Cisco Craft Works Interface User Manual

Cisco Craft Works Interface Quick Start Guide

Cisco IOS XR Software Release 3.4

1 Introduction

2 About CWI

3 Prerequisites

4 Configuring the Router and CWI Client

5 Installing, Launching, and Uninstalling CWI

6 Getting Started with the Operation of CWI

7 Reference Information

8 Obtaining Documentation

9 Documentation Feedback

10 Cisco Product Security Overview

11 Product Alerts and Field Notices

12 Obtaining Technical Assistance

13 Obtaining Additional Publications and Information

Quick Start Guide

1 Introduction

This document introduces Craft Works Interface (CWI) that supports Cisco IOS XR Software Release 3.4.

Note This document refers to CWI managing devices. For Cisco IOS XR software, the devices can be any or all of the secure

domain routers (SDRs) of which your Cisco IOS XR system is composed.

Related Documentation

See the following list for related documents that may be useful:

• Cisco Craft Works Interface User Guide

• Cisco Craft Works Interface Online Help

Intended Audience

This document is intended for experienced service provider administrators, Cisco telecommunication management engineers,
and third-party field service technicians who have completed the required Cisco router training sessions.

2 About CWI

CWI is a powerful, session-based tool that allows you to manage, monitor, and configure a single device or a network of devices.
CWI is designed to operate in as many situations as possible. You can:

• Connect to the devices in several ways through a serial port, a terminal server, or an IP-based method, such as Telnet, SSH,
or CORBA.

• Run Windows, Macintosh, and Linux clients.

• Connect to devices with or without XML or command-line interface (CLI) capabilities.

• Display both the administrative (admin) plane and device plane for Cisco IOS XR devices.

Depending on the tasks that you want to perform, CWI offers a selection of CLI- and graphic-based tools from which you can
choose to perform the tasks. In addition to monitoring tools, CWI provides the following three methods to configure devices:

• Telnet, SSH, and Terminal Plus applications for direct access to the CLI of the device.

• CLI-based configuration editor tool for free-form editing and advanced navigation of the device configuration.

• Table-based applications that are used for bulk-configuration and client-side validation.

Unlike an Element Management System (EMS), CWI provides the following capabilities:

• Any Cisco IOS XR user can download CWI.

• CWI has a small footprint and no server is required.

• CWI has the flexibility to connect to the router through a serial port, terminal server, or management interface that uses

CLI or XML data.

• Many features are aimed at the CLI user.

See Cisco

Craft Works Interface User Guide for details on the activities in the CWI Desktop.

3 Prerequisites

Prerequisites ensure that the CWI client and router are correctly set up to allow them to communicate. Meeting all prerequisites
before starting any of the procedures in this guide is recommended to ensure successful communication between the CWI client
and router. For network information, see “Network Considerations” section on page 21.

2

Note If you are using a CORBA connection and require notifications, the router must be explicitly configured for each client

that is to receive notifications. These notifications include real-time inventory updates (for example, online insertion
and removal [OIR]), alarms, and change-of-configuration events. See the “Configuring the Router and CWI Client”
section on page 4 for information on configuring the router to send notifications to a specified client.

These prerequisites sections are described:

• Router Prerequisites, page 3

• CWI Client Prerequisites, page 3

• CWI Client System Requirements, page 3

Router Prerequisites

The router prerequisites ensure that the router is correctly set up. Before logging in to a router using CWI, you must meet the
router prerequisites that are described in Table 1.

Table 1 Checklist for Router Prerequisites

Item Task Additional Information

Base image and
manageability PIE

Minimum router
configuration

TTY or CORBA
connection method

1

username and

AAA
password

1. AAA = Authentication, Authorization, and Accounting

Ensure that the base image and manageability pie are
installed and running on the router to which you are
connecting using CWI client. Optionally, install and
activate the Cisco IOS XR Security Package (K9SEC) to
enable SSH and SSL functionality.

Set the minimum router configuration before configuring
the CWI client and required Management Services

Ensure if that connectivity is established between the
router Management Ethernet interface and CWI client.

Configure at least one username and password on the
router. A valid AAA username and password for accessing
the router must be configured.

See Cisco IOS XR System Management
Configuration Guide for information on
how to start the base image.

—

See Cisco IOS XR Getting Started Guide
for information on connecting an
Ethernet interface from CWI client to the
router.

See Cisco IOS XR System Security
Configuration Guide for information on
configuring usernames and passwords
on the router.

CWI Client Prerequisites

Ensure that the CWI client is correctly set up to communicate with the router. You should test the client connection. No special
configuration is required on CWI client.

Contact your system administrator to obtain the following information required to configure the router for use with CWI:

• Router hostname

• CWI client IP address if the client DNS name is not registered in a DNS server accessible by the router

CWI Client System Requirements

These sections list the CWI client hardware and software requirements. The CWI client hardware requirements ensure that the
CWI client has the proper verified system requirements for the chosen platform.

3

Hardware Requirements

Table 2 lists the CWI client hardware requirements.

Table 2 CWI Client Hardware Requirements

System
Requirement CPU and CPU Speed MHz RAM Drive Space

Windows-based
PC

UNIX Solaris 550 MHz minimum,

Linux-based PC IBM PC-compatible 500 MHz PentiumIII minimum,

Macintosh 500 MHz minimum,

IBM PC-compatible 500 MHz PentiumIII minimum,

1.20 GHz Pentium IV recommended

1.2 GHz recommended

1.20 GHz Pentium IV recommended

1.20 GHz recommended

256 MB minimum,
512 MB recommended

256 MB minimum,
512 MB recommended

256 MB minimum,
512 MB recommended

256 MB minimum,
512 MB recommended

CWI=5MB,
JRE=48MB.

CWI=5MB,
JRE=48MB

CWI=5MB,
JRE=48MB

CWI=5MB,
JRE=48MB

Software Requirements

Table 3 lists the CWI client software requirements.

Table 3 CWI Client Software Requirements

System Requirement Operating System Additional Software

Windows-based PC

Linux-based PC Red Hat Linux Release 7.1 or any Linux operating

Macintosh MAC OS X 10 Safari version 1.2.3

1. JRE = Java Runtime Environment

Windows 2000 or Windows XP One of these browsers:

• Microsoft Internet Explorer 5.0 or higher

• Netscape Navigator 7.0 or higher

JRE version 1.5

Netscape Navigator

JRE version 1.5

See the Sun website for the latest minimum system
requirements for the JRE on Linux.

JRE version 1.5

system on which JRE

1

1.5 runs

Monitor Display
Settings

1024 by
768 pixels

1024 by
768 pixels

1024 by
768 pixels

1024 by
768 pixels

4 Configuring the Router and CWI Client

To install CWI and for CWI to manage a router, specific configuration pieces must be active on the router. If you want to use
the serial port or terminal server connection method after installation, no further router configuration is required. For all other
connection methods, ensure that the router is configured, as described in this section.

The “Troubleshooting Basic IP Connectivity” section on page 24 provides information on resolving connectivity problems. See
Cisco IOS XR System Management Configuration Guide for information on the capabilities of, installation of
Cisco IOS XR software packages on, and bootup of the router.

These sections describe how to set up client connections on the router:

• Enabling the HTTP Server, page 5

• Setting Up the Common Configuration for IP Connection Methods, page 5

• Connection Methods, page 6

• Setting Up the Minimum Crypto Requirements, page 6

4

Enabling the HTTP Server

To download and install CWI, you must enable the HTTP server on the device.

Note The HTTP server is used only to install CWI. After installation, the server can be deactivated.

To activate the HTTP server, install the manageability PIE, and add the configuration, use the http server command in global
configuration mode, as shown in the following example:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# http server

In addition, you can enable SSL by using the ssl keyword from the http server command in global configuration mode, as shown
in the following example:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# http server ssl

Setting Up the Common Configuration for IP Connection Methods

For CWI to manage the device through an IP connection method (for example, Secure Shell Version 1 [SSHv1], Secure Shell
Version 2 [SSHv2], or CORBA) one or more of Telnet, SSHv1, and SSHv2 must be active on the router, regardless of which main
connection method you are using. The default number of available virtual terminal lines (vtys) is relatively small. We strongly
recommend that the number be increased to allow several management sessions to run simultaneously.

To set the maximum number of vtys, use the vty-pool command in global configuration mode, as shown in the following
example:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# vty-pool default 0 max vty

For more information, see Cisco IOS XR System Management Command Reference.

Enabling the Telnet Server

To enable the Telnet server on a device for CWI, use the telnet server command in global configuration mode. The following
example shows that you can set the default VPN routing and forwarding (VRF) instance name for the Telnet server, specify the
IPv4 address prefix, and either specify the maximum number of Telnet servers or specify no limit to the maximum number of
Telnet services:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# telnet vrf default ipv4 server max-servers [no-limit | 1-200]

For more information, see Cisco IOS XR IP Addresses and Services Command Reference.

Enabling the SSH Server

Before you begin to enable the SSH server, ensure that you have generated the Rivest, Shamir, and Adelman (RSA) key pair for
SSHv1 and Digital Signature Algorithm (DSA) key pair for SSHv2, as described in the “Setting Up the Minimum Crypto
Requirements” section on page 6. To enable the SSHv1 server and SSHv2 server, use the ssh server command in EXEC mode,
as shown in the following example:

RP/0/RP0/CPU0:router# ssh server

You can set both the rate limit and session limit options for the SSH server. For more information, see Cisco IOS XR System
Security Configuration Guide.

5

Connection Methods

Some connection methods require additional configuration on the router, as described in Table 4. For the connection methods
that require cryptographic (crypto) set up, see the “Setting Up the Minimum Crypto Requirements” section on page 6.

Table 4 Connection Methods and Requirements

Additional Router

Connection Method

Serial port — — —

Terminal server (all types) — — —

CLI over Telnet/SSHv1/SSHv2 — — Yes

XML over Telnet xml agent tty Yes —

XML over SSHv1/SSHv2 xml agent tty Yes Yes

XML over CORBA xml agent corba Yes —

XML over CORBA SSL xml agent corba ssl Yes Yes

Configuration Command

Manageability PIE
Requirement Crypto Setup Requirement

Setting Up the Minimum Crypto Requirements

This section describes the essential crypto requirements to enable the various secure communication options. If you want to run
CWI in a nonsecure (for example, Telnet- or CORBA-based) environment, this configuration is not required. For more detailed
information, see Cisco IOS XR System Security Configuration Guide.

Setting Up the Minimum Crypto Configuration for SSHv1 or SSHv2

To set up the minimum crypto configuration for SSHv1, use the crypto key generate rsa command in EXEC mode to generate a
RSA key pair. You must accept all prompted defaults. For more detailed information, see Cisco IOS XR System Security
Configuration Guide.

To set up the minimum crypto configuration for SSHv2, use the crypto key generate dsa command in EXEC mode to generate
a DSA key pair. For more detailed information, see Cisco IOS XR System Security Configuration Guide.

Setting Up the Minimum Crypto Configuration for SSL

To set up the minimum crypto configuration for SSL (CORBA, HTTP, or both), perform the following steps:

Step 1 Generate an RSA key pair. Accept all prompted defaults. If the key pair label is not specified, “the_default” is used.

RP/0/RP0/CPU0:router# crypto key generate rsa

Step 2 Configure the certification authority (CA) trust point.

RP/0/RP0/CPU0:router(config)# crypto ca trustpoint ca-name
RP/0/RP0/CPU0:router(config-trustp)# enrollment url ca-URL
RP/0/RP0/CPU0:router(config-trustp)# rsakeypair keypair-label (If your RSA key pair was assigned a label)
RP/0/RP0/CPU0:router(config-trustp)# exit
RP/0/RP0/CPU0:router(config)# commit

The following example shows how to configure the CA trust point:

RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca
RP/0/RP0/CPU0:router(config-trustp)# enrollment url http://myca/mydomain.com
RP/0/RP0/CPU0:router(config-trustp)# rsakeypair keypair-label
RP/0/RP0/CPU0:router(config-trustp)# exit
RP/0/RP0/CPU0:router(config)# commit

Step 3 Exit configuration mode.

RP/0/RP0/CPU0:router(config)# commit

6

Step 4 Authenticate the CA by getting the certificate for the CA.

RP/0/RP0/CPU0:router# crypto ca authenticate ca-name

Step 5 Obtain a router certificate from the CA.

RP/0/RP0/CPU0:router# crypto ca enroll ca-name

5 Installing, Launching, and Uninstalling CWI

This section provides information on how to install, launch, and uninstall CWI. For a list of the login modes, see the “Login
Modes and Requirements” section on page 22.

The following sections are presented:

• Installing CWI, page 7

• Launching CWI, page 8

• Closing CWI, page 16

• Uninstalling CWI, page 17

Installing CWI

Use this procedure to install CWI and log in to a router when SSL is either enabled or not enabled on the required Management
Services. Ensure that you have already set up the minimum client connections on the router. See the “Configuring the Router
and CWI Client” section on page 4 for more information.

Note All steps associated with accepting a certificate are not required after the first time you have started the CWI client and

logged in to a router if you choose the certificate option Always.

To install CWI, perform the following steps:

Step 1 Launch your HTTP- or HTTPS-enabled web browser. See the “CWI Client System Requirements” section on page 3 for

information on web browsers.

If SSL is enabled, the router SSL certificate must be accepted. To choose the applicable option, follow the online
instructions.

Note If you click No to deny the SSL certificate, the login process is canceled.

Step 2 Enter the DNS name or IP address of the router to be accessed in the Address field located near the top of the web

browser window. Press Enter.

You must enter the DNS name or IP address in the Address field using the following format:

http://router-dns-name or http://ip-address

If SSL is enabled, use the following format:

https://router-dns-name or https://ip-address

Step 3 A router HTTP authentication dialog box appears. See Cisco IOS XR System Security Configuration Guide for

information on the AAA username and password.

a. Enter your AAA username and password in the User Name and Password fields.

b. Click OK. The Cisco Systems router home page appears.

Step 4 Click the Craft Works Interface link in the web browser to start the CWI installation.

7

Note You must install JRE 1.5 to proceed with the CWI installation.

Step 5 If this is the first time the CWI client has started CWI, the Java Plug-in must be installed and the CWI Cisco security

certificate must be accepted.

a. If the Java Plug-in installation is completed, a dialog box appears asking you to trust the security certificate distributed

by Cisco Systems. This dialog box differs depending on the client platform.

b. The security certificate must be accepted to run CWI. To choose the applicable option, follow the online instructions.

If applicable, the Craft Works Interface Launcher appears.

Step 6 If this is the first time you have started CWI or you have installed a new version of CWI, the CWI components start

downloading. Otherwise, a cached version of the CWI components is used, reducing CWI start time.

Launching CWI

This section describes how to select the devices for managing your CWI session before and after launch.

The CWI device tree is a graphical, user-customized hierarchy of devices to manage, which provides a very simple method to
select devices to manage on a daily basis. The device tree lets you add, delete, and edit devices. In addition, the device tree lets
you to define device groups to organize your devices into logical sets. Your customizations are automatically saved for the next
time you launch CWI.

Because CWI can manage multiple routers in a session, you can select one or more devices or device groups from the device tree
and have CWI automatically log in to all of them. The login credentials for all the devices must be the same; for example, they
must have the same username and password. When you login, the progress window displays the login activity for each device.
When the login has been completed for all the devices, the main desktop appears. The CWI Inventory Tree is populated with
the chosen devices, and from this tree you can launch various applications to manage them.

After launching CWI, you can continue to add or delete devices by choosing File > Login. The following list of attributes are
included:

• Device name or address

• Connection method

• Description (optional)

In addition, you can connect to a device without using the Device Tree by choosing the Login Information root node in the tree.
CWI provides the user and device credentials on the right-hand side of the CWI - Login window.

The following sections are presented:

• Scripted Login Capability Overview, page 8

• Launching CWI Without Using the Device Tree, page 9

• Launching CWI from the Device Tree, page 10

• Encountering an Error While Logging into Multiple Devices Simultaneously, page 14

• Specifying the User Login Script, page 15

Scripted Login Capability Overview

The Scripted Login capability allows CWI to access devices not directly accessible from the CWI workstation. The following
steps are performed through a Scripted Login connection:

1. Connect by using Telnet, Secure Shell Version 1 (SSHv1), and Secure Shell Version 2 (SSHv2) to an intermediate device; for
example, a UNIX server.

2. Execute a user-specified series of commands to open a character-based connection such as a Telnet or SSH connection to
the remote device.

Then, CWI logs in to the remote device and communicates over the end-to-end connection by using XML or CLI, as specified
by the user.

8

Launching CWI Without Using the Device Tree

To launch CWI with SSL either enabled or not enabled, perform the following steps:

Step 1 Double-click the CWI icon to launch the client desktop. The CWI - Login window appears (see Figure 1).

You have the option to add a device or device group and log in to multiple routers. See the “Launching CWI from the
Device Tree” section on page 10 for more information.

Figure 1 CWI - Login Window

Note Enter the same AAA username and password that you used in Step 4 to access the router that must be configured. See the

“Installing CWI” section on page 7.

Step 2 Enter the same AAA username.

Step 3 Enter the same AAA password.

Step 4 (Optional) Enter the enable password for IOS.

Note When you connect to an IOS device, you must enter the enable password.

Step 5 Choose one of the following connection categories from the drop-down menu:

• IP

• Console/Aux

• Scripted

Note If you choose the IP-based or Console/Aux connection categories, the scripted login fields are not displayed.

Step 6 Choose one of the following connection types from the drop-down menu:

• XML over CORBA. Choose the node name. Note that XML over CORBA is the default.

• CLI over Telnet/SSH. Choose the server name. Specifying the port is optional. If you specify a port, CWI tries to

connect using only that port. CWI does not automatically try to connect with other ports.

• Terminal Server. Choose the server name and port.

• Serial Port. Choose the Serial Port. You can also set the parameters for the serial port.

9

Step 7 (Optional) If you chose the Scripted connection category to log in to the intermediate or Scripted server:

a. Enter the Scripted username.

b. Enter the Scripted password.

c. Click the ellipsis button to display the Login Script Steps window (see Figure 7). Follow the procedure in the “Specifying

the User Login Script” section on page 15.

Note In addition, you must enter the applicable information in the Device Description field to uniquely identify the

connection. For example, if you are connecting to a device such as router_1 through the intermediate machine, enter
router_1 in the Description field.

Step 8 Enter the node name (DNS name or IP address) of the device that CWI is directly connecting to.

Step 9 (Optional) Check the Manage admin plane check box to enable the admin plane for the applicable device group or

device. If checked, the admin plane node appears above the corresponding device node in the Inventory Tree. For more
information, see “Understanding the Admin Planes and Device Planes” section on page 18.

Step 10 Click Login. Note that if you checked the Lite Mode check box, the XML option is disabled.

For SSL enabled: If you did not choose Always to automatically accept the SSL certificate from the “Installing CWI”
section on page 7, you must accept the SSL certificate.

Step 11 After the CWI initialization is completed, the CWI Desktop window appears. The chosen login mode is indicated in the

Inventory Tree. See the “CWI Desktop Window” section on page 19 for information on the CWI Desktop window.

Note CWI is automatically locked when there is no activity in the CWI session for 15 minutes. To unlock CWI, you

must provide the username and password used when logging in to the router. See Cisco Craft Works Interface
User Guide for CWI unlocking procedures.

If any of the minimum requirements of the initialization steps fails, a CWI dialog box appears allowing you to abort,
troubleshoot, or continue the initialization process.

Step 12 If necessary, complete the following steps to troubleshoot the initialization process.

a. To stop the initialization process, click Abort.

b. To troubleshoot the process, click Troubleshoot. The Troubleshooter application is started, and a Troubleshoot New

Device Launch problems dialog box appears. The Troubleshooter application runs fault isolation tests on the
client/server communication path between the CWI and router management agent. The Troubleshooter application
provides a window that describes the reason for the failure, possible cause, and recommended repair action. An
automatic repair option is provided in many instances. See Cisco
using the Troubleshooter feature.

c. To continue the initialization process, click Continue.

Craft Works Interface User Guide for information on

Launching CWI from the Device Tree

These sections describe how to launch CWI through configured devices or device groups:

• Adding or Editing a Device, page 11

• Adding or Editing a Device Group, page 12

• Removing a Device or Device Group, page 12

• Logging In to Multiple Network Elements, page 12

10