorks
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Customer Order Number: DOC-7816571 Text Part Number: 78-16571-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet , PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0411R)
User Guide for CiscoWorks Common Services
Copyright © 1998-2005 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
  Audience
  Conventions
  Product Documentation
  Related Documentation
  Additional Information Online
  Obtaining Documentation
  Cisco.com
  Ordering Documentation
  Documentation Feedback
  Obtaining Technical Assistance
  Cisco Technical Support Website
  Submitting a Service Request
  Definitions of Service Request Severity
  Obtaining Additional Publications and Information
CHAPTER 1 Overview
  New Features
  Understanding Time Zone Settings
  Learning More About the Common Services
CHAPTER 2 Interacting With CiscoWorks Homepage
  Invoking CiscoWorks Homepage
  Invoking CWHP in Normal Mode (HTTP)
  Invoking CWHP in SSL Enabled Mode (HTTPS)
  Logging Into CiscoWorks
  Using CWHP
  Common Services Panel
  Application Panels
  Supporting Applications on Another Server
  Supporting Traditional Applications With New Navigation
  Device Troubleshooting Panel
  Resources Panel
  CiscoWorks Product Updates Panel
  Tool Bar Items
  Configuring CWHP
  Registering Applications With CWHP
  Registering a New Application
  Importing from other servers
  Unregistering an Application
  Registering Links With CWHP
  Unregistering a Link
  Setting Up CiscoWorks Homepage
  Using Online Help
  Changing Web Server Port Numbers
CHAPTER 3 Configuring the Server
  Setting up Security
  Managing Security in Single Server Mode
  Setting up Browser-Server Security
  Enabling Browser-Server Security From the CiscoWorks Server
  Enabling Browser-Server Security From the Command Line Interface (CLI)
  About User Accounts
  Understanding Security Levels
  Setting up Local Users
  Modifying Your Profile
  Adding a User
  Editing User Profiles
  Deleting a User
  Creating Self Signed Certificate
  Managing Security in Multi-Server Mode
  Setting up Peer Server Account
  Setting up System Identity Account
  Setting up Peer Server Certificate
  Deleting Peer Certificates
  Enabling Single Sign-On
  Navigating Through the SSO Domain
  Registering Server Links
  Launching a new Browser Instance
  Changing the Single Sign-On Mode
  Setting up the AAA Mode
  About Common Services Authentication
  Cisco Secure ACS Support for Common Services Client Applications
  Setting the Login Module to Non-ACS
  Changing Login Module to CiscoWorks Local
  Changing Login Module to IBM SecureWay Directory
  Changing Login Module to KerberosLogin
  Changing Login Module to Local Unix System
  Changing Login Module to Local NT System
  Changing Login Module to MS Active Directory
  Changing Login Module to Netscape Directory
  Changing Login Module to Radius
  Changing Login Module to TACACS+
  Understanding Fallback Options for Non-ACS mode
  Setting the Login Module to ACS
  Assigning Privileges in ACS
  Creating and Modifying Roles in ACS
  Resetting Login Module
  Understanding Fallback Options for ACS Mode
  Managing Cisco.com Connection
  Setting up Cisco.com User Account
  Setting Up the Proxy Server
  Generating Reports
  Log File Status Report
  Permissions Report
  Users Logged In Report
  Process Status Report
  Viewing Audit Log Report
  Administering Common Services
  Using Daemon Manager
  Restarting Daemon Manager on Solaris
  Restarting Daemon Manager on Windows
  Managing Processes
  Viewing Process Details
  Starting a Process
  Stopping a Process
  Backing Up Data
  Backing up Using CLI
  Data Backed up During CS 3.0 Backup
  Restoring Data
  Restoring Data on UNIX
  Restoring Data on Windows
  Data Restored from Common Services 3.0 Backup Archive
  Data Restored from Common Services 2.2 Backup Archive
  Data Restored from CD One 5th Edition Backup Archive
  Effects of Backup-Restore on DCR
  Master-Slave Configuration Prerequisites and Restore Operations
  Effects of Backup-Restore on Groups
  Licensing CiscoWorks Applications
  Obtaining a License for CiscoWorks Applications
  Licensing the Application
  Viewing License Information
  Updating Licenses
  Collecting Server Information
  Collecting Self Test Information
  Messaging Online Users
  Managing Jobs
  Managing Resources
  Maintaining Log Files
  Maintaining Log Files on UNIX
  Maintaining Log Files on Windows
  Using Logrot
  Configuring Logrot
  Running Logrot
  Modifying System Preferences
CHAPTER 4 Managing Device and Credentials
  DCR Architecture
  Master DCR
  Slave DCR
  Standalone DCR
  Using the Device and Credential Admin
  Managing Devices
  Adding Devices
  Standard Type
  Auto Update Type
  Cluster Managed Type
  Deleting Devices
  Editing Device Credentials
  Importing Devices and Credentials
  Import Using DCA Interface
  Exporting Devices and Credentials
  Export Using DCA Interface
  Excluding Devices
  A Sample CSV Exclude File
  Viewing Devices List
  Generating Reports in DCA
  Managing Auto Update Servers
  Adding Auto Update Server
  Editing Auto Update Server
  Deleting Auto Update Server
  Administering Device and Credential Repository
  Changing DCR Mode
  Master-Slave Configuration Prerequisites
  Changing the Mode to Standalone
  Changing the Mode to Master
  Changing the Mode to Slave
  Adding User-defined Fields
  Renaming User-defined Fields
  Deleting User-defined Fields
  Sample CSV File
  A Sample CSV 2.0 File
  A Sample CSV 3.0 File
  Sample CSV 3.0 File for Auto Update Server Managed Devices
  Sample CSV 3.0 File for Cluster Managed Devices
  Mapping CSV 2.0 to CSV 3.0 Fields
  Sample XML File
  Sample XML File (Standard)
  Sample XML File for Auto Update Server Managed Devices
  Sample XML File for Cluster Managed Devices
  Using DCR Features Through CLI
  Adding Devices Using dcrcli
  Deleting Devices Using dcrcli
  Editing Devices Using dcrcli
  Listing the Attributes
  Viewing the Current DCR Mode Using dcrcli
  Viewing Device Details
  Changing DCR Mode Using dcrcli
  Import Using CLI
  Export Using CLI
  Implications of ACS Login Module on DCR
  Custom Roles and DCR
CHAPTER 5 Administering Groups
  Group Concept
  Group Hierarchy
  Dynamic Group
  Static Group
  Container Groups
  System-defined and User-defined Groups
  Common Groups and Shared Groups
  Secure Views
  Groups in a Single-Server Setup
  Groups in Multi-Server Setup
  DCR Mode Changes and Group behavior
  Unregistering a Slave
  Group Administration
  Creating Groups
  Specifying Group Properties
  Defining Group Rules
  Assigning Group Membership
  Removing Devices
  Viewing Group Details
  Modifying Group Details
  Refreshing Groups
  Deleting Groups
  System Defined and User Defined Attributes
CHAPTER 6 Using Device Center
  Launching Device Center
  Invoking Device Center
  Using Device Center Functions
  Device Selector
  Device Summary
  Management Functions
  Enabling Debugging Tools
  Checking Device Connectivity
  Using Ping
  Using Traceroute
  Using SNMP Walk
  Using SNMP Set
  Using Packet Capture
  Creating a New Packet Capture File
  Editing Device Credentials
  Displaying Reports
  Performing Management Tasks
CHAPTER 7 Working With Software Center
  Performing Software Updates
  Performing Device Update
  Deleting Packages
  Scheduling Device Package Downloads
  Viewing Activity Logs
CHAPTER 8 Diagnosing Problems With CiscoWorks Server
  Verifying Server Status
  Testing Device Connectivity
  Troubleshooting the CiscoWorks Server
  Frequently Asked Questions
  Troubleshooting Suggestions
APPENDIX A Understanding CiscoWorks Security
  General Security
  Server Security
  Server–Imposed Security
  Files, File Ownership, and Permissions
  Runtime
  Remote Connectivity
  Access to Systems Other Than the CiscoWorks Server
  Access Control
  System Administrator-Imposed Security
  Connection Security
  Security Certificates
  Terms and Definitions
INDEX
Preface
This document describes CiscoWorks Common Services 3.0 and gives an overview of the features and functions provided by CiscoWorks Common Services.
Audience
This manual is for network administrators who need to configure and maintain CiscoWorks Common Services. Most of the tools and applications described are available only to systems administrators.
Conventions
This document uses the following conventions:
Item: Convention
Commands and keywords: boldface font
Variables for which you supply values: italic font
Displayed session and system information: screen font
Information you enter: boldface screen font
Variables you enter: italic screen font
Menu items and button names: boldface font
Selecting a menu item in paragraphs: Option > Network Preferences
Selecting a menu item in tables: Option > Network Preferences
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Product Documentation
Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 1 describes the product documentation that is available.
Table 1 Product Documentation
Document Title: Available Formats
Release Notes for CiscoWorks Common Services 3.0:
  Printed document that was included with the product.
  On Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser30/relnotes/index.htm
Installation Guide for CiscoWorks Common Services 3.0 on Windows:
  PDF on the product CD-ROM.
  On Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser30/ig_win/index.htm
  Printed document available by order (part number DOC-7816497=). [1]
Installation Guide for CiscoWorks Common Services 3.0 on Solaris:
  PDF on the product CD-ROM.
  On Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser30/ig_sol/index.htm
  Printed document available by order (part number DOC-7815885=). [1]
User Guide for CiscoWorks Common Services 3.0 (this document):
  PDF on the product CD-ROM.
  On Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser30/usrguide/index.htm
  Printed document available by order (part number DOC-7816571=). [1]
Context-sensitive online help:
  Select an option from the navigation tree, then click Help.
  Click the Help button in the dialog box.
[1] See the “Obtaining Documentation” section on page xvi.
Related Documentation
Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 2 describes the additional documentation that is available.
Table 2 Related Documentation
Document Title: Available Formats
Quick Start Guide for LAN Management Solution 3.0:
  Printed document that was included with the product.
  PDF on the product CD-ROM.
  On Cisco.com at:
Additional Information Online
To determine which packages are installed on your CiscoWorks Server, select Common Services > Software Center > Applications and Versions.
You can also obtain any published patches from the download site.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1): Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2): Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3): Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4): You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
CHAPTER 1
Overview
CiscoWorks Common Services (Common Services) represents a common set of management services that are shared by CiscoWorks applications. CiscoWorks is a family of products based on Internet standards for managing networks and devices. All CiscoWorks products use and depend on Common Services.
Common Services provides a foundation for CiscoWorks applications to share a common model for data storage, login, user role definitions, access privileges, security protocols, as well as navigation.
It creates a standard user experience for all management functions. It also provides the common framework for all basic system level operations such as installation, data management including backup-restore and import-export, event and message handling, and job and process management.
Common Services 3.0 provides a set of new features required to drive the CiscoWorks applications towards a common look and feel. The new CiscoWorks Homepage replaces the existing desktop.
Common Services 3.0 enables sharing of critical information among the various products, and provides a new framework for delivering timely support of new devices. In addition, it supports new platforms, and provides enhanced security mechanisms.
New Features
The major new features in this release:
CiscoWorks Homepage: Provides launch points for CiscoWorks family of products and other resources. The HTML based CiscoWorks Homepage replaces the Java applet based Desktop.
Device and Credential Repository (DCR): Provides a central place for management of devices and their credentials that the different applications managing those devices can use. Sharing of devices and credentials helps in common administration.
Device Center: Provides a one-stop place where you can see a summary for a device, and launch troubleshooting tools, management tasks, and reports for the selected device.
Groups: Provides a mechanism for applications to create shared device groups. Provides grouping facility based on various attributes in Device and Credential Repository (DCR).
Software Center: Allows you to download and deploy device packages and software patches.
Enhanced security to support SNMPv3 authNoPriv: Provides packet level security, integrity protection, and replay protection. However, it does not encrypt the packets.
Enhanced restore framework: Enables Common Services and its applications to restore the data backed up from an earlier version.
Security mechanisms for managing security in Single-Server and Multi-Server scenarios. Granular role based access.
New utilities for diagnosing problems with CiscoWorks Server, and managing log files.
New licensing framework.
Support for IPv6.
HTML based Online help.
Understanding Time Zone Settings
Common Services and associated CiscoWorks application suites support many time zones. However, applications that have scheduling and reporting functions, and applications that produce or use time stamps vary based on:
Server and client: Time stamps can differ between server and client if they are located in different time zones.
Platforms: Windows and UNIX servers support different time zones and are not synchronized.
For detailed information, see the Release Notes included with your CiscoWorks applications.
Learning More About the Common Services
You can find detailed information on the features and functions of CiscoWorks Common Services in the following sections:
Interacting With CiscoWorks Homepage
Setting up Security
Generating Reports
Administering Common Services
Managing Device and Credentials
Administering Groups
Using Device Center
Working With Software Center
In addition, the Online help included with Common Services provides explanations and procedures for the related tasks.
You can launch the Online help from the CiscoWorks Homepage by clicking the Help button on top of the right hand side of the CiscoWorks Homepage.
For tips about accessing Online help, see Using Online Help.
You can check the version details and licensing information about Common Services by clicking the About button on top of the right hand side of the CiscoWorks Homepage.
CHAPTER 2
Interacting With CiscoWorks Homepage
CiscoWorks Homepage (CWHP) provides launch points for all Common Services features. It also provides launch points for applications installed on the same server or a remote server, and their major functions.
CWHP also provides launch points for other web-based products (Non-CiscoWorks products and third party/home-grown tools) residing on the same or a different server.
After you install the applications, you can see the application panels on CWHP.
CWHP supports application oriented and device oriented navigation paradigms. When you select any of the application functions on CWHP, it launches the application homepage, and the selected function is launched in application homepage content area.
CWHP is completely based on HTML, and provides intuitive navigation for you to move back-and-forth between CiscoWorks Homepage, and all other application homepages.
CWHP has the look and feel of a portal. By default, CWHP provides launch points for:
Server
HomePage
Device and Credentials
Groups
Software Center
Device Center
The following sections explain the CWHP features, in detail:
Invoking CiscoWorks Homepage
Logging Into CiscoWorks
Using CWHP
Configuring CWHP
Using Online Help
Changing Web Server Port Numbers
Invoking CiscoWorks Homepage
You may invoke CWHP in the normal mode (HTTP), or secure mode (HTTPS).
Invoking CWHP in Normal Mode (HTTP)
To invoke CWHP in the normal mode (HTTP), enter the URL for your CiscoWorks Server in your web browser:
http://server_name:port_number
where server_name is the name of the CiscoWorks Server and port_number is the TCP port used by the CiscoWorks Server, in the normal mode.
If you enter http://server_name:port_number/login.html in your browser, the CiscoWorks Server will not launch. Also, do not bookmark the URL with the login.html.
In normal mode (HTTP), the default TCP port for CiscoWorks Server is 1741.
On Windows, the CiscoWorks Server always uses the default port numbers in secure and normal modes.
On Solaris, if the default TCP ports (1741 and 443) are used by other applications, you can select different ports for secure and normal modes during CiscoWorks Server installation.
For more information, see the “Logging Into CiscoWorks” section on page 2-4. See also, Installation and Setup Guide for CiscoWorks Common Services on Solaris.
Invoking CWHP in SSL Enabled Mode (HTTPS)
To invoke CWHP in the SSL enabled mode (HTTPS):
Step 1 Enter the URL for your CiscoWorks Server in your browser.
http://server_name:port_number
where server_name is the name of the CiscoWorks Server and port_number is the TCP port used by the CiscoWorks Server, when SSL is enabled (secure mode).
If you enter http://server_name:port_number/login.html in your web browser, the CiscoWorks Server will not launch. Also, do not bookmark the URL with the login.html.
When SSL is enabled (HTTPS), the default TCP port for CiscoWorks Server is 443.
On Windows, CiscoWorks Server always uses the default port numbers in secure and normal modes.
On Solaris, if the default TCP ports (1741 and 443) are used by other applications, you can select different ports for secure and normal modes during CiscoWorks Server installation. For more information, see Installation and Setup Guide for CiscoWorks Common Services on Solaris.
If you use Microsoft Internet Explorer to invoke CWHP, the browser displays a Security Alert window, indicating that you are about to view web pages over a secure connection.
a. Click OK in the Security Alert window.
The Security Alert window displays the security certificate alert.
b. Click Yes in the Security Alert window.
If you use Netscape Navigator to invoke CWHP, the browser displays the New Site Certificate wizard.
In the New Site Certificate wizard you can accept the certificate for the current session or accept it till the certificate expires. To avoid going through the New Site Certificate wizard every time you invoke CWHP, you may accept the certificate till it expires.
If Common Services is running in a Plug-in environment, it displays Plug-in alert dialogs. (For example, Server Certificate details, Hostname Mismatch details).
Step 2 Click Yes in the Plug-in alert dialogs to get to the Login panel.
If the server is in SSL mode and you invoke Common Services as http://server_name:1741, you will be redirected to https://server_name:443.
Logging Into CiscoWorks
If you have installed CiscoWorks Server and are logging in for the first time, use the reserved admin user name and password.
To log in:
Step 1 Enter admin in the User ID field, and the password for admin in the Password field of the Login Page.
The CiscoWorks Server administrator can set the passwords for the admin and guest users during installation. Contact the CiscoWorks Server administrator if you do not know the password.
Step 2 Click Login or press Enter.
You are now logged into CiscoWorks Server.
Step 3 You can change the admin password at Common Services > Server > Security > User Management.
For more information, see Online Help.
Login sessions time out after two hours of inactivity. If the session is not used for two hours, you will be prompted to log in again.
Session timeout is not automatic. If you try to do any task after timeout, a message appears informing you that your session has timed out.
The Login screen replaces the current page of the current browser window. After you log in, the page you were on before re-logging in, appears.
Using CWHP
CiscoWorks Homepage is the primary user interface and the launch point for all features. After you log in to CiscoWorks, the default CiscoWorks Homepage appears.
The CWHP window consists of:
Common Services Panel
Application Panels
Device Troubleshooting Panel
Resources Panel
CiscoWorks Product Updates Panel
Tool Bar Items
Common Services 3.0 and CiscoWorks applications use popup dialog boxes at many places.
If you have a popup-blocker enabled in your browser, none of these popups would appear. Therefore, you have to disable the popup-blocker, if you have installed any.
Common Services Panel
The Common Services Panel displays all Common Services functions. The Common Services panel appears in a tree window.
First level items displayed in the Tree window are:
Server
HomePage
Software Center
Device and Credentials
Groups
Application Panels
Each Application Panel in the CWHP serves as a top-level launch point for all Common Services applications installed on the local/remote server.
Applications appear in the CWHP in three columns. By default, only the first level items are displayed when you log in. These first level items are in collapsed mode. Lower level navigations are displayed only if you manually expand a first level item.
The title of each application panel displays the application name and it serves as a link to the relevant application homepage.
Application tasks are displayed in a hierarchical manner. When you select a task from the hierarchy, it launches the application homepage in a new window.
If the corresponding application homepage already exists for some other task, the window for this task is focussed, instead of creating a new window.
To launch the URL associated with the item in the popup window, click on the label.
Supporting Applications on Another Server
CiscoWorks applications from other servers can be made to display in the same way as CiscoWorks applications from the local server.
For this, you should import registration details of CiscoWorks applications installed on other servers. This allows you to navigate various CiscoWorks applications from same or different bundles (such as LMS, RWAN, VMS), from a single homepage.
You should authenticate yourself before using applications from other server (once for each server, for each session), even if you are authenticated on the local server.
Common Services will not do the license check. Applications need to authenticate and do the license check.
For details on transparently navigating through multiple CiscoWorks Servers, see the “Enabling Single Sign-On” section on page 3-15.
Supporting Traditional Applications With New Navigation
CWHP also displays the applications that are based on the traditional CiscoWorks Common Services desktop.
CWHP provides a Product Home Page, which looks similar to the traditional CiscoWorks Common Services desktop. Traditional applications are registered during installation to display their links on CWHP.
Device Troubleshooting Panel
The Device Troubleshooting panel provides a launch point to the Device Center. See Chapter 6, Using Device Center for details.
Resources Panel
Resources panel is on the top of the right hand side of the CWHP. It also serves as a top-level launch point for CiscoWorks resources, Cisco.com resources, third party application links, and web based custom tool links. This panel shows the types of resources as first level and details in the next level.
Note CWHP provides an Admin UI to turn off this information if you are behind the firewall or if you do not want this information to be displayed in CWHP.
CiscoWorks Product Updates Panel
CiscoWorks Product Updates panel is on the right hand side of the page. It displays informative messages about CiscoWorks product announcements, and help related topics.
If you click the More Updates link, a popup window appears with all the Cisco Product Update details.
In case the CiscoWorks Server is behind a firewall, the proxy settings are used to download messages from Cisco.com. CWHP provides an Admin UI to accept the proxy settings. CWHP alerts you if any urgent messages are found.
By default, the polling interval is one minute. You can change this polling interval.
Tool Bar Items
Three buttons are available on top of the right hand side of the CWHP:
Logout—Returns the browser to the Login dialog box.
Help—Displays the Online help in a separate browser window. See Using Online Help for details.
About—Displays the general information about the software. The window displays license information, version and patch level, installation date and copyright information.
Configuring CWHP
The Application Registration, Link Registration, and Settings links under Homepage help you configure your CiscoWorks Homepage. They help you in:
Registering Applications With CWHP
Registering Links With CWHP
Setting Up CiscoWorks Homepage
Registering Applications With CWHP
Using this feature you can register CiscoWorks applications on local or remote servers. You need to enter application instance attributes (host, port, and protocol).
Other information, such as AppName and the URLs available, is already defined by the application in a template.
During registration you are prompted to select an application template and then register with CiscoWorks Server. The registration enables the application to be integrated with other applications based on the template definition. It also helps application launch points to be displayed on CWHP.
To register applications:
Step 1 Select Common Services > HomePage > Application Registrations.
The Application Registration Status page appears.
Step 2 View the list of registered applications in the Registered Applications dialog box.
Registering a New Application
To register a new application:
Step 1 Click Registration in the Registered Applications dialog box.
The Choose Location for Registration page appears. A wizard guides you through the process.
Step 2 Choose the location for registration.
You can choose to Register from Templates or Import from Other servers.
To register from Templates:
Step 1 Select the Register from Templates radio button and click Next.
The Registration Through Template page appears. A list of templates appears in the Select a Template to Register dialog box.
Step 2 Select the radio button corresponding to the Template you require and click Next.
The Server Attributes page appears.
Step 3 Enter the Server attributes in the Server attributes dialog box and click Next.
The Registration Summary page displays the Application Registration summary window. It displays a summary of the information you entered.
Step 4 Click Finish.
Importing from other servers
You must perform the following tasks before importing application registrations from other servers. This is to ensure a secure environment for importing registrations.
Create self signed certificates for the local and remote servers (if not already done).
Add the remote server's certificate to the local server. See Setting up Peer Server Certificate for details.
Restart the local server.
Create a Peer Server user on the remote server. Configure this user as a System Identity user in the local server. See Setting up Peer Server Account and Setting up System Identity Account for details.
To import from other servers:
Step 1 Select the Import from Servers radio button and click Next.
The Import Registrations page appears.
Step 2 Enter the Server Name, Server Display Name, and the secure Port Number in the Import Servers Attributes dialog box.
Step 3 Click Next.
The Import Registrations Summary window displays a summary of the information you entered.
Step 4 Click Finish.
Unregistering an Application
To unregister an application:
Step 1 Select Common Services > HomePage > Application Registrations.
The Application Registration Status page appears. You can view the list of registered applications in the Registered Applications dialog box.
Step 2 Select the radio button corresponding to the Application you want to unregister, and click Unregister.
The Applications to be Unregistered window appears with the details of the Application unregistered.
Step 3 Click Confirm.
Registering Links With CWHP
You can add additional links to CiscoWorks Homepage for Custom tools and home grown tools, and third party applications such as HPOV. The links appear under the Third Party or Custom Tools, as you specify.
To register links with CiscoWorks Homepage:
Step 1 Select Common Services > HomePage > Links Registration.
The Links Registration Status page appears.
Step 2 Click Registration.
The Enter Link Attributes dialog box appears.
Step 3 Enter the Link Name and the URL.
Select the radio button corresponding to Third Party or Custom Tools to set the display location.
Step 4 Click OK.
Unregistering a Link
To unregister a link:
Step 1 Select Common Services > HomePage > Links Registration.
The Links Registration Status page appears.
Step 2 Select the check box corresponding to the link you need to unregister.
Step 3 Click Unregister.
Setting Up CiscoWorks Homepage
You can configure or change the CiscoWorks Homepage settings. To modify CiscoWorks Homepage settings:
Step 1 Select Common Services > HomePage > Settings.
The Homepage Settings page displays the Homepage Settings dialog box.
Step 2 Enter a name for the CiscoWorks Server in the Change Homepage Server Name field.
You can use this name in the Provider Group name in the Common Services Groups UI. See “System-defined and User-defined Groups” section on page 5-3 for details on Provider Group.
Step 3 Select the Hide External Resources check box to hide the Resources and CiscoWorks Product Updates panels in the Homepage.
Step 4 Enter the display name you want for Third Party tools in the Custom Name for Third Party field.
Step 5 Enter the display name you want for Custom tools/homegrown tools in the Custom Name for Custom Tools field.
Step 6 Select a value from the Urgent Messages Polling Interval drop-down list to set the polling interval for messages.
The time you set here decides the polling interval for disk watcher messages and messages you want to broadcast using the Notify Users features. To disable this feature, select DISABLE from the drop-down list.
Disk watcher is a utility that monitors the file system. If the file system size goes above 90 percent, it displays an alert to logged in CiscoWorks users. You can use this to monitor critical file systems.
To know more about the Notify Users feature, see “Messaging Online Users” section on page 3-72.
Step 7 Click Update.
You can update any one of the above settings by clicking Update.
If you have changed the Homepage Server Name, a popup window appears prompting you to confirm whether you want to use this name in Provider Group name.
Click OK if you want the name to be suffixed to the Provider Group name.
You need to restart Daemon Manager for the Provider Group name change to take effect. See “Using Daemon Manager” section on page 3-52 for details on restarting Daemon Manager.
Using Online Help
Each CiscoWorks application includes online help that provides procedural and conceptual information to assist you in using CiscoWorks.
Online help also contains:
A search engine—Allows you to search the topics in Help, based on keywords.
An index—Contains typical network tasks.
A glossary.
To access Online help, click the Help button on the top-right corner. This opens a window that displays help contents. From this window, you can access help for all the CiscoWorks applications installed.
Changing Web Server Port Numbers
To change the web server port numbers, you must execute separate commands for both Windows and Solaris.
On Solaris:
You can change the web server port numbers (for HTTP and HTTPS) for CiscoWorks webservers.
To change the port numbers you must login as CiscoWorks Server administrator, and run the following command at the prompt:
/opt/CSCOpx/MDC/Apache/bin/changeport
If you run this command without any command line parameter, CiscoWorks displays:
*** CiscoWorks Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where
port number—The new port number that should be used
-s—Changes the SSL port instead of the default HTTP port
-f—Forces port change even if Daemon Manager detection FAILS.
Note Do not use this option by default. Use it only when CiscoWorks instructs you to use.
For example, you can enter:
changeport 1744—Changes the CiscoWorks web server HTTP port to use 1744.
Or
changeport port number -s—Changes the CiscoWorks web server HTTPS port to use the specified port number.
If you change the port after installation, CiscoWorks will not launch from Start menu (Start > Programs > Ciscoworks > Ciscoworks). You have to manually invoke the browser, and specify the URL, with the changed port number.
The restrictions that apply to the specified port number are:
Port numbers less than 1025 are not allowed except 80 (HTTP) and 443 (HTTPS). Also port 80 is not allowed for SSL port, and port 443 is not allowed for HTTP port.
The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and ports listed in /etc/services. If there is any conflict, it rejects the specified port.
The port number must be a numeric value in the range 1026 – 65000. Values outside this range, and non-numeric values are not allowed.
If port 80 or 443 is specified for any of the webservers, that webserver process is started as root. This is because ports lower than 1026 are allowed to be used only by root in Solaris.
However, according to Apache behavior, only the main webserver process runs as root, and all the child processes run as casuser:casusers. Only the child processes serve the external requests.
The main process, which runs as root, monitors the child processes. It does not accept any HTTP requests. Owing to this, Apache ensures that a root process is not exposed to the external world, and thus ensures security.
If you do not want CiscoWorks processes to run as root, do not use the ports 80 and 443.
When you execute the utility with the appropriate options, it displays messages on the tasks it performs.
This utility lists out all the files that are being updated. Before updating, the utility backs up all the affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the CiscoWorks directory.
A sample backup may be similar to:
/opt
|
`--/CSCOpx
   |
   `--/conf
      |
      `--/backup
         |
         |--README.txt (Note the purpose of this directory as it is initially empty)
         |
         `--/AAAtpaG03_Ciscobak (Autogenerated unique backup directory).
            |
            |--index.txt (The backup file list)
            |--httpd.conf (Webserver config file)
            |--md.properties (CiscoWorks config elements)
            |--mdc_web.xml (Common Services application config file)
            |--regdaemon.key (Common Services config registry key file)
            |--regdaemon.xml (Common Services config registry data file)
            |--rootapps.conf (CiscoWorks daemons using privileged ports)
            |--services (The system /etc/services file)
            |--ssl.properties (CiscoWorks config elements for SSL mode)
            `--vms_web.xml (Common Services application config file)
Note All the above files and the unique directories are stored with read only permission to casuser:casusers. To ensure the security of the backup files, only the CiscoWorks Server administrator has write permissions.
The change port utility displays messages to the console, as it runs. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log.
This file is saved to the directory: /var/adm/CSCOpx/log/changeport.log
This file contains the date and time stamps to indicate when the log entries were created.
On Windows:
You can change the web server port numbers (for HTTP and HTTPS) for the CiscoWorks Webserver.
To change the port numbers you must have administrative privileges. Run the following command at the prompt:
CSCOpx\MDC\Apache\changeport.exe
If you run this utility without any command line parameter, CiscoWorks displays the following usage text:
*** Common Services Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where:
port number—The new port number that should be used
-s—Change the SSL port instead of the default HTTP port
-f—Force port change even if Daemon Manager detection fails.
Note Do not use this option by default. Use it only when CiscoWorks instructs you to use.
For example, you can enter:
changeport 1744—Changes the Common Services web server HTTP port to use 1744.
Or
changeport port number -s—Changes the Common Services web server HTTPS port to use the specified port number.
The restrictions that apply to the specified port number are:
Port numbers less than 1025 are not allowed except 80 (HTTP) and 443 (HTTPS). Also port 80 is not allowed for HTTPS port and port 443 is not allowed for HTTP port.
The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and if any conflict is found the utility rejects the specified port.
There is no reliable way to determine whether any other service or application is using a specified port. If the service or application is running and actively listening on a port, it can be easily detected.
However, if the service is currently stopped, there is no way that the utility can determine what port it uses. This is because on Windows there is no common port registry equivalent to /etc/services as in UNIX.
The port number must be a numeric value in the range 1026 – 65000. Values outside this range, and non-numeric values are not allowed.
When you run the utility with the appropriate options, it displays messages on the actions it is performing.
It lists out all the files that are being updated. Before updating, the utility backs up all the affected files in CSCOpx\conf\backup, and creates appropriate unique sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the CiscoWorks directory.
A sample backup may be similar to:
[drive:]
|
`--\Program Files
   |
   `--\CSCOpx
      |
      `--\conf
         |
         `--\backup
            |
            |--README.txt (Notes the purpose of this dir as it is initially empty)
            |
            `--\skc03._Ciscobak (Autogenerated unique backup directory).
               |
               |--index.txt (The backup file list)
               |--httpd.conf (Webserver config file)
               |--md.properties (CiscoWorks config elements)
               |--mdc_web.xml (Common Services application config file)
               |--regdaemon.key (Common Services config registry key file)
               |--regdaemon.xml (Common Services config registry data file)
               |--ssl.properties (CiscoWorks config elements for SSL mode)
               `--vms_web.xml (Common Services application config file)
Note All the above files and the unique directories are stored with read only permissions. Only the administrator and casuser have write permissions, to ensure the security of the backup files.
The change port utility displays messages on the console, as it runs. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log.
This file is saved to the directory: NMSROOT\log\changeport.log
This log file contains the date and time stamps to indicate when the log entries were created.
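The port restrictions listed above for Solaris and Windows can be checked before changeport is run. The following Python sketch is an added example, not part of this guide or of the changeport utility; the function names, the constructed services sample, the TCP-only matching, and the exemption of ports 80 and 443 from the registry check are assumptions of the example.

```python
"""Pre-check a candidate web server port against the documented restrictions."""
import socket

# Constructed sample in /etc/services format (not copied from a real host).
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases]
ssh             22/tcp
http            80/tcp          www
https           443/tcp
ingreslock      1524/tcp        ingres
x11             6000/tcp        # X Window System
syslog          514/udp
"""

WELL_KNOWN = {80, 443}                 # the only ports below the range that are allowed
RANGE_LOW, RANGE_HIGH = 1026, 65000    # numeric range stated in the guide


def parse_services(text):
    """Return {tcp_port: service_name} parsed from /etc/services-style text."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        number, proto = fields[1].split("/", 1)
        # Assumption: only TCP entries matter for a web server port.
        if proto.lower() == "tcp" and number.isdigit():
            ports.setdefault(int(number), fields[0])
    return ports


def is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def check_port(value, ssl=False, services_text=None, probe=is_listening):
    """Apply the documented rules; return a dict with the verdict and reasons.

    services_text is the content of /etc/services on Solaris. Pass None on
    Windows, where no such registry exists and a stopped service's port
    therefore cannot be detected.
    """
    text = str(value).strip()
    if not (text.isascii() and text.isdigit()):
        return {"ok": False, "reasons": ["non-numeric value"],
                "starts_as_root_on_solaris": False}
    port = int(text)
    reasons = []
    if port in WELL_KNOWN:
        if ssl and port == 80:
            reasons.append("port 80 is not allowed for the SSL port")
        if not ssl and port == 443:
            reasons.append("port 443 is not allowed for the HTTP port")
    elif not RANGE_LOW <= port <= RANGE_HIGH:
        reasons.append("outside the range 1026 - 65000")
    # Assumption: the standard registry entries for 80 and 443 are not
    # treated as conflicts, because the guide explicitly permits those ports.
    if services_text is not None and port not in WELL_KNOWN:
        owner = parse_services(services_text).get(port)
        if owner:
            reasons.append("listed in the services registry as " + owner)
    if probe(port):
        reasons.append("a process is already listening on this port")
    return {"ok": not reasons, "reasons": reasons,
            "starts_as_root_on_solaris": port in WELL_KNOWN}


if __name__ == "__main__":
    for candidate, use_ssl in [("1744", False), ("443", False), ("1524", True)]:
        print(candidate, use_ssl, check_port(candidate, use_ssl, SAMPLE_SERVICES))
```

Passing services_text=None reproduces the Windows limitation described above: port 1524 is accepted there although the Solaris check against /etc/services would reject it.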
CHAPTER 3
Configuring the Server
Common Services includes administrative tools to configure the server, manage security, and data. You can set up security mechanisms, manage processes, jobs, resources, and generate reports that provide troubleshooting information about the status of the server.
Setting up Security
Common Services provides security mechanisms that help to prevent unauthenticated access to the CiscoWorks Server, CiscoWorks applications, and data. Common Services provides features for managing security when operating in single-server and multi-server modes.
You can specify the user authentication mode using the AAA Mode Setup. You can create user accounts on Cisco.com using the Cisco.com Connection Management UI.
Managing Security in Single Server Mode
You can set up browser-server security, add and modify users, and create a self signed certificate using the features that come under the Single-Server Management link in the Security Settings UI.
For details, see:
Setting up Browser-Server Security
Setting up Local Users
Creating Self Signed Certificate
Setting up Browser-Server Security
Common Services provides secure access between the client browser and management server, and also between the management server and devices. It does this using SSL (Secure Socket Layer).
SSL encrypts the transmission channel between the client, and server.
SSL is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys.
You can enable or disable SSL, depending on the need to use secure access between the client browser and the management server.
CiscoWorks Server uses certificates for authenticating secure access between the client browser and the management server.
Enabling Browser-Server Security From the CiscoWorks Server
Enabling Browser-Server Security From the Command Line Interface (CLI)
Enabling Browser-Server Security From the CiscoWorks Server
To enable Browser-Server Security:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2 Select the Enable check box.
Step 3 Click Apply.
Step 4 Log out from your CiscoWorks session, and close all browser sessions.
Step 5 Restart the Daemon Manager from the CiscoWorks Server CLI:
On Windows:
a. Enter net stop crmdmgtd
b. Enter net start crmdmgtd
On Solaris:
a. Enter /etc/init.d/dmgtd stop
b. Enter /etc/init.d/dmgtd start
Step 6 Restart the browser, and the CiscoWorks session.
When you restart the CiscoWorks session after enabling SSL, you must enter the URL with the following changes:
The URL should begin with https instead of http to indicate secure connection. CiscoWorks will automatically redirect you to HTTPS mode if SSL is enabled.
Change the port number suffix from 1741 to 443.
If you do not make the above changes, CiscoWorks Server will automatically redirect you to HTTPS mode with port number 443. The port numbers mentioned above are applicable for CiscoWorks Server running on Windows.
On Solaris, if the default port (1741) is used by another application, you can select a different port during CiscoWorks Server installation. For details, see Installation and Setup Guide for CiscoWorks Common Services on Solaris.
Enabling Browser-Server Security From the Command Line Interface (CLI)
To enable Browser-Server Security from CLI:
Step 1 Go to the command prompt.
Step 2 Navigate to the directory NMSROOT\MDC\Apache.
Step 3 Enter NMSROOT\bin\perl ConfigSSL.pl -enable
Step 4 Press Enter.
About User Accounts
Several CiscoWorks network management and application management operations are potentially disruptive to the network or to the applications themselves, and must be protected.
To prevent such operations from being used accidentally or maliciously, CiscoWorks uses a multi-level security system that only allows access to certain features to users who can authenticate themselves at the appropriate level.
Common Services provides two predefined login IDs:
guest—Specify a password during installation. User role is Help Desk.
admin—Specify the password during installation. The user role is a combination of System Administrator, Network Administrator, Network Operator, Approver, and Help Desk.
The login named admin is the equivalent of a superuser (in UNIX) or an administrator (in Windows). This login provides access to all CiscoWorks tasks.
However, as an administrator, you can create additional unique login IDs for users at your company.
Note The CiscoWorks Server administrator can set the passwords for admin and guest users during installation. Contact the CiscoWorks Server administrator if you do not know the password for admin.
Understanding Security Levels
System administrators determine user security levels when users are granted access to CiscoWorks. When users are granted logins to the CiscoWorks application, they are assigned one or more roles.
A role is a collection of privileges that dictate the type of system access you have. A privilege is a task or operation defined within the application. The set of privileges assigned to you, defines your role and dictates how much and what type of system access you have.
The user role or combination of roles, dictates which tasks are presented to the users. Table 3-1 shows the security levels.
Table 3-1 Security Levels
Level   Description
0       Help Desk
1       Approver
2       Network Operator
4       Network Administrator
8       System Administrator
16      Export Data
For information on tasks that can be performed with each role, see the “Permissions Report” section on page 3-46.
See also “About Common Services Authentication” section on page 3-21. Other roles are displayed, depending on your applications.
Setting up Local Users
Local User Setup feature helps you in:
Modifying Your Profile
Adding a User
Editing User Profiles
Deleting a User
For information on tasks that can be performed with each role, see the “Permissions Report” section on page 3-46.
Modifying Your Profile
To edit your profile:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Local User Setup.
The Local User Setup page appears.
Step 2 Click Modify me to modify the logged in user credentials.
Step 3 Enter the password in the Password field.
Step 4 Re-enter the password in the Verify field.
Step 5 Enter the e-mail ID in the E-mail field.
Step 6 Click OK.
Adding a User
You can add further users into CiscoWorks as required. To add a user:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Local User Setup.
The Local User Setup page appears.
Step 2 Click Add.
The User Information dialog box appears.
Step 3 Enter the username in the Username field.
Step 4 Enter the password in the Password field.
Step 5 Re-enter the password in the Verify field.
Step 6 Enter the e-mail ID in the E-mail field.
Step 7 In the Roles pane, select the check box corresponding to the role to specify the roles to be assigned to the user. The following roles are available:
Help Desk (available by default)
Approver
Network Operator
Network Administrator
System Administrator
Export Data
See the “About Common Services Authentication” section on page 3-21 for more details.
Editing User Profiles
You can edit the user profiles to modify the roles assigned to the users. To edit user profiles:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Local User Setup.
The Local User Setup page appears.
Step 2 Click Edit.
The User Information dialog box appears.
Step 3 Enter the username in the Username field.
Step 4 Enter the password in the Password field.
Step 5 Re-enter the password in the Verify field.
Step 6 Enter the e-mail ID in the E-mail field.
In the Roles pane, select or deselect the check box corresponding to the role to change the role to be assigned to the user.
Deleting a User
To delete a user:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Local User Setup.
The Local User Setup page appears.
Step 2 Select the check box corresponding to the user.
Step 3 Click Delete.
A confirmation dialog box appears.
Step 4 Click OK to confirm.
Creating Self Signed Certificate
CiscoWorks allows you to create a security certificate used to enable SSL communication between your client browser and the management server.
Self signed certificates are valid for five years from the date of creation. When the certificate expires, the browser prompts you to install the certificate again from the server where you have installed CiscoWorks.
Note: If you regenerate the certificate when you are in multi-server mode, any existing peer relation might break. The peers need to re-import the certificate in this scenario.
To create a certificate:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Certificate Setup.
The Certificate page appears.
Step 2 Enter the values required for the fields described in the following table:
Field: Usage Notes
Country Name: Two character country code.
State or Province: Two character state or province code or the complete name of the state or province.
Locality: Two character city or town code or the complete name of the city or town.
Organization Name: Complete name of your organization or an abbreviation.
Organization Unit Name: Complete name of your department or an abbreviation.
Host Name: DNS name of the computer or the IP address of the computer. Enter the Host Name with a proper domain name. This is displayed on your certificate (whether self-signed or third party issued). Local host or 127.0.0.1 should not be given.
Email Address: E-mail address to which the mail has to be sent.
Step 3 Click Apply to create the certificate.
The process generates the following files:
server.key: Server's private key.
server.crt: Server's self-signed certificate.
server.pk8: Server's private key in PKCS#8 format.
server.csr: Certificate Signing Request (CSR) file.
You can use the CSR file to request a security certificate, if you want to use a third party security certificate.
If the certificate is not a Self signed certificate, you cannot modify it.
Managing Security in Multi-Server Mode
Communication between peer servers that are part of a multi-server domain has to be secure. In multi-server mode, the server is configured as DCR Master/Slave or SSO Master/Slave. In a multi-server scenario, secure communication between peer CiscoWorks Servers is enabled using certificates and shared secrets.
You have to copy certificates between the CiscoWorks Servers. In addition, you have to generate a shared secret on one server, and configure it on the other servers that need to communicate with the server. The shared secret is tied to a particular CiscoWorks user (for authorization).
See the following sections to understand more about the features that enable secure communication between peer servers that are part of a multi-server domain:
Setting up Peer Server Account
Setting up System Identity Account
Setting up Peer Server Certificate
Enabling Single Sign-On
Setting up Peer Server Account
Peer Server Account Setup helps you create users who can programmatically log in to CiscoWorks Servers and perform certain tasks. These users should be set up to enable communication between multiple CiscoWorks Servers. Users created using Peer Server Account Setup can authenticate processes running on remote CiscoWorks Servers.
In ACS mode, the user created with Peer Server Account Setup needs to be configured in ACS, with all the privileges that user has in CiscoWorks.
See the “Master-Slave Configuration Prerequisites” section on page 4-27 to know more about the usage of this feature.
You can add a Peer Server user, edit user information and role, and delete a user. To add a Peer Server user:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Peer Server Account Setup.
Step 2 Click Add.
The Peer Server Account Setup page appears.
Step 3 Enter the username in the Username field.
Step 4 Enter the password in the Password field.
Step 5 Re-enter the password in the Verify field.
Step 6 Click OK.
To edit user information:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Peer Server Account Setup.
Step 2 Click Edit.
The Peer Server Account Setup page appears.
Step 3 Enter the password in the Password field.
Step 4 Re-enter the password in the Verify field.
Step 5 Click OK.
To delete a user:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Peer Server Account Setup.
The Peer Server Account Setup page appears.
Step 2 Select the check box corresponding to the user you want to delete.
Step 3 Click Delete.
The confirmation dialog box appears.
Step 4 Click OK to confirm.
Setting up System Identity Account
Communication between multiple CiscoWorks Servers is enabled by a trust model addressed by certificates and shared secrets. System Identity setup helps you to create a “trust” user on servers that are part of a multi-server setup. This user enables communication between servers that are part of a domain.
There can only be one System Identity User for each machine. The System Identity User you configure must be a Peer Server User. In Non-ACS mode, the System Identity User you create must be a Local User, with System Administrator privileges. In ACS mode, the System Identity user should be configured in ACS, with all the privileges the user has in CiscoWorks.
The CiscoWorks installation program allows you to have the admin user configured as the default System Identity User.
For the admin user to work as a System Identity User, the same password should be configured on all machines that are part of the domain, while installing CiscoWorks on the machines that are part of that domain. If this is done, the user admin serves the purpose of System Identity user. See Installation Guide for Common Services 3.0 for details.
However, you can create a System Identity User from the Common Services UI too (Common Services > Server > Security > System Identity Setup UI).
If you create a System Identity User, the default System Identity User, admin, will be replaced by the newly created user.
While you create the System Identity User, Common Services checks whether:
The user is a Local User with all privileges. If the user is not present, or if the user does not have all privileges, an error message appears.
The System Identity User is also a Peer Server User. If not, the user will automatically be made a Peer Server User too.
For peer to peer communication to work in a multi-server domain, you have to configure the same System Identity User on all the machines that are part of the domain.
For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on all the other servers, S2, S3, and S4, to enable communication between them.
See the “Master-Slave Configuration Prerequisites” section on page 4-27 and the “Enabling Single Sign-On” section on page 3-15 to know more on the usage of this feature.
To add a System Identity user:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > System Identity Setup.
Step 2 Enter the username in the Username field.
Step 3 Enter the password in the Password field.
Step 4 Re-enter the password in the Verify field.
Step 5 Click Apply.
Setting up Peer Server Certificate
You can add the certificate of another CiscoWorks Server into its trusted store. This will allow one CiscoWorks Server to communicate with another. If a CiscoWorks Server needs to communicate with another CiscoWorks Server, it must possess the Certificate of the other server. You can add Certificates of any number of peer CiscoWorks Servers to the trusted store.
To add peer CiscoWorks Server certificates:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Peer Server Certificate Setup.
The Peer Server Certificate page appears with a list of certificates imported from other servers.
Step 2 Click Add.
Step 3 Enter the IP address/hostname of peer CiscoWorks Server in the corresponding fields.
Step 4 Enter the value of the Non-SSL(HTTP) Port of the peer CiscoWorks Server.
The default Non-SSL(HTTP) Port of the peer CiscoWorks Server is 1741.
Step 5 Click OK.
Deleting Peer Certificates
To delete peer certificates:
Step 1 Select the check box corresponding to the certificate you want to delete.
Step 2 Click Delete.
You can also view the details of the client certificates. For this, select the check box corresponding to the certificate and click View.
Enabling Single Sign-On
With Single Sign-On (SSO), you can use your browser session to transparently navigate to multiple CiscoWorks Servers without authenticating to each of them. Communication between multiple CiscoWorks Servers is enabled by a trust model addressed by Certificates and shared secrets.
The following tasks need to be done initially:
One of the CiscoWorks Servers should be set up as the authentication server.
Trust should be built between the CiscoWorks Servers, using self signed certificates. A trusted certificate is created by adding it in the trust key store of the server. CiscoWorks TrustStore or KeyStore is maintained by the certificate management framework in Common Services.
Each CiscoWorks Server should set up a shared secret with the authentication server. The System Identity user password acts as a secret key for SSO.
The SSO authentication server is called the Master, and the SSO regular server is called the Slave.
The following tasks should be performed if the server is either configured as Master or Slave.
Configure the System Identity User and password in both Master and Slave.
The System Identity User name and password you specify in Master and Slave should be the same.
Configure Master’s Self Signed Certificate in Slave.
To set up System Identity User:
Step 1 Select Common Services > Server > Security > System Identity Setup.
Step 2 Enter the username and password.
Step 3 Click Apply.
SSO uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave.
It is sufficient to have the same System Identity User passwords in Master and Slave, without having the same user name.
We recommend that you have the same user name and password across Master and Slave.
To configure the Master’s Self Signed Certificate in the Slave, select Common Services > Server > Security > Peer Server Certificate Setup > Add.
The CN present in the certificate should match the Master server name. Otherwise, it is not considered a valid certificate.
Navigating Through the SSO Domain
The Authentication Server and all Regular Servers that are configured on this Authentication Server form an SSO domain. If you log in to any of the servers that are part of the same SSO domain, you can launch any other server that is part of the domain.
You can navigate through the SSO domain in two ways:
Registering Server Links
Launching a new Browser Instance
Registering Server Links
You can register the links of servers that are part of the SSO domain, in any of the servers, using the Link registration feature. See the “Registering Links With CWHP” section on page 2-11.
The registered links will appear either under Third Party or Custom tools, depending on what you specify during registration. If you click on the registered link, it launches the page corresponding to the registered link.
You must specify the URL, with the context, while registering the server link. For example, let ABC and XYZ be part of the same SSO domain. You can register the link for ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do
If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do
In the above example, clicking on the registered link will launch the CiscoWorks Homepage of server ABC.
Launching a new Browser Instance
After logging in to any of the servers that are part of the SSO domain, you can open a new browser instance from that server and provide the URL of any other server in the SSO domain to which you need to navigate.
Note: We recommend that you do not use the IP address of the servers that are part of SSO, or localhost, while specifying the URL.
Suppose ABC and XYZ are part of an SSO domain.
Step 1 Log in to ABC.
Step 2 Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser window.
Step 3 Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do), of XYZ in the new browser instance. This launches the CiscoWorks Homepage of XYZ directly.
Changing the Single Sign-On Mode
The Common Services server can be configured for Single Sign-On (SSO). It can also be configured to be in Standalone mode (Normal mode, without SSO).
When the server is configured for SSO, it can either be in:
Master mode: The SSO Authentication Server does the authentication and sends the result to the Regular Server. Change the SSO mode to Master, if log in is required for all SSO regular servers. Login requests for all the SSO regular servers will be served from the Master.
Slave mode: SSO Regular server for which authentication is done at the Master.
Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If the server is configured as an SSO Regular server (Slave), you should provide the following details:
Master server name
Login Port of the Master (443)
If you change the name of the server configured as the Master, in the /etc/hosts file, you must restart Daemon Manager for the name resolution to reflect in the Slave.
To change the SSO mode to Standalone:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Single Sign-On.
The Single Sign-On Configuration page shows the current Single Sign-On mode.
Step 2 Click Change Mode.
Step 3 Select Standalone (Normal) radio button.
Step 4 Click Apply.
To change the SSO mode to Master:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Single Sign-On.
The Single Sign-On Configuration page shows the current Single Sign-On mode.
Step 2 Click Change Mode.
Step 3 Select the Master (SSO Authentication Server) radio button.
Step 4 Click Apply.
To change the SSO mode to Slave:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Single Sign-On.
The Single Sign-On Configuration page shows the current Single Sign-On mode.
Step 2 Click Change Mode.
Step 3 Select the Slave (SSO Regular Server) radio button.
Step 4 Enter the Master server name and port number.
If you select the Slave mode, ensure that you specify the Master server name and port. The default port is 443. The server configured as master (or Authentication Server) should be DNS resolvable.
Step 5 Click Apply.
It checks whether:
The System Identity user password of the Slave matches that of the Master.
The Self Signed Certificate of the Master is added as the peer certificate in the Slave. The CN present in the certificate should match the Master server name.
The Master is up and running on the specified port.
In case these checks fail, you are prompted to perform these steps, before proceeding.
Setting up the AAA Mode
The CiscoWorks Server provides mechanisms used to authenticate users for CiscoWorks applications.
CiscoWorks login modules allow administrators to add new users using a source of authentication other than the native CiscoWorks Server mechanism (that is, the CiscoWorks Local login module). You can use Cisco Secure ACS services for this purpose (see Setting the Login Module to ACS).
However, many network managers already have a means of authenticating users. To use your current authentication database for CiscoWorks authentication, you can select a login module (NT, UNIX, TACACS+, Radius, and others).
After you select and configure a login module, all authentication transactions are performed by that source.
The CiscoWorks Server determines user roles. Therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role).
To assign a user to a different role, such as the System Admin role, you must configure the user locally. Such users must have the same user ID locally, as they have in the alternative authentication source. Users log in with the user ID and password associated with the current login module.
CiscoWorks Common Services supports two AAA modes:
Non-ACS
ACS
To use ACS mode, you must have a Cisco Secure ACS (Access Control Server) installed on your network. Common Services 3.0 supports the following versions of Cisco Secure ACS for Windows Server:
Cisco Secure ACS 3.2
Cisco Secure ACS 3.2.3
Cisco Secure ACS 3.3.2
We recommend that you install the Admin HTTPS PSIRT patch, if you are using ACS 3.2.3.
To install the patch:
Go to http://www.cisco.com/kobayashi/sw-center/ciscosecure/cs-acs.shtml
Click the Download CiscoSecure ACS Software (Windows) link. You can find the link to the Admin HTTPS PSIRT patch in the table.
See the “Setting the Login Module to Non-ACS” section on page 3-24 and the “Setting the Login Module to ACS” section on page 3-35 for details on usage of the login modules.
About Common Services Authentication
By default, CiscoWorks Common Services uses CiscoWorks Server authentication (CiscoWorks Local) to authenticate users, and authorize them to access CiscoWorks Common Services applications.
After authentication, your authorization is based on the privileges that have been assigned to you. A privilege is a task or an operation defined within the application. The set of privileges assigned to you defines your role. It dictates how much, and what type of, system access you have.
The CiscoWorks Server authentication scheme has five default roles. They are listed here from the least privileged to most privileged:
Help Desk: Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network.
Approver: Can approve all tasks.
Network Operator: Can do all Help Desk tasks. Can do tasks related to network data collection. Cannot do any task that requires write access on the network.
Network Administrator: Can do all Network Operator tasks. Can do tasks that result in a network configuration change.
System Administrator: Can perform all CiscoWorks system administration tasks.
If you configure Common Services to use Non-ACS for authentication, authorization services are provided by CiscoWorks Server.
In Non-ACS mode, you cannot change the roles, or the privileges assigned to these roles. However, a user can be assigned a combination of these roles. See the “Setting up Local Users” section on page 3-6.
In ACS mode, you can create custom roles so that you can customize Common Services client applications to best suit your business workflow and needs.
That is, you can create a user and assign the user a set of privileges that suits your needs. See the “Assigning Privileges in ACS” section on page 3-38 and the “Creating and Modifying Roles in ACS” section on page 3-39 for details.
Cisco Secure ACS Support for Common Services Client Applications
CiscoSecure ACS provides authentication, authorization, and accounting services to network devices that function as AAA clients. CiscoSecure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.
Cisco Secure ACS supports Common Services client applications by providing command authorization for network users who use the management application to configure managed network devices.
Command authorization for client application users is supported using unique command authorization set types for each client application configured to use Cisco Secure ACS for authorization.
Cisco Secure ACS uses TACACS+ to communicate with client applications. For a client application to communicate with Cisco Secure ACS, you must configure it in Cisco Secure ACS as an AAA client that uses TACACS+.
Also, you must provide the client application with a valid administrator name and password. When a client application initially communicates with Cisco Secure ACS, these requirements ensure the validity of the communication.
Additionally, the administrator (used by the client application) must have the Create New Device Command Set Type privilege enabled. When a client application initially communicates with Cisco Secure ACS, it makes the Cisco Secure ACS create a new device command set type.
This new device command set type appears in the Shared Profile Components section of the HTML interface. It also dictates a custom service to be authorized by TACACS+. The custom service appears on the TACACS+ page in the Interface Configuration section of the HTML interface.
After the client application has dictated the custom TACACS+ service and device command set type to Cisco Secure ACS, you can configure command authorization sets for each role supported by the client application.
You can then apply those sets to user groups that contain network administrators or to individual users who are network administrators.
For more information about configuring Cisco Secure ACS administrators, users, and command authorization sets, see the User Guide for Cisco Secure ACS for Windows Server Version 3.3 on Cisco.com, or the CiscoSecure ACS Online Help.
Detailed information about the various configuration options appears in the Cisco Secure ACS documentation.
Setting the Login Module to Non-ACS
The Login Module defines how authorization and authentication are performed. To set the login module to Non-ACS mode:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > AAA Mode Setup.
Step 2 Select the Non-ACS radio button.
The Login Module window displays the current login module, and the available login modules. The available login modules are:
CiscoWorks Local
IBM SecureWay Directory
KerberosLogin
Local UNIX System
Local NT System
MS Active Directory
Netscape Directory
Radius
TACACS+
The login username is case sensitive when you use the following Non-ACS login modules:
KerberosLogin
Local UNIX System
Netscape Directory
Radius
TACACS+
Changing Login Module to CiscoWorks Local
To change the login module to CiscoWorks Local:
Step 1 Select the CiscoWorks Local radio button.
Step 2 Click Change.
The Login Module Options popup window appears.
Step 3 Set the Debug option to False.
Set it to True for debugging purposes, when requested by your customer service representative.
Changing Login Module to IBM SecureWay Directory
The IBM SecureWay Directory login module implements Lightweight Directory Access Protocol (LDAP). Before a user can log in, a user's account is set up in the LDAP server. The user's account has two fields, Distinguished name and password.
A Distinguished name is made up of three parts, Prefix, User login, and Usersroot. Userroot is queried for the username during login and the Distinguished name is automatically created.
If the user is not found, then the Distinguished name is created by appending Prefix + login name + Usersroot.
For example, a Distinguished name could be represented as: uid=John ou=embu o=cisco.com, where the Prefix is uid=, the login name is John, and the Usersroot is ou=embu, o=cisco.com.
To change the login module to IBM SecureWay Directory:
Step 1 Select the IBM SecureWay Directory radio button.
Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: IBM SecureWay Directory
Description: CiscoWorks IBM LDAP module.
Server: Default set to ldap://ldap.company.com.
Userroot: Default set to ou=active, ou=employees, ou=people, o=company
Prefix: Default set to cn=
Debug: Set to false. Set to true for debugging purposes, when requested by your customer service representative.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Step 3 Click OK.
Changing Login Module to KerberosLogin
Kerberos provides strong authentication for client/server applications by using secret-key cryptography.
To change the Login Module to KerberosLogin:
Step 1 Select the KerberosLogin radio button.
Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: KerberosLogin
Description: Kerberos login module.
Debug: Set to False. Set to True for debugging purposes, when requested by your customer service representative.
Realm: The Kerberos realm name. Although the realm can be any ASCII string, the convention is to make it the same as your domain name, in upper-case letters. For example, SERVER.COM.
KDC: The Kerberos Key Distribution Center. For example, my_kdc.server.com.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Step 3 Click OK.
Changing Login Module to Local Unix System
This option is available only on Unix systems. To change the login module to Local Unix System:
Step 1 Select the Local Unix System radio button.
Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: Local UNIX System.
Description: CiscoWorks native Solaris module.
Debug: Set to False. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Step 3 Click OK.
Changing Login Module to Local NT System
This option is available only on Windows. To change the login module to Local NT System:
Step 1 Select Local NT System radio button.
Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: Local NT System.
Description: CiscoWorks native NT login module.
Debug: Set to False. Set to True for debugging purposes, when requested by your customer service representative.
Domain: Set to localhost.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Step 3 Click OK.
Changing Login Module to MS Active Directory
The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP). Before a user can log in, a user's account is set up in the LDAP server. The user's account has two fields, Distinguished name and password.
A Distinguished name is made up of three parts, Prefix, User login, and Usersroot. The user login is appended when the user logs in so the Distinguished name is Prefix+login name+Usersroot.
For example, a Distinguished name could be represented as: cn=John dc=embu dc=cisco, where the Prefix is cn=, the login name is John, and the Usersroot is dc=embu, dc=cisco.
To change login module to MS Active Directory:
Step 1 Select MS Active Directory radio button. Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: MS Active Directory.
Description: CiscoWorks MS Active Directory module.
Server: Default set to ldap://ldap.company.com.
Usersroot: Default set to cn=users, dc=servername, dc=company, dc=com. If you are using Windows 2003 Active Directory, you have to provide the complete Usersroot information. This is because Windows 2003 Active Directory implementation has disabled anonymous search requests.
Prefix: Default set to cn=
Debug: Set to False. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Step 3 Click OK.
Changing Login Module to Netscape Directory
The Netscape Directory login module implements Lightweight Directory Access Protocol (LDAP). Before a user can log in, the user's account must be set up in the LDAP server. The user's account has two fields: Distinguished name and password.
A Distinguished name is made up of three parts: Prefix, User login, and Usersroot. Usersroot is queried for the username during login and the Distinguished name is automatically created. If the user is not found, then the Distinguished name is created by appending Prefix + login name + Usersroot.
For example, a Distinguished name could be represented as: uid=John ou=embu o=cisco.com, where the Prefix is uid=, the login name is John, and the Usersroot is ou=embu, o=cisco.com.
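The Prefix + login name + Usersroot construction described for the MS Active Directory and Netscape Directory modules, as an added Python example (not CiscoWorks code): the login name is escaped per RFC 4514 before concatenation, so characters such as a comma in a user-supplied name cannot change the structure of the resulting DN. All function names, and the comma inserted between the login name and the Usersroot, are assumptions made for this illustration.

```python
# Added example: build a bind DN as Prefix + login name + Usersroot,
# escaping the login name per RFC 4514. Not taken from CiscoWorks.
import re

# Characters RFC 4514 requires escaping wherever they occur in a value.
_ALWAYS_ESCAPE = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape a login name for use as an RDN attribute value."""
    if not value:
        raise ValueError("login name must not be empty")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")  # NUL is written as a hex pair
        elif ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(prefix: str, login: str, usersroot: str) -> str:
    """Prefix (e.g. 'cn=') + escaped login name + ',' + Usersroot."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=", prefix):
        raise ValueError("Prefix must be an attribute type followed by '='")
    return f"{prefix}{escape_rdn_value(login)},{usersroot.strip()}"


def naive_bind_dn(prefix: str, login: str, usersroot: str) -> str:
    """Plain concatenation without escaping, shown only for comparison."""
    return f"{prefix}{login},{usersroot.strip()}"


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas into its components."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).lstrip())
    return parts


if __name__ == "__main__":
    # Usersroot values are the ones used in the examples on this page.
    for login in ("John", "Smith, John"):
        safe = build_bind_dn("cn=", login, "dc=embu, dc=cisco")
        naive = naive_bind_dn("cn=", login, "dc=embu, dc=cisco")
        print(f"{login!r}: escaped has {len(split_rdns(safe))} components, "
              f"unescaped has {len(split_rdns(naive))}")
```

With escaping, every login name yields exactly one leading component in front of the configured Usersroot; the unescaped form gains an extra component as soon as the name contains a comma.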
To change the login module to Netscape Directory:
Step 1 Select Netscape Directory radio button.
Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: Netscape Directory.
Description: CiscoWorks Netscape LDAP module.
Server: Default set to ldap://ldap.company.com.
Usersroot: Default set to ou=active, ou=employees, ou=people, o=company.com.
Prefix: Default set to uid=
Debug: Set to False. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Step 3 Click OK.
Changing Login Module to Radius
To change the login module to Radius:
Step 1 Select Radius radio button.
Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: Radius.
Description: CiscoWorks Radius module.
Server: Set to module type servername, radius.company.com.
Port: Set to 1645. Attempt to override it only if your authentication server was configured with a non-default port.
Key: Enter the secret key.
Debug: Set to False. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Step 3 Click OK.
Changing Login Module to TACACS+
To change the login module to TACACS+:
Step 1 Select TACACS+ radio button.
Step 2 Click Change.
The Login Module Options popup window appears with the following details:
Field: Description
Selected Login Module: TACACS+.
Description: CiscoWorks TACACS+ login module.
Server: Set to module type tacacs.company.com
Port: Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Secondary Server: Set to module type tacacs.company.com. This is the secondary fallback server.
Secondary Port: Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Tertiary Server: Set to module type tacacs.company.com. This is the tertiary fallback server.
Tertiary Port: Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Key: Enter the secret key.
Debug: Set to False. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options: Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Note The values true or false should not be entered in the Server, Secondary Server and Tertiary Server fields, the corresponding Port fields or the Key field.
Step 3 Click OK.
After you change the login module, you do not have to restart CiscoWorks. A user who logs in after the change automatically uses the new module. Changes to the login module are logged at the following location:
$NMSROOT/MDC/Tomcat/logs/stdout.log
Understanding Fallback Options for Non-ACS mode
Fallback options allow you to access the software if the login module fails, or if you accidentally lock yourself or others out. There are three login module fallback options. These are available on all platforms. Table 3-2 gives details:
Table 3-2 Login Module Fallback Options
Option: Allow all CiscoWorks Local users to fall back to the CiscoWorks Local login.
Description: All users can access CiscoWorks using the Local login if the current login module fails.
Option: Allow only the following user(s) to fall back to the CiscoWorks Local login if preceding login fails: username.
Description: Specified users can access CiscoWorks using the Local login if the current login module fails. Use commas between user names.
Option: Allow no fall backs to the CiscoWorks Local login.
Description: No access is allowed if the current login module fails.
Setting the Login Module to ACS
The Login Module determines the type of authentication and authorization Common Services uses. By default, the login module is set to local authentication and authorization.
You can change this default value to use Cisco Secure ACS for user authentication and authorization.
When you change the login module to ACS, ensure that:
The CiscoWorks Server is added as an AAA client in the ACS server. For the first time, it can be done at the Network Configuration UI in ACS server. You can add the host (with IP Address), and configure the secret key there.
The same secret key should be entered in the AAA Mode Setup dialog box.
The username you enter while logging in to CiscoWorks is a valid ACS user name. In ACS mode, authentication takes place from the ACS server.
To set the login module to ACS:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > AAA Mode Setup.
The AAA Mode Setup page appears with the AAA Mode Setup dialog box.
Step 2 Select the ACS radio button.
Step 3 In the Server details panel, enter:
Primary IP Address/Hostname
Secondary IP Address/Hostname
Tertiary IP Address/Hostname
and the corresponding ACS TACACS+ port numbers. The default port is 49. Secondary and Tertiary IP address/hostname details are optional.
The values true and false will not be accepted in the Primary, Secondary, and Tertiary IP Address/Hostname fields.
Step 4 In the login panel, enter:
ACS Admin Name
ACS Admin Password
ACS Shared Secret Key
Also, re-enter the ACS admin password and the ACS shared secret key in the Verify fields.
The values true and false will not be accepted in the above fields.
Step 5 Select Register all installed applications with ACS to register all the installed applications with the ACS server.
Note In case an application is already registered with ACS, the current registration will overwrite the previous one.
Step 6 Click Apply.
Step 7 Restart the Daemon Manager:
On Windows:
a. Enter net stop crmdmgtd
b. Enter net start crmdmgtd
On Solaris:
a. Enter /etc/init.d/dmgtd stop
b. Enter /etc/init.d/dmgtd start
Select the Connect to ACS in HTTPS mode check box in the Login Module dialog box, if ACS is in HTTPS mode.
Note You must enable ACS communication on HTTPS if ACS is in HTTPS mode.
Primary, Secondary, and Tertiary servers should use the same protocol. All of them should either operate in HTTP mode, or HTTPS mode.
The Primary, Secondary, and Tertiary servers must have the same configuration. For Primary, Secondary, and Tertiary servers, the ACS Admin Name, the ACS Admin Password, and the ACS Shared Secret Key should be the same.
AAA clients, Network Device Groups (NDGs), users, groups, registered applications, and custom roles must be the same across Primary, Secondary, and Tertiary servers.
Common Services supports SSL and non-SSL modes of communication with the ACS server. TACACS+ is used for AAA requests. HTTP/HTTPS mode is used for application registration, and device or device group import/export tasks.
Assigning Privileges in ACS
You have to ensure that the user has been assigned the proper privileges in ACS mode.
To assign the privileges to the user if ACS is configured to use group authentication:
Step 1 In Cisco Secure ACS, go to Group Setup.
Step 2 Select the group to which the user belongs, from the Group drop-down list.
Step 3 Click Edit Settings.
A page appears with the group settings.
Step 4 Scroll down to CiscoWorks. There are three options:
None: Authorization will fail for any task.
Assign a Ciscoworks for any network device.
Select the desired role from the drop-down list. The user can execute the tasks that are assigned to the chosen role, on every device.
Assign a Ciscoworks on a per Network Device Group Basis.
Select the device group from the Device Group drop-down list. Choose the role you want to associate with the group. The user can execute the tasks that are assigned to the chosen roles on the chosen device groups.
Step 5 Select any of the options, based on the required security level.
To assign the privileges if ACS is configured to use user authentication:
Step 1 In Cisco Secure ACS, go to User Setup.
Step 2 Enter the user name and click Add/Edit.
Or, click List all Users and click the required user link from the User List.
A page appears with the user details and settings.
Step 3 Scroll down to CiscoWorks. There are four options:
None: Authorization will fail for any task.
As Group: The privileges applicable to the group that the user is part of.
Assign a Ciscoworks for any network device.
Select the desired role from the drop-down list. The user can execute the tasks that are assigned to the chosen role, on every device.
Assign a Ciscoworks on a per Network Device Group Basis.
Select the device group from the Device Group drop-down list. Choose the role you want to associate with the group. The user can execute the tasks that are assigned to the chosen roles on the chosen device groups.
Step 4 Select any of the options, based on the required security level.
Creating and Modifying Roles in ACS
In ACS, you can create new roles or modify existing roles.
To create a new role:
Step 1 Go to Cisco Secure ACS.
Step 2 Select Shared Profile Components > CiscoWorks Common Services. The Shared Profile Components page appears.
Step 3 Click Add.
Step 4 Enter the name and description for the new role.
Step 5 Select the required Common Services tasks that you need to associate with the role. Tasks are displayed as a checklist tree on the left pane of the ACS UI.
If you select an expandable check box node, all check boxes within that node are selected.
If you select the first check box in the checklist tree, all check boxes in the checklist tree are selected.
Step 6 Click Submit.
To edit an existing role:
Step 1 Go to Cisco Secure ACS.
Step 2 Select Shared Profile Components > CiscoWorks Common Services. The Shared Profile Components page appears.
Step 3 Select the role you need.
The Shared Profile Components page displays the Edit dialog box.
Step 4 Select the Common Services tasks that you need to associate with the role.
If you want to remove any task associated with the role, deselect the check box corresponding to the task.
Step 5 Click Submit.
To delete a role:
Step 1 Go to Cisco Secure ACS.
Step 2 Select Shared Profile Components > CiscoWorks Common Services.
The Shared Profile Components page appears.
Step 3 Select the role you need to delete.
The Shared Profile Components page displays the Edit dialog box.
Step 4 Click Delete.
We recommend that you do not assign roles to the DEFAULT device group. When DEFAULT (unassigned device group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen.
To assign the proper role, the network access server (NAS) should be added in the device groups other than DEFAULT.
You should log in as a user that has been created on the ACS server. If you log in as a user configured in Common Services, say admin, you will get authenticated.
However, if the user is not configured in the ACS server, authorization will fail. In case of users other than Admin, even authentication will not happen.
If you add or change device information in the Network Device Group, the change will not be immediately propagated to Common Services. For the changes to get updated in Common Services (when in ACS mode) you have to re-login to Common Services.
You can assign only one role to a user in ACS, to operate on the same NDG. If a user requires privileges other than those associated with the current role, to operate on an NDG, a custom role should be created. All necessary privileges to enable the user to operate on the NDG should be given to this role.
For example, if a user needs to have Approver and Network Operator privileges to operate on NDG1, you can create a new role with Network Operator and Approver privileges, and assign the role to the user so that he can operate on NDG1.
We recommend that you have a maximum of 50 NDGs and 50000 devices in ACS. If the number of NDGs or devices exceeds these limits, performance may be affected.
Resetting Login Module
If there is an authorization failure with ACS server, most of the Common Services features will be disabled.
To recover, you have to reset the login module. To do this:
Step 1 Stop the Daemon Manager using:
net stop crmdmgtd (For Windows)
or
/etc/init.d/dmgtd stop (For Solaris)
Step 2 Run the following script:
NMSROOT/bin/perl ResetLoginModule.pl (For Windows)
or
/opt/CSCOpx/bin/perl ResetLoginModule.pl (For Solaris)
Step 3 Start the Daemon Manager using:
net start crmdmgtd (For Windows)
or
/etc/init.d/dmgtd start (For Solaris)
This resets the login module to CiscoWorks local mode.
Multiple instances of same application using same ACS server will share settings. Any changes will affect all instances of that application.
If an application is configured with ACS, and then the application is reinstalled, the application will inherit the old settings.
Understanding Fallback Options for ACS Mode
The fallback option in ACS mode is different from that in Non-ACS mode. Here, fallback is provided only for authentication. If authentication with ACS fails, authentication is tried with CiscoWorks local mode.
If it succeeds, you are allowed to change the login module to Non-ACS mode, provided you have permission to do that operation in Non-ACS mode. You will not be allowed to log in if the authentication fails in CiscoWorks local mode.
If you log in using fallback mode, you will be presented with a dialog box with instructions to change the login mode to CiscoWorks local.
To change the login mode:
Step 1 Go to Common Services > Server > Security > AAA Mode Setup > CiscoWorks Local.
Step 2 Click Change.
You need to have proper permission to change the login mode. Otherwise the Change button will be disabled.
To add the fallback users in ACS, the admin should:
Step 1 Select Non-ACS mode.
Step 2 Select Tacacs+ and click Change.
Step 3 Specify the fallback users in Login fallback options field.
Step 4 Click OK.
Step 5 Select ACS mode.
Step 6 Enter the required values. See Setting the Login Module to ACS section on page 3-35, for details.
Step 7 Click Apply.
Managing Cisco.com Connection
Certain Software Center features require Cisco.com access. This means that CiscoWorks must be configured with a Cisco.com account which is to be used when downloading new and updated packages.
Setting up Cisco.com User Account
To set up Cisco.com login account:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Cisco.com User Account Setup.
The Cisco.com Login dialog box appears.
Step 2 Enter the Username, and Password.
Step 3 Re-enter Password in the Verify Password field.
Step 4 Click Apply.
Setting Up the Proxy Server
You can update the proxy server configuration using the Proxy Server set up option.
To update your proxy server configuration:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Security > Proxy Server Setup.
The Proxy Information dialog box appears.
Step 2 Enter the Proxy Server host name or IP address, and the port number.
Step 3 Click Apply.
Generating Reports
Common Services includes a Report Generator that provides detailed reports on log file status, roles and privileges, users currently logged in, and processes that are currently running.
The following reports are available:
Log File Status Report
Permissions Report
Users Logged In Report
Process Status Report
Viewing Audit Log Report
The following sections describe how to launch these reports, and explain each report.
Log File Status Report
The Log File Status Report provides information on log file size and file system utilization.
To generate the log file status report:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Reports.
The Reports page appears.
Step 2 From the Available Reports pane, select Log File Status.
Step 3 Click Generate Report.
The Log File Status Report appears with the following details:
Item: Description
Log File: Name of the log file.
Location: Location of the log file.
File Size: Current size of the log file. File size displayed in Red means the size has exceeded the limit.
Size Limit: Maximum size a log file can have.
File System Utilization: File system utilization in percentage. Value if displayed in Red means the size has exceeded the limit.
Permissions Report
The Permissions Report provides information on roles and privileges associated with the roles. It specifies the tasks that a user in a particular role can perform.
A privilege is a task or an operation defined within the application. The set of privileges assigned to you defines your role and dictates how much, and what type of, system access you have.
To generate the Permissions Report:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Reports.
The Reports page appears.
Step 2 From the Available Reports pane, select Permissions Report.
Step 3 Click Generate Report.
The Permissions Report appears with the following details:
Item: Description
Last Run Time: Last time the report was run.
Duration: Duration for which the report was run.
Device Scanned: Devices that were scanned.
Average Scan Time: Average time taken to scan each device.
Device with Changes: Devices that have changed state.
Description: Description of the task.
Task Path: Navigational path.
Role: Role required to perform the task.
Users Logged In Report
The Users Logged In Report provides information on users currently logged into Common Services.
To generate the Report:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Reports.
The Reports page appears.
Step 2 In the Available Reports pane, select Who is Logged On.
Step 3 Click Generate Report.
The Users Logged In report appears with the following information:
Item: Description
Status: Whether the user is online or offline.
User Name: User name
Roles: Shows the roles of the user.
IP address: IP address
Last Active: Date and time when the user was previously active.
Logged in: Time when the user previously logged in
Process Status Report
The Process Status Report shows the status of the processes running on the CiscoWorks Server.
To generate the Process Status Report:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Reports.
The Reports page appears.
Step 2 In the Available Reports pane, select Process Status.
Step 3 Click Generate Report.
The Process Status Report appears with the following information:
Item: Description
Process Name: Name of the process.
State: Current state of the process.
Pid: Process ID.
Start Time: Time at which the process started.
Stop time: Time at which the process stopped.
Viewing Audit Log Report
Audit log maintains the log of user logins into Common Services. In non-ACS mode, audit log report provides information on user logins to CiscoWorks Homepage and other applications launched from the Homepage. In ACS mode, audit log reports log messages maintained by ACS. Audit Logs are stored as comma-separated value lists (CSVs).
If you are using local authentication, the files are stored on the local server.
If you are using ACS authentication, the files are stored on the ACS server and you can view them from within both ACS and CiscoWorks Common Services.
To view Audit Log Report:
Step 1 Select Common Services > Server > Reports > Audit Log in the CiscoWorks Common Services navigation tree.
Step 2 Click Generate Report.
The Audit Log Data Viewer appears with a list of audit logs. The Audit Logs are listed in chronological order, with the most recent logs appearing at the top of the list. The logs are named and listed by the date on which they were created, for example Audit-Log-2004-10-27.csv.
Step 3 Click an Audit Log file link to view the audit log details.
Audit log report in Non-ACS mode:
Item: Description
Date: Date on which the activity is carried out.
Time: Time at which the activity is carried out.
User: The user who performed the activity.
Acct-Flags: The status of the activity. For example: start
Service: The application that the user accessed.
Cmd: The activity that was performed. For example: Logout
Reason: A description of the activity. For example: User admin logged out of cwhp
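A review of a Non-ACS audit log using the columns listed above, as an added Python example that is not part of CiscoWorks: it parses the CSV, counts logins and logouts per user, and reports sessions that were opened but never closed. The header row, the date and time formats, the Cmd value Login, the Acct-Flags value stop and every sample row are assumptions constructed for illustration; only the column names and the values start, Logout and cwhp come from this page.

```python
# Added example: summarize a Non-ACS audit log CSV per user.
import csv
import io
from collections import defaultdict
from datetime import datetime

# Column names taken from the Non-ACS audit log table on this page.
COLUMNS = ["Date", "Time", "User", "Acct-Flags", "Service", "Cmd", "Reason"]

# Constructed sample, not real CiscoWorks output. The header row and the
# MM/DD/YYYY and HH:MM:SS formats are assumptions.
SAMPLE_LOG = """\
Date,Time,User,Acct-Flags,Service,Cmd,Reason
10/27/2004,09:01:12,admin,start,cwhp,Login,User admin logged in to cwhp
10/27/2004,09:40:03,admin,stop,cwhp,Logout,User admin logged out of cwhp
10/27/2004,10:15:47,jdoe,start,cwhp,Login,User jdoe logged in to cwhp
10/27/2004,23:58:30,admin,start,cwhp,Login,User admin logged in to cwhp
"""


def parse_audit_log(text):
    """Return the log's events as dicts, sorted oldest first."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"audit log is missing columns: {missing}")
    events = []
    for row in reader:
        when = datetime.strptime(
            f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S"
        )
        events.append({
            "when": when,
            "user": row["User"],
            "service": row["Service"],
            "cmd": row["Cmd"].strip().lower(),
            "reason": row["Reason"],
        })
    events.sort(key=lambda e: e["when"])
    return events


def summarize_logins(events):
    """Count logins and logouts per user and track unclosed sessions."""
    summary = defaultdict(
        lambda: {"logins": 0, "logouts": 0, "open_sessions": 0, "last_seen": None}
    )
    for event in events:
        entry = summary[event["user"]]
        if event["cmd"] == "login":
            entry["logins"] += 1
            entry["open_sessions"] += 1
        elif event["cmd"] == "logout":
            entry["logouts"] += 1
            # A logout with no recorded login must not go negative.
            entry["open_sessions"] = max(0, entry["open_sessions"] - 1)
        entry["last_seen"] = event["when"]
    return dict(summary)


if __name__ == "__main__":
    for user, entry in sorted(summarize_logins(parse_audit_log(SAMPLE_LOG)).items()):
        print(f"{user}: {entry['logins']} login(s), {entry['logouts']} logout(s), "
              f"{entry['open_sessions']} open, last seen {entry['last_seen']}")
```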
Audit log report in ACS mode:
Item: Description
Date: Date on which the activity is carried out.
Time: Time at which the activity is carried out.
User_Name: The user who performed the activity.
Group_Name: The group to which the user belongs.
Cmd: The activity that was performed. For example: Logout.
Priv_Lv1: The privilege level of the user in ACS.
Service: The application that the user accessed. For Common Services, the value displayed is cwhp.
NAS_Portname: The NAS port name.
Task_Id: The unique identifier for the task.
NAS_IP_Address: The IP address of the CiscoWorks Server.
Reason: A description of the activity. For example: User admin logged out of cwhp
If you are using local authentication, the files are stored on the local server. If you are using ACS authentication, the files are stored on the ACS server and you can view them from within both ACS, and Common Services.
In ACS, you can add additional fields to be logged in the Report. This can be done at:
System Configuration > Logging > CSV TACACS+ Administration.
If a field added is of no relevance to CiscoWorks Common Services, its value will not be displayed in the Report.
To view the Audit Logs from ACS:
Step 1 Click Reports and Activity in the ACS Navigation bar.
A list of report types appears.
Step 2 Click TACACS+ Administration.
A list of Audit Logs appears. The Audit Logs are listed in chronological order, with the most recent logs appearing at the top of the list. The logs are named and listed by the date on which they were created, for example an Audit Log created on 14 October 2004 is named TACACS+ Administration 2004-10-14.
Note If you configure ACS to use Day/Month/Year format, an Audit Log created on 14 October 2004 is named TACACS+ Administration 2004-14-10.csv.
Administering Common Services
Common Services includes several administrative features to ensure that the server is performing properly. You can manage processes, set up backup parameters, update licensing information, collect server information, and manage jobs and resources.
Using Daemon Manager
The Daemon Manager provides the following services:
Maintains the startup dependencies among processes.
Starts and stops processes based on their dependency relationships.
Restarts processes if an abnormal termination is detected.
Monitors the status of processes.
The Daemon Manager is useful to applications that have long-running processes that must be monitored and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start transient jobs.
Restarting Daemon Manager on Solaris
To restart Daemon Manager on Solaris:
Step 1 Log in as root.
Step 2 To stop the Daemon Manager, enter:
/etc/init.d/dmgtd stop
Step 3 To start the Daemon Manager, enter:
/etc/init.d/dmgtd start
Note Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager will be in use for some more time even after the Daemon Manager is stopped. Wait for at least a minute before you start the Daemon Manager.
If the System resources are less than the required resources to install the application, Daemon Manager restart displays warning messages.
You cannot start the Daemon Manager if there are Non-SSL compliant applications installed on the server when SSL is enabled in Common Services.
Restarting Daemon Manager on Windows
To restart Daemon Manager on Windows:
Step 1 Go to Command Prompt.
Step 2 To stop the Daemon Manager, enter:
net stop CRMdmgtd
Step 3 To start the Daemon Manager, enter:
net start CRMdmgtd
Note Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute before you start the Daemon Manager.
If the System resources are less than the required resources to install the application, Daemon Manager restart displays warning messages that are logged into syslog.log.
Managing Processes
CiscoWorks applications use back-end processes to manage application-specific activities or jobs. The process management tools enable you to manage these back-end processes to optimize or troubleshoot the CiscoWorks Server.
Viewing Process Details
To view Process details:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Admin > Process.
The Process page appears.
Step 2 Click the Process link.
The Process Details popup window appears. The window provides information on the path, flags, startup, and dependencies.
Starting a Process
To start a Process:
Step 1 In the CiscoWorks Homepage, select Common Services > Server > Admin > Process.
The process page appears.
Step 2 Select the check box corresponding to the process.
Step 3 Click Start.