Cisco Systems OL-11390-01 User Manual

Chapter 11 Administering DFM (Advanced)
These topics are intended for system administrators who will perform Device Fault Manager (DFM) administrative functions. The topics include:
Device Support, page 11-3
System Administration, page 11-3

Security Considerations

These topics address some important DFM security issues:
File Ownership and Protection, page 11-1
Secure Socket Layer (SSL), page 11-2
SNMPv3, page 11-2
Working with Firewalls, page 11-2

File Ownership and Protection

Security for DFM files is based on the same standards used for CiscoWorks.
Caution Do not change the protection of any file or directory to be less restrictive. You may, if you wish, make
the protections more restrictive.
All DFM files are installed with owner CASUSER. Only CASUSER can create, delete, or modify the files installed in NMSROOT. NMSROOT is the directory where CiscoWorks is installed on your system. If you selected the default directory during installation, on Windows it is C:\Program Files\CSCOpx. On Solaris, it is /opt/CSCOpx.
When typing the Windows default installation directory, enter C:\Progra~1\CSCOpx.
Note File protections are not enforced on FAT partitions.
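The rule above is easier to keep when you can check it. The script below is an added example for this chapter, not Cisco's code: it lists paths under an NMSROOT tree that are world-writable or not owned by the install account. It assumes that account is spelled casuser on the filesystem (the guide writes it as CASUSER), and it builds a small constructed tree in a temporary directory to show the output; it is not a real CSCOpx install. On a FAT partition it reports nothing useful, for the reason the Note gives.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: audit an NMSROOT tree for files
# whose protection is less restrictive than the install left them.
# Assumptions (not from the guide): the install owner account is "casuser" on
# the filesystem, and "less restrictive" means world-writable or owned by an
# account other than casuser. The demo tree is constructed in a temp directory.

# audit_nmsroot ROOT [OWNER]: print every path under ROOT that is world-writable
# or not owned by OWNER (default casuser). A path may appear once per rule.
audit_nmsroot() {
    root=$1
    owner=${2:-casuser}
    # other-write bit set on a file or directory (octal -002 = o+w)
    find "$root" -perm -002 -print 2>/dev/null
    # not owned by the install owner (silently empty if OWNER is unknown here)
    find "$root" ! -user "$owner" -print 2>/dev/null
}

# count_findings ROOT [OWNER]: number of distinct offending paths, for scripts
count_findings() {
    audit_nmsroot "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# demo_tree: constructed tree with one correctly protected binary and one
# world-writable config file; prints the tree's root directory
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/objects"
    : > "$d/bin/pdreg";          chmod 750 "$d/bin/pdreg"
    : > "$d/objects/loose.conf"; chmod 666 "$d/objects/loose.conf"
    printf '%s\n' "$d"
}

# Run directly with a real tree, e.g.  sh audit.sh /opt/CSCOpx casuser
# With no arguments, audit the constructed demo tree as the current user.
if [ "${1:-}" ]; then
    audit_nmsroot "$1" "${2:-casuser}"
else
    demo=$(demo_tree)
    echo "findings in demo tree: $(count_findings "$demo" "$(id -un)")"
    audit_nmsroot "$demo" "$(id -un)"
    rm -rf "$demo"
fi
```

Run it from cron against the real NMSROOT and treat any output as a deviation to investigate; the demo run reports only objects/loose.conf, because the rest of the constructed tree keeps the owner-only protections.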
OL-11390-01
User Guide for Device Fault Manager
11-1

Secure Socket Layer (SSL)

SSL is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys. You can enable or disable SSL depending on the need to use secure access.
DFM supports SSL between clients and the server. By default, DFM is not SSL-enabled. For information on enabling SSL, refer to the Common Services online help.

SNMPv3

Like CiscoWorks Common Services, DFM supports SNMPv3 (authentication and access control but no data encryption) between server and devices to eliminate leakage of confidential info. This provides packet-level security, integrity protection, and replay protection, but does not encrypt the packets.

Working with Firewalls

DFM will work across firewalls, but you must perform the following two tasks:
Configure the DFM server to use a specific port (outgoing connection)
Configure the firewall to use an automatic established connection (incoming connection)
Step 1 Configure the DfmServer process so it binds to a privileged port, using the pdcmd --port option (see Table 11-4 on page 11-16 for more pdreg options):
Note The ports and protocols used by CiscoWorks are listed in the Installation and Getting Started Guide for LAN Management Solution 3.0.
a. Check the flags that are currently set for the DfmServer process, and write them down (you will need to reset them later):
# NMSROOT/bin/pdreg -l DfmServer
b. Unregister the DfmServer process:
# NMSROOT/bin/pdcmd -u DfmServer
c. Re-register the DfmServer process with all the flags found in Step a and the following sm_server flags, as needed:
--port=port                  Specifies port (for example, on a firewall) on which DfmServer will run
--privopen=protocol:port     Specifies privileged port to which DfmServer has access (for example, UDP:162)
# NMSROOT/bin/pdcmd -r DfmServer -e "NMSROOT/objects/smarts/bin/sm_server --output -n DFM -c icf --privopen=UDP:162 --bootstrap=DFM_bootstrap.conf --subscribe=default"
Use the following command to list all sm_server flags:
NMSROOT/objects/smarts/bin/sm_server --help
Step 2 Configure the established connection keyword in the firewall to be automatic.
For additional information on using the privopen option, see Example 2: Configuring the DFM Server to Use a Privileged Port, page 11-19.

Device Support

When support for new devices becomes available for DFM, minor releases will be announced on the planner page for DFM on Cisco.com. Visit the planner page for announcements, downloads, and installation instructions for these releases as they become available.
When a new minor release becomes available, you can download it from Cisco.com by going to
http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-dfm
(You will be prompted to log into Cisco.com.)

System Administration

DFM system administration can be performed only by the following types of users:
Users in a System Administrator role. These users can perform system administration tasks that can
be started from the CiscoWorks desktop. These tasks include:
Configuring users
Backing up and restoring data
Configuring logging
Starting and stopping CiscoWorks processes
Users who log in as local administrator to the system where DFM is installed. These users can view
log files.
If the DFM server is using CiscoSecure Access Control Server (ACS) mode, these CiscoWorks roles are mapped to ACS roles.

Registering Additional DFM Servers with the LMS Portal

You can register additional DFM servers so that they appear on the LMS portal. There is no limit to the number of servers you can register, since device limits are enforced from the DFM server side; the LMS portal is simply a portal for the different applications. However, you will probably want to limit your home page to two or three DFM servers. The local DFM server name is always listed first on the LMS Portal.
If you have multiple instances of DFM on your home page, you can always map a DFM instance to its Common Services instance by the server hostname (DFM@server, CS@server).
Note When you use a remote version of DFM, CiscoWorks will prompt you to reauthenticate yourself.
Step 1 From the LMS portal, select Common Services > Server > HomePage Admin > Application
Registration. The Application Registration Status page appears.
Step 2 Click Registration. The Registration Location page opens.
Step 3 Activate the Import from Other Servers radio button, and click Next. The Import Server’s Attributes page opens.
Step 4 In the Import Server’s Attributes page, enter the following information:
Server Name—Host name or IP address.
Server Display Name—A user-specified name that will be displayed on the LMS portal, and as the
DFM home page title when you select that DFM instance.
Port—1741.
Step 5 Click Next. CiscoWorks verifies that the remote server is reachable.
Step 6 When you select the new DFM server instance from the LMS portal, you will have to authenticate by entering a user name and password for the remote host.

Configuring Users (ACS and Non-ACS)

The CiscoWorks server provides the mechanism for authenticating and authorizing users for CiscoWorks applications. What users can see and do is determined by their user role. System Administrators can configure user roles by selecting Server > Security > Single-Server Management > Local User Setup. From here you can add, modify, or delete users.
The CiscoWorks server provides two different mechanisms or modes for authenticating users for CiscoWorks applications:
CiscoWorks Local Mode—By default, the CiscoWorks server uses CiscoWorks Local mode, or
non-ACS mode. In CiscoWorks Local mode, CiscoWorks assigns roles, along with privileges associated with those roles, as described in the Common Services Permission Report. (You can generate a Permission Report from the LMS portal by selecting Server > Reports > Permission Report and clicking Help.) For more information, refer to Configuring Users Using CiscoWorks
Local Mode, page 11-5.
CiscoSecure Access Control Server (ACS) Mode—ACS specifies the privileges associated with
roles; however, ACS also allows you to perform device-based filtering, so that users only see authorized devices. Using ACS, which is called ACS mode, is supported when ACS is installed on your network and DFM is registered with ACS. For more information, refer to Configuring Users
Using ACS Mode, page 11-5.
If Common Services is using ACS mode, DFM must also use ACS mode; otherwise, DFM users will not have any permissions. However, if another instance of DFM is already integrated with ACS, the new DFM will also be integrated with ACS.
You can also use the CiscoWorks Assistant Server Setup workflow to set the server login mode to ACS mode, as described in User Guide for CiscoWorks Assistant 1.0.

Configuring Users Using CiscoWorks Local Mode

To add a user and specify their user role using CiscoWorks Local Mode, select Server > Security > Single-Server Management > Local User Setup from the LMS portal. Click the Help button for
information on the configuration steps. Use the CiscoWorks Permission Report to understand how each user role relates to tasks in DFM. From
the LMS portal, select Server > Reports > Permission Report and scroll down until you find Device Fault Manager.

Configuring Users Using ACS Mode

To use this mode for DFM, Cisco Secure ACS must be installed on your network, and DFM must be registered with ACS.
Step 1 Verify which mode the CiscoWorks server is using. From the LMS portal, select Server > Security >
AAA Mode Setup and check what is listed in the Current Settings table. Either CiscoWorks Local or
TACACS (ACS) will be displayed.
Step 2 Verify whether DFM is registered with ACS (if ACS Mode is being used) by checking the ACS server.
Step 3 To modify ACS roles:
Refer to the ACS online help (on the ACS server) for information on modifying roles.
Refer to the Common Services online help for information on the implications of ACS on the DCR
(specifically, role dependencies).
Note If you modify DFM roles using ACS, your changes will be propagated to all other instances of
DFM that are using Common Services servers which are registered with the same ACS server.
See the following for other information related to ACS:
To register applications with ACS, and for information on supported ACS versions, refer to
Installing and Getting Started with CiscoWorks LAN Management Solution 3.0.
To understand CiscoSecure Groups, Users, and Command Authorization Sets, see User Guide for
CiscoSecure ACS.
For information on the implications of ACS custom roles on the DCR, see the online help for
Common Services.

Using DFM in ACS Mode

Before performing any tasks that are mentioned here, you must ensure that you have successfully completed configuring Cisco Secure ACS with the CiscoWorks server. If you have installed DFM after configuring the CiscoWorks Login Module to the ACS mode, then DFM users are not granted any permissions. However, the DFM application is registered to Cisco Secure ACS.
CiscoWorks login modules allow you to add new users using a source of authentication other than the native CiscoWorks server mechanism (that is, the CiscoWorks Local login module). You can use the Cisco Secure ACS services for this purpose. You can integrate the CiscoWorks server with CiscoSecure ACS to provide improved access control using Authentication, Authorization, and Accounting.
The following topics provide information on how to use DFM in the ACS mode:
Modifying CiscoWorks Roles and Privileges, page 11-7
Device-Based Filtering, page 11-7
By default, the CiscoWorks server authentication scheme has six roles. They are listed here from least privileged to most privileged:
Help Desk: User with this role has the privileges to access network status information from the persisted data. User does not have the privilege to contact any device or schedule a job that will reach the network.
Approver: User with this role has the privilege to approve all DFM tasks. User can also perform all the Help Desk tasks.
Network Operator: User with this role has the privilege to perform all tasks that involve collecting data from the network. User does not have write access on the network. User can also perform all the Approver tasks.
Network Administrator: User with this role has the privilege to change the network. User can also perform Network Operator tasks.
System Administrator: User with this role has the privilege to perform all CiscoWorks system administration tasks. See the Permission Report on the CiscoWorks server (Common Services > Server > Reports > Permission Report).
Super Admin: User with this role has full access rights to perform any CiscoWorks tasks, including administration and approval tasks. When you integrate your CiscoWorks server with your ACS server, you just need to do the following:
1. Create a System Identity User in ACS.
2. Assign the Super Admin role to the user for all CiscoWorks applications.
You need not create a custom role with all the privileges and assign that role to the user. You can assign this role to a user only on the CiscoSecure ACS server and only when the login module is set to ACS. This role is not visible in CiscoWorks local mode and during the local user setup in the CiscoWorks server.
Cisco Secure ACS allows you to modify the privileges to these roles. You can also create custom roles and privileges that help you customize Common Services client applications to best suit your business workflow and needs.
To modify the default CiscoWorks roles and privileges, see Modifying CiscoWorks Roles and Privileges,
page 11-7.