Page 1 User Guide for CiscoWorks Common Services 3.0 CiscoWorks Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7816571 Text Part Number: 78-16571-01...
Page 2 DAMAGES. CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
Page 3 Ordering Documentation xvii Documentation Feedback xviii Obtaining Technical Assistance xviii Cisco Technical Support Website xviii Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Overview C H A P T E R New Features...
Page 4: Table Of Contents
Contents Interacting With CiscoWorks Homepage C H A P T E R Invoking CiscoWorks Homepage Invoking CWHP in Normal Mode (HTTP) Invoking CWHP in SSL Enabled Mode (HTTPS) Logging Into CiscoWorks Using CWHP Common Services Panel Application Panels Supporting Applications on Another Server Supporting Traditional Applications With New Navigation Device Troubleshooting Panel Resources Panel...
Page 5 Changing the Single Sign-On Mode 3-18 Setting up the AAA Mode 3-20 About Common Services Authentication 3-21 Cisco Secure ACS Support for Common Services Client Applications 3-22 Setting the Login Module to Non-ACS 3-24 Changing Login Module to CiscoWorks Local 3-25...
Page 6 Creating and Modifying Roles in ACS 3-39 Resetting Login Module 3-42 Understanding Fallback Options for ACS Mode 3-43 Managing Cisco.com Connection 3-44 Setting up Cisco.com User Account 3-44 Setting Up the Proxy Server 3-44 Generating Reports 3-45 Log File Status Report 3-45...
Page 7 Contents Backing Up Data 3-55 Backing up Using CLI 3-57 Data Backed up During CS 3.0 Backup 3-57 Restoring Data 3-58 Restoring Data on UNIX 3-59 Restoring Data on Windows 3-60 Data Restored from Common Services 3.0 Backup Archive 3-61 Data Restored from Common Services 2.2 Backup Archive 3-62 Data Restored from CD One 5th Edition Backup Archive...
Page 8 Contents Managing Device and Credentials C H A P T E R DCR Architecture Master DCR Slave DCR Standalone DCR Using the Device and Credential Admin Managing Devices Adding Devices Standard Type Auto Update Type 4-10 Cluster Managed Type 4-11 Deleting Devices 4-12 Editing Device Credentials...
Page 9 Contents Administering Device and Credential Repository 4-26 Changing DCR Mode 4-26 Master-Slave Configuration Prerequisites 4-27 Changing the Mode to Standalone 4-27 Changing the Mode to Master 4-28 Changing the Mode to Slave 4-28 Adding User-defined Fields 4-29 Renaming User-defined Fields 4-30 Deleting User-defined Fields 4-31...
Page 10 Contents Implications of ACS Login Module on DCR 4-45 Custom Roles and DCR 4-45 Administering Groups C H A P T E R Group Concept Group Hierarchy Dynamic Group Static Group Container Groups System-defined and User-defined Groups Common Groups and Shared Groups Secure Views Groups in a Single-Server Setup Groups in Multi-Server Setup...
Page 11 Contents Using Device Center C H A P T E R Launching Device Center Invoking Device Center Using Device Center Functions Device Selector Device Summary Management Functions Enabling Debugging Tools Checking Device Connectivity Using Ping Using Traceroute Using SNMP Walk Using SNMP Set 6-11 Using Packet Capture...
Page 12 Contents Diagnosing Problems With CiscoWorks Server C H A P T E R Verifying Server Status Testing Device Connectivity Troubleshooting the CiscoWorks Server Frequently Asked Questions Troubleshooting Suggestions 8-33 Understanding CiscoWorks Security A P P E N D I X General Security Server Security Server–Imposed Security...
Page 13 Preface This document describes CiscoWorks Common Services 3.0 and gives an overview of the features and functions provided by CiscoWorks Common Services. Audience This manual is for network administrators who need to configure and maintain CiscoWorks Common Services. Most of the tools and applications described are available only to systems administrators.
Page 14 Product Documentation We sometimes update the printed and electronic documentation after original Note publication. Therefore, you should also review the documentation on Cisco.com for any updates. Table 1 describes the product documentation that is available.
Page 15 Product Documentation Document Title Available Formats Release Notes for CiscoWorks Printed document that was included with the product. • Common Services 3.0 On Cisco.com at: • http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/c w2000/cw2000_d/comser30/relnotes/index.htm Installation Guide for CiscoWorks PDF on the product CD-ROM. • Common Services 3.0 on Windows On Cisco.com at:...
Page 16 Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems. User Guide for CiscoWorks Common Services...
Page 17 Preface Obtaining Documentation Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Ordering Documentation You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm...
Page 18 URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
Page 19 For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Page 20 Obtaining Additional Publications and Information Definitions of Service Request Severity To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations.
Page 21 You can access Packet magazine at this URL: http://www.cisco.com/packet iQ Magazine is the quarterly publication from Cisco Systems designed to • help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services.
Page 22 Preface Obtaining Additional Publications and Information User Guide for CiscoWorks Common Services xxii 78-16571-01...
Page 23 C H A P T E R Overview CiscoWorks Common Services (Common Services) represents a common set of management services that are shared by CiscoWorks applications. CiscoWorks is a family of products based on Internet standards for managing networks and devices.
Page 24 Chapter 1 Overview New Features New Features The major new features in this release: • CiscoWorks Homepage Provides launch points for CiscoWorks family of products and other resources. The HTML based CiscoWorks Homepage replaces the Java applet based Desktop. Device and Credential Repository (DCR) •...
Page 25 Chapter 1 Overview Understanding Time Zone Settings Support for IPv6. • HTML based Online help. • Understanding Time Zone Settings Common Services and associated CiscoWorks application suites support many time zones. However, applications that have scheduling and reporting functions, and applications that produce or use time stamps vary based on: Server and client—Time stamps can differ between server and client if they •...
Page 26 Chapter 1 Overview Learning More About the Common Services For tips about accessing Online help, see Using Online Help. You can check the version details and licensing information about Common Services by clicking the About button on top of the right hand side of the CiscoWorks Homepage.
Page 27: Chapter 2 Interacting With Ciscoworks Homepage
C H A P T E R Interacting With CiscoWorks Homepage CiscoWorks Homepage (CWHP) provides launch points for all Common Services features. It also provides launch points for applications installed on the same server or a remote server, and their major functions. CWHP also provides launch points for other web-based products (Non-CiscoWorks products and third party/home-grown tools) residing on the same or a different server.
Page 28: Invoking Ciscoworks Homepage
Chapter 2 Interacting With CiscoWorks Homepage Invoking CiscoWorks Homepage Software Center • Device Center • The following sections explain the CWHP features, in detail: Invoking CiscoWorks Homepage • Logging Into CiscoWorks • Using CWHP • Configuring CWHP • Using Online Help •...
Page 29: Invoking Cwhp In Ssl Enabled Mode (Https)
Chapter 2 Interacting With CiscoWorks Homepage Invoking CiscoWorks Homepage For more information, see the “Logging Into CiscoWorks” section on page 2-4. See also, Installation and Setup Guide for CiscoWorks Common Services on Solaris. Invoking CWHP in SSL Enabled Mode (HTTPS) To invoke CWHP in the SSL enabled mode (HTTPS): Enter the URL for your CiscoWorks Server in your browser.
Page 30: Logging Into Ciscoworks
Chapter 2 Interacting With CiscoWorks Homepage Logging Into CiscoWorks In the New Site Certificate wizard you can accept the certificate for the current session or accept it till the certificate expires. To avoid going through the New Site Certificate wizard every time you invoke CWHP, you may accept the certificate till it expires.
Page 31: Using Cwhp
Chapter 2 Interacting With CiscoWorks Homepage Using CWHP The Login screen replaces the current page of the current browser window. After you log in, the page you were on before re-logging in, appears. Using CWHP CiscoWorks Homepage is the primary user interface and the launch point for all features.
Page 32: Application Panels
Chapter 2 Interacting With CiscoWorks Homepage Using CWHP Application Panels Each Application Panel in the CWHP serves as a top-level launch point for all Common Services applications installed on the local/remote server. Applications appear in the CWHP in three columns. By default, only the first level items are displayed when you login.
Page 33: Supporting Traditional Applications With New Navigation
CiscoWorks Product Updates panel is on the right hand side of the page. It displays informative messages about CiscoWorks product announcements, and help related topics. If you click the More Updates link, a popup window appears with all the Cisco Product Update details. User Guide for CiscoWorks Common Services...
Page 34: Tool Bar Items
Configuring CWHP In case the CiscoWorks Server is behind a firewall, the proxy settings are used to download messages from Cisco.com. CWHP provides an Admin UI to accept the proxy settings. CWHP alerts you if any urgent messages are found.
Page 35: Registering A New Application
Chapter 2 Interacting With CiscoWorks Homepage Configuring CWHP During registration you are prompted to select an application template and then register with CiscoWorks Server. The registration enables the application to be integrated with other applications based on the template definition. It also helps application launch points to be displayed on CWHP.
Page 36: Importing From Other Servers
Chapter 2 Interacting With CiscoWorks Homepage Configuring CWHP Enter the Server attributes in the Server attributes dialog box and click Next. Step 3 The Registration Summary page displays the Application Registration summary window. It displays a summary the information you entered. Click Finish.
Page 37: Unregistering An Application
Chapter 2 Interacting With CiscoWorks Homepage Configuring CWHP Unregistering an Application To unregister an application: Step 1 Select Common Services > HomePage > Application Registrations. The Application Registration Status page appears. You can view the list of registered applications in the Registered Applications dialog box. Select the radio button corresponding to the Application you want to unregister, Step 2 and click Unregister.
Page 38: Unregistering A Link
Chapter 2 Interacting With CiscoWorks Homepage Configuring CWHP Unregistering a Link To unregister a link: Step 1 Select Common Services > HomePage > Links Registration. The Links Registration Status page appears. Select the check box corresponding to the link you need to unregister. Step 2 Click Unregister.
Page 39: Using Online Help
Chapter 2 Interacting With CiscoWorks Homepage Using Online Help Select a value from the Urgent Messages Polling Interval drop-down list to set the Step 6 polling interval for messages. The time you set here decides the polling interval for disk watcher messages and messages you want to broadcast using the Notify Users features.
Page 40: Changing Web Server Port Numbers
Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers To access Online help, click the Help button on the top-right corner. This opens a window that displays help contents. From this window, you can access help for all the CiscoWorks applications installed.
Page 41 Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers If you change the port after installation, CiscoWorks will not launch from Start menu (Start > Programs > Ciscoworks > Ciscoworks). You have to manually invoke the browser, and specify the URL, with the changed port number. The restrictions that apply to the specified port number are: •...
Page 42 Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers A sample backup may be similar to: /opt `--/CSCOpx `--/conf `--/backup |--README.txt (Note the purpose of this directory as it is initially empty) `--/AAAtpaG03_Ciscobak (Autogenerated unique backup directory). |--index.txt (The backup file list) |--httpd.conf (Webserver config file) |--md.properties (CiscoWorks config elements) |--mdc_web.xml (Common Services application...
Page 43 Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers On Windows: You can change the web server port numbers (for HTTP and HTTPS) for the CiscoWorks Webserver. To change the port numbers you must have administrative privileges. Run the following command at the prompt: CSCOpx\MDC\Apache\changeport.exe If you run this utility without any command line parameter, CiscoWorks displays...
Page 44 Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers The restrictions that apply to the specified port number are: Port numbers less than 1025 are not allowed except 80 (HTTP) and • 443 (HTTPS). Also port 80 is not allowed for HTTPS port and port 443 is not allowed for HTTP port.
Page 45 Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers A sample backup may be similar to: [drive:] `--\Program Files `--\CSCOpx `--\conf `--\backup |--README.txt (Notes the purpose of this dir as it is initially empty) `--\skc03._Ciscobak (Autogenerated unique backup directory). |--index.txt (The backup file list) |--httpd.conf...
Page 46 Chapter 2 Interacting With CiscoWorks Homepage Changing Web Server Port Numbers User Guide for CiscoWorks Common Services 2-20 78-16571-01...
Page 47: Chapter 3 Configuring The Server
Common Services provides features for managing security when operating in single-server and multi-server modes. You can specify the user authentication mode using the AAA Mode Setup. You can create user accounts on Cisco.com using the Cisco.com Connection Management UI. Managing Security in Single Server Mode...
Page 48: Setting Up Browser-Server Security
Chapter 3 Configuring the Server Setting up Browser-Server Security For details, see: Setting up Browser-Server Security • Setting up Local Users • Creating Self Signed Certificate • Setting up Browser-Server Security Common Services provides secure access between the client browser and management server, and also between the management server and devices.
Page 49 Chapter 3 Configuring the Server Setting up Browser-Server Security Log out from your CiscoWorks session, and close all browser sessions. Step 4 Restart the Daemon Manager from the CiscoWorks Server CLI: Step 5 On Windows: Enter net stop crmdmgtd Enter net start crmdmgtd On Solaris: Enter...
Page 50: Enabling Browser-Server Security From The Command Line Interface (Cli)
Chapter 3 Configuring the Server About User Accounts Enabling Browser-Server Security From the Command Line Interface (CLI) To enable Browser-Server Security from CLI: Go to the command prompt. Step 1 Navigate to the directory NMSROOT\MDC\Apache. Step 2 Enter NMSROOT Step 3 \bin\perl ConfigSSL.pl -enable Press Enter.
Page 51: Understanding Security Levels
Chapter 3 Configuring the Server Understanding Security Levels However, as an administrator, you can create additional unique login IDs for users at your company. The CiscoWorks Server administrator can set the passwords for admin and guest Note users during installation. Contact the CiscoWorks Server administrator if you do not know the password for admin.
Page 52: Setting Up Local Users
Chapter 3 Configuring the Server Setting up Local Users Setting up Local Users Local User Setup feature helps you in: • Modifying Your Profile Adding a User • Editing User Profiles. • Deleting a User • For information on tasks that can be performed with each role, see the “Permissions Report”...
Page 53 Chapter 3 Configuring the Server Setting up Local Users Adding a User You can add further users into CiscoWorks as required. To add a user: In the CiscoWorks Homepage, select Common Services > Server > Security > Step 1 Local User Setup. The Local User Setup page appears.
Page 54 Chapter 3 Configuring the Server Setting up Local Users Editing User Profiles You can edit the user profiles to modify the roles assigned to the users. To edit user profiles: In the CiscoWorks Homepage, select Common Services > Server > Security > Step 1 Local User Setup.
Page 55: Creating Self Signed Certificate
Chapter 3 Configuring the Server Creating Self Signed Certificate Creating Self Signed Certificate CiscoWorks allows you to create security certificate used to enable SSL communication between your client browser and management server. Self signed certificates are valid for five years from the date of creation. When the certificate expires, the browser prompts you to install the certificate again from the server where you have installed CiscoWorks.
Page 56: Managing Security In Multi-Server Mode
Chapter 3 Configuring the Server Managing Security in Multi-Server Mode Field Usage Notes Host Name DNS name of the computer or the IP address of the computer. Enter the Host Name with a proper domain name. This is displayed on your certificate (whether self-signed or third party issued).
Page 57: Setting Up Peer Server Account
Chapter 3 Configuring the Server Setting up Peer Server Account See the following sections to understand more about the features that enables secure communication between peer servers part of a multi-server domain: • Setting up Peer Server Account Setting up System Identity Account •...
Page 58 Chapter 3 Configuring the Server Setting up Peer Server Account To edit User information: In the CiscoWorks Homepage, select Common Services > Server > Security > Step 1 Peer Server Account Setup. Click Edit. Step 2 The Peer Server Account Setup page appears. Enter the password in the Password field.
Page 59: Setting Up System Identity Account
Chapter 3 Configuring the Server Setting up System Identity Account Setting up System Identity Account Communication between multiple CiscoWorks Servers is enabled by a trust model addressed by certificates and shared secrets. System Identity setup helps you to create a “trust” user on servers that are part of a multi-server setup. This user enables communication between servers that are part of a domain.
Page 60: Setting Up Peer Server Certificate
Chapter 3 Configuring the Server Setting up Peer Server Certificate “Master-Slave Configuration Prerequisites” section on page 4-27 “Enabling Single Sign-On” section on page 3-15 to know more on the usage of this features. To add a System Identity user: In the CiscoWorks Homepage, select Common Services > Server > Security > Step 1 System Identity Setup Enter the username in the Username field.
Page 61: Deleting Peer Certificates
Chapter 3 Configuring the Server Enabling Single Sign-On Enter the value of the Non-SSL(HTTP) Port of the peer CiscoWorks Server. Step 4 Click OK. Step 5 The default Non-SSL(HTTP) Port of the peer CiscoWorks Server is 1741. Deleting Peer Certificates To delete peer certificates: Select the check box corresponding to the certificate you want to delete.
Page 62: Navigating Through The Sso Domain
Chapter 3 Configuring the Server Navigating Through the SSO Domain The following tasks should be performed if the server is either configured as Master or Slave. • Configure the System Identity User and password in both Master and Slave. The System Identity User name and password you specify in Master and Slave should be the same.
Page 63: Registering Server Links
Chapter 3 Configuring the Server Navigating Through the SSO Domain Registering Server Links You can register the links of servers part of the SSO domain, in any of the servers, using the Link registration feature. See “Registering Links With CWHP” section on page 2-11.
Page 64: Changing The Single Sign-On Mode
Chapter 3 Configuring the Server Changing the Single Sign-On Mode Suppose ABC and XYZ are part of an SSO domain. Login to ABC. Step 1 Launch a new browser instance (File > New > Window, in Internet Explorer) Step 2 from the same browser window.
Page 65 Chapter 3 Configuring the Server Changing the Single Sign-On Mode To change the SSO mode to Standalone: In the CiscoWorks Homepage, select Common Services > Server > Security > Step 1 Single Sign-On. The Single Sign-On Configuration page shows the current Single Sign-On mode. Click Change Mode Step 2 Select Standalone (Normal) radio button.
Page 66: Setting Up The Aaa Mode
CiscoWorks login modules allow administrators to add new users using a source of authentication other than the native CiscoWorks Server mechanism (that is, the CiscoWorks Local login module). You can use Cisco Secure ACS services for this purpose (see Setting the Login Module to ACS).
Page 67: About Common Services Authentication
CiscoWorks Common Services supports two AAA modes: Non-ACS • • To use this mode, you must have a Cisco Secure ACS (Access Control Server), installed on your network. Common Services 3.0 supports the following versions of Cisco Secure ACS for Windows Server: Cisco Secure ACS 3.2 –...
Page 68 Chapter 3 Configuring the Server About Common Services Authentication The CiscoWorks Server authentication scheme has five default roles. They are listed here from the least privileged to most privileged: • Help Desk Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network.
Page 69: Cisco Secure Acs Support For Common Services Client Applications
For more information about configuring Cisco Secure ACS administrators, users, and command authorization sets, see the User Guide for Cisco Secure ACS for Windows Server Version 3.3 on Cisco.com, or the CiscoSecure ACS Online Help.
Page 70: Setting The Login Module To Non-Acs
Configuring the Server Setting the Login Module to Non-ACS Detailed information about the various configuration options appear in the Cisco Secure ACS documentation. Setting the Login Module to Non-ACS The Login Module defines how authorization and authentication are performed. To set the login module to Non-ACS mode: In the CiscoWorks Homepage, select Common Services >...
Page 71: Changing Login Module To Ciscoworks Local
If the user is not found, then the Distinguished name is created by appending Prefix + login name + Usersroot. For example, a Distinguished name could be represented as: uid=John ou=embu o=cisco.com, where the Prefix is uid=, the login name is John, and the Usersroot ou=embu, o=cisco.com). User Guide for CiscoWorks Common Services...
Page 72 Chapter 3 Configuring the Server Setting the Login Module to Non-ACS To change the login module to IBM SecureWay Directory: Select the IBM SecureWay Directory radio button. Step 1 Click Change. Step 2 The Login Module Options popup window appears with the following details: Field Description Selected Login Module...
Page 73: Changing Login Module To Kerberoslogin
Chapter 3 Configuring the Server Setting the Login Module to Non-ACS Changing Login Module to KerberosLogin Kerberos provides strong authentication for client/server applications by using secret-key cryptography. To change the Login Module to KerberosLogin: Select the KerberosLogin radio button. Step 1 Click Change.
Page 74: Changing Login Module To Local Unix System
Chapter 3 Configuring the Server Setting the Login Module to Non-ACS Changing Login Module to Local Unix System This option is available only on Unix systems. To change the login module to Local Unix System: Select the Local Unix System radio button. Step 1 Click Change.
Page 75: Changing Login Module To Local Nt System
Chapter 3 Configuring the Server Setting the Login Module to Non-ACS Changing Login Module to Local NT System This option is available only on Windows To change the login module to Local NT System: Select Local NT System radio button. Step 1 Click Change.
Page 76 Setting the Login Module to Non-ACS For example, a Distinguished name could be represented as: cn=John dc=embu dc=cisco, where the Prefix is cn=, the login name is John, and the Usersroot dc=embu, dc=cisco). To change login module to MS Active Directory: Select MS Active Directory radio button.
Page 77: Changing Login Module To Netscape Directory
Prefix + login name + Usersroot. For example, a Distinguished name could be represented as: uid=John ou=embu o=cisco.com, where the Prefix is uid=, the login name is John, and the Usersroot ou=embu, o=cisco.com). To change login module to Netscape Directory: Select Netscape Directory radio button.
Page 78: Changing Login Module To Radius
Chapter 3 Configuring the Server Setting the Login Module to Non-ACS Changing Login Module to Radius To change login module to Radius: Select Radius radio button. Step 1 Click Change. Step 2 The Login Module Options popup window appears with the following details: Field Description Selected Login Module...
Page 79: Changing Login Module To Tacacs
Chapter 3 Configuring the Server Setting the Login Module to Non-ACS Changing Login Module to TACACS+ To change login module to TACACS+: Select TACACS+ radio button. Step 1 Click Change. Step 2 The Login Module Options popup window appears with the following details: Field Description Selected Login Module...
Page 80 Chapter 3 Configuring the Server Setting the Login Module to Non-ACS Field Description Debug Set to False. Set to True for debugging purposes, when requested by your customer service representative. Login fallback options Set the option for fallback to the CiscoWorks Local module if the alternative service fails.
Page 81: Understanding Fallback Options For Non-Acs Mode
Common Services uses. By default, the login module is set to local authentication and authorization. You can change this default value to use Cisco Secure ACS for user authentication and authorization. When you change login module to ACS ensure that: The CiscoWorks Server is added as an AAA client in the ACS server.
Page 82 Chapter 3 Configuring the Server Setting the Login Module to ACS To set login module to ACS: In the CiscoWorks Homepage, select Common Services > Server > Security > Step 1 AAA Mode Setup. The AAA Mode Setup page appears with the AAA Mode Setup dialog box. Select the ACS radio button.
Page 83 Chapter 3 Configuring the Server Setting the Login Module to ACS Restart the Daemon Manager: Step 7 On Windows: Enter net stop crmdmgtd Enter net start crmdmgtd On Solaris: Enter /etc/init.d/dmgtd stop Enter /etc/init.d/dmgtd start Select the Connect to ACS in HTTPS mode check box in the Login Module dialog box, if ACS is in HTTPS mode.
Page 84: Assigning Privileges In Acs
To assign the privileges to the user if ACS is configured to use group authentication: In Cisco Secure ACS, go to Group Setup. Step 1 Select the group to which the user belongs, from the Group drop-down list. Step 2 Click Edit Settings.
Page 85: Creating And Modifying Roles In Acs
Creating and Modifying Roles in ACS In ACS, you can create new roles or modify existing roles. To create a new role: Go to Cisco Secure ACS. Step 1 Select Shared Profile Components > CiscoWorks Common Services. The Step 2 Shared Profile Components page appears.
Page 86 • checklist tree are selected. Click Submit. Step 6 To edit an existing role: Go to Cisco Secure ACS. Step 1 Select Shared Profile Components > CiscoWorks Common Services. The Step 2 Shared Profile Components page appears. Select the role you need.
Page 87 Chapter 3 Configuring the Server Setting the Login Module to ACS To delete a role: Go to Cisco Secure ACS. Step 1 Select Shared Profile Components > CiscoWorks Common Services. Step 2 The Shared Profile Components page appears. Select the role you need to delete.
Page 88: Resetting Login Module
Chapter 3 Configuring the Server Setting the Login Module to ACS Resetting Login Module If there is an authorization failure with ACS server, most of the Common Services features will be disabled. To recover, you have to reset the login module. To do this: Stop the Daemon Manager using: Step 1...
Page 89: Understanding Fallback Options For Acs Mode
Chapter 3 Configuring the Server Setting the Login Module to ACS Understanding Fallback Options for ACS Mode Fallback option in ACS mode is different from Non-ACS mode. Here, fallback is provided only for authentication. If authentication with ACS fails, authentication is tried with CiscoWorks local mode.
Page 90: Managing Cisco.com Connection
Managing Cisco.com Connection Managing Cisco.com Connection Certain Software Center features require Cisco.com access. This means that CiscoWorks must be configured with a Cisco.com account which is to be used when downloading new and updated packages. Setting up Cisco.com User Account To set up Cisco.com login account:...
Page 91: Generating Reports
Chapter 3 Configuring the Server Generating Reports Generating Reports Common Services includes a Report Generator that provides detailed reports on log file status, roles and privileges, users currently logged in, and processes that are currently running. The following reports are available: Log File Status Report •...
Page 92: Permissions Report
Chapter 3 Configuring the Server Generating Reports Click Generate Report. Step 3 The Log File Status Report appears. The Log File Status Report appears with the following details: Item Description Log File Name of the log file. Location Location of the log file. File Size Current size of the log file.
Page 93: Users Logged In Report
Chapter 3 Configuring the Server Generating Reports Click Generate Report. Step 3 The Permissions Report appears. The Permissions Report appears with the following details: Item Description Last Run Time Last time the report was run. Duration Duration for which the report was run. Device Scanned Devices that were scanned.
Page 94: Process Status Report
Chapter 3 Configuring the Server Generating Reports Click Generate Report. Step 3 The Users Logged In report appears. The Users Logged In report appears with the following information: Item Descriptions Status Whether the user is online or offline. User Name User name Roles Shows the roles of the user.
Page 95: Viewing Audit Log Report
Chapter 3 Configuring the Server Generating Reports Click Generate Report. Step 3 The Process Status report is displayed. The Process Status Report appears with the following information: Item Description Process Name Name of the process. State Current state of the process. Process ID.
Page 96 Chapter 3 Configuring the Server Generating Reports Click an Audit Log file link to view the audit log details. Step 3 Audit log report in Non-ACS mode: Item Description Date Date on which the activity is carried out. Time Time at which the activity is carried out. User The user who performed the activity.
Page 97: Administering Common Services
Chapter 3 Configuring the Server Administering Common Services If you are using local authentication, the files are stored on the local server. If you are using ACS authentication, the files are stored on the ACS server and you can view them from within both ACS, and Common Services. In ACS, you can add additional fields to be logged in the Report.
Page 98: Using Daemon Manager
Chapter 3 Configuring the Server Using Daemon Manager Using Daemon Manager The Daemon Manager provides the following services: • Maintains the startup dependencies among processes. Starts and stops processes based on their dependency relationships. • Restarts processes if an abnormal termination is detected. •...
Page 99: Restarting Daemon Manager On Windows
Chapter 3 Configuring the Server Managing Processes Restarting Daemon Manager on Windows To restart Daemon Manager on Windows: Go to Command Prompt. Step 1 To stop the Daemon Manager, enter: Step 2 net stop CRMdmgtd To start the Daemon Manager, enter: Step 3 net start CRMdmgtd Do not start the Daemon Manager immediately after you stop it.
Page 100: Viewing Process Details
Chapter 3 Configuring the Server Managing Processes Viewing Process Details To view Process details: In the CiscoWorks Homepage, select Common Services > Server > Admin > Step 1 Process. The Process page appears. Click the Process link. Step 2 The Process Details popup window appears. The window provides information on the path, flags, startup, and dependencies.
Page 101: Stopping A Process
Chapter 3 Configuring the Server Backing Up Data Stopping a Process To stop a Process: In the CiscoWorks Homepage, select Common Services > Server > Admin > Step 1 Process. The Process page appears. Select the check box corresponding to the process. Step 2 Click Stop.
Page 102 Chapter 3 Configuring the Server Backing Up Data To schedule a backup: In the CiscoWorks Homepage, select Common Services > Server > Admin > Step 1 Backup. The Backup page appears. Enter the appropriate information in the following fields: Step 2 Field Description Backup Directory...
Page 103: Backing Up Using Cli
• Licence data • Core client Registry • System Identity Account configuration • Cisco.com User Configuration • Proxy User configuration • Database. Jobs and Resources data, DCR data, Groups data, and other data • stored in the database User Guide for CiscoWorks Common Services...
Page 104: Restoring Data
Chapter 3 Configuring the Server Restoring Data Restoring Data The new restore framework supports restore across versions. This enables you to restore data from versions 2.1, and 2.2, in addition to Common Services 3.0. The restore framework checks the version of the archive. If the archive is of current version, then the restore from current version is executed.
Page 105: Restoring Data On Unix
Chapter 3 Configuring the Server Restoring Data Restoring Data on UNIX To restore the data on UNIX: Log in as the superuser, and enter the root password. Step 1 Stop all processes by entering: Step 2 /etc/init.d/dmgtd stop Restore the database by entering: Step 3 $NMSROOT $NMSROOT...
Page 106: Restoring Data On Windows
Chapter 3 Configuring the Server Restoring Data Restoring Data on Windows To restore the data on Windows: Make sure you have the correct permissions. At the command line: Stop all processes by entering: Step 1 net stop crmdmgtd Restore the database by entering: Step 2 NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h]...
Page 107: Data Restored From Common Services 3.0 Backup Archive
ACS credentials. • System Identity Account configuration. • Cisco.com User Configuration. • Proxy User configuration. • Database. Jobs data, DCR data, Groups data, and other data stored in the •...
Page 108: Data Restored From Common Services 2.2 Backup Archive
Chapter 3 Configuring the Server Restoring Data Data Restored from Common Services 2.2 Backup Archive The following data will be restored from Common Services 2.2 backup archive: CiscoWorks user information. • Self Signed certificate (based on your confirmation). • Login Module settings. •...
Page 109: Effects Of Backup-Restore On Dcr
Chapter 3 Configuring the Server Effects of Backup-Restore on DCR Effects of Backup-Restore on DCR Data changes are a normal part of any restore from a backup. However, because Device and Credential Repository (DCR) is a distributed system with varying modes, it is also possible for any restored DCR to: Change modes.
Page 110 Chapter 3 Configuring the Server Effects of Backup-Restore on DCR Restoring data from S1 on S1 Suppose you take a backup from S1. After sometime, you restore the backed up data, say S1b, on S1. S1 will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1 is available.
Page 111 Chapter 3 Configuring the Server Effects of Backup-Restore on DCR Now, say you restore the backed up data M1b, on M1 itself. The Master M1 will now have data that is older than that in the Slaves, S1, and S2. In other words, the Slaves will be having more recent data than that on the Master.
Page 112: Master -Slave Configuration Prerequisites And Restore Operations
Chapter 3 Configuring the Server Effects of Backup-Restore on DCR Master -Slave Configuration Prerequisites and Restore Operations DCR Master Slave setup requires you to perform certain tasks prior to Master-Slave configuration, to enable proper, and secure communication between them. This involves copying certificates, and setting up a valid system identity user.
Page 113: Effects Of Backup-Restore On Groups
Chapter 3 Configuring the Server Effects of Backup-Restore on Groups Effects of Backup-Restore on Groups Backup- Restore operations have an implication on the way Groups will be displayed in the Common Services (CS) UI. The changes in Groups behavior is discussed in relation with the Device and Credential Repository (DCR) mode changes explained in the above section.
Page 114: Licensing Ciscoworks Applications
Chapter 3 Configuring the Server Licensing CiscoWorks Applications Restoring Data from S1 on M1 After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups pertaining to Common Services and Applications installed on the individual machines. Groups UI is enabled on S1. Also, the other slaves of M1 will switch to Standalone mode.
Page 115: Licensing The Application
Licensing CiscoWorks Applications If you are a registered user of Cisco.com, use this website: http://www.cisco.com/go/license If you are not a registered user of Cisco.com, use this website: http://www.cisco.com/go/license/public The product license will be sent to the e-mail address you provide during registration.
Page 116: Viewing License Information
Chapter 3 Configuring the Server Licensing CiscoWorks Applications Viewing License Information To view details of your current software license select Common Services > Server > Admin > Licensing. The License Information page appears. The license name, license version, size (device limit for the licensed application), status of the license, and the expiration date of the license appear under License Information.
Page 117: Collecting Server Information
Chapter 3 Configuring the Server Collecting Server Information Collecting Server Information This feature helps you to get information about the server. It provides system information, environment, configuration, logs, and web server information. This information can be used for trouble shooting. To collect server information: In the CiscoWorks Homepage, select Common Services >...
Page 118: Collecting Self Test Information
Chapter 3 Configuring the Server Collecting Self Test Information Collecting Self Test Information You can view self test reports using this option. Selftest feature helps to test certain basic functions of the server. Select Common Services > Server > Admin > Selftest. Step 1 Click Create to perform a self test and view the report.
Page 119: Managing Jobs
Chapter 3 Configuring the Server Managing Jobs Managing Jobs Common Services provides a Job Browser for managing jobs. From the Job browser you can view a listing of jobs, view details of each job, stop a job, and also delete a job from the list. Users in Help Desk, Approver, and Network Operator roles are not allowed to stop and delete jobs.
Page 120 Chapter 3 Configuring the Server Managing Jobs Item Description Job ID Unique number assigned to this task at creation time. This number is never reused. There are two formats: Job ID: • Identifies the task. This does not maintain a history.
Page 121 Chapter 3 Configuring the Server Managing Jobs Item Description Sched Type How often this job will run. This can be: Run immediately • • Run once Run on a calendar basis (periodic) • Run on a time-start basis • Run on a time-stop basis. •...
Page 122: Managing Resources
Chapter 3 Configuring the Server Managing Resources To stop a Job: In the CiscoWorks HomePage, select Common Services > Server > Admin > Step 1 Job Browser. The Job Browser page appears. Select the check box corresponding to the Job you want to stop. Step 2 Click Stop.
Page 123 Chapter 3 Configuring the Server Managing Resources To view Resource details: In the CiscoWorks Homepage, select Common Services > Server > Admin > Step 1 Resource Browser. The Resource Browser page displays the following details: Item Description Resource Name of the resource currently locked. Job ID / Owner Number assigned to this task at creation time.
Page 124: Maintaining Log Files
Chapter 3 Configuring the Server Maintaining Log Files Maintaining Log Files Log files can grow and fill up disk space. CiscoWorks includes a script that enables you to control this growth. Files maintained by this script include the following log files: Daemon manager •...
Page 125 Chapter 3 Configuring the Server Maintaining Log Files Perform log maintenance by entering: Step 4 $NMSROOT $NMSROOT /bin/perl /cgi-bin/admin/logBackup.pl destination directory [-force][-dir where $NMSROOT is the CiscoWorks installation directory, allows [-force] backup regardless of log file size, and destination directory specifies the [-dir full path of the destination directory.
Page 126: Maintaining Log Files On Windows
Chapter 3 Configuring the Server Maintaining Log Files Maintaining Log Files on Windows To maintain log files on Windows: Make sure the new location has sufficient disk space. Step 1 At the command line, make sure you have the correct permissions. Step 2 Stop all processes by entering: Step 3...
Page 127: Using Logrot
Chapter 3 Configuring the Server Maintaining Log Files Using Logrot The logrot utility helps you manage the log files in a better fashion. Logrot is a log rotation program that can: Rotate log when CiscoWorks is running. • Optionally archive and compress rotated logs. •...
Page 128: Running Logrot
Chapter 3 Configuring the Server Maintaining Log Files Specify the maximum file size. The log will not be rotated until this size is Step 5 reached. The unit is in kilobytes (KB). The default is 1024 KB or 1 MB. Step 6 Specify the file compression type to be used.
Page 129: Modifying System Preferences
Chapter 3 Configuring the Server Modifying System Preferences The following command line flags are accepted: options to get verbose messages. • option shuts down dmgtd before rotating logs. • The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is shutdown.
Page 130 Chapter 3 Configuring the Server Modifying System Preferences To edit system preferences, Select Common Services > Server > Admin > System Preferences. Step 1 The System Preferences dialog box appears. Step 2 Select one of the following tabs to enter information or to verify that the configured information is correct: HTTP Proxy •...
Page 131: Chapter 4 Managing Device And Credentials
Easier and faster access to device and credential data. • Secure data persistence, access and transport. • Rationalized and controlled replication, with less user-level data • reconciliation. Better integration with third-party and Cisco network-management • applications. User Guide for CiscoWorks Common Services 78-16571-01...
Page 132 Chapter 4 Managing Device and Credentials DCR also: Stores device attributes and credentials, permits dynamic creation of attribute • types, and permits default grouping and filtering. Supports proxy device attributes, unreachable devices, and pre-provisioning • of devices. Allows you to populate the repository via import from many sources, and to •...
Page 133 Normative name for the device type as described in Cisco’s Meta Data Framework (MDF) database. Each device type has a unique normative name defined in MDF. DCR Device ID Internally generated unique sequential number that identifies the device record in the DCR database.
Page 134 Chapter 4 Managing Device and Credentials Table 4-2 Credentials and Description (continued) Credential Description primary_enable_password Console-enabled password for the device. Allows you to make configuration changes and provides access to a larger set of commands. Without the enable password, users are restricted to read-only operations.
Page 135: Dcr Architecture
Chapter 4 Managing Device and Credentials DCR Architecture DCR supports Cisco Cluster Management Suites, Auto Update Servers and the managed devices using a mix of standard and additional attributes and credentials. • Clusters: All the attributes of the Cluster are the same as a normal DCR device.
Page 136: Master Dcr
Chapter 4 Managing Device and Credentials DCR Architecture Master DCR The Master DCR server refers to the master repository of device list and credential data. The Master hosts the authoritative, or a master-list of all devices and their credentials. All other DCRs in the same management domain which are running in Slave mode normally shares this list.
Page 137: Using The Device And Credential Admin
Chapter 4 Managing Device and Credentials Using the Device and Credential Admin Using the Device and Credential Admin Device and Credential Admin (DCA) helps you in: • Managing Devices Generating Reports in DCA • Managing Auto Update Servers • Administering Device and Credential Repository •...
Page 138: Adding Devices
Chapter 4 Managing Device and Credentials Managing Devices Adding Devices You can use this feature to add devices, device properties or attributes, and device credentials to the DCA. To add devices to the device list: In the CiscoWorks Homepage, select Common Services > Device and Step 1 Credentials >...
Page 139: Standard Type
DCR uses a device record to represent a Cluster. A Cluster can be added in the Standard Management option by selecting the Device Type field as Cisco Cluster Management Suite. DSBU Clusters added this way, can then be selected in...
Page 140: Auto Update Type
Chapter 4 Managing Device and Credentials Managing Devices Click Next. Step 6 The Standard UDF dialog box appears. Enter your choices for User Defined Fields and click Finish. Step 7 DCA provides the option to define four attribute fields for a device. These fields are used to store additional user-defined data for the device.
Page 141: Cluster Managed Type
The attribute fields that appear here can be changed at Device and Credentials > Admin> User Defined Fields. Cluster Managed Type DCR supports Cisco Clusters and their member devices using a mix of standard and additional attributes and credentials. To add devices and credentials using Cluster Managed type: Select the Cluster Managed radio button.
Page 142: Deleting Devices
Chapter 4 Managing Device and Credentials Managing Devices Click Add to List. Step 3 The device is added to the Added Device List in the window. To remove a device from the Device List select the device and click Remove from List. Click Next.
Page 143: Editing Device Credentials
Chapter 4 Managing Device and Credentials Managing Devices Editing Device Credentials You can edit device information using this feature. To edit device information: In the CiscoWorks Homepage, select Common Services > Device and Step 1 Credentials > Device Management. The Device Management page appears. Select one or more devices from the Device Summary List and click Edit.
Page 144: Importing Devices And Credentials
Chapter 4 Managing Device and Credentials Managing Devices If in Step 2, devices belonging to different device management types are selected, the changes made will apply only to devices of the appropriate type. That is, if a standard-device credential is changed, only the standard devices selected in Step 2 are affected.
Page 145: Import Using Dca Interface
Chapter 4 Managing Device and Credentials Managing Devices Import Using DCA Interface To import devices using DCA Interface: Step 1 In the CiscoWorks Homepage, select Common Services > Device and Credentials > Device Management. The Device Management page appears. Click Bulk Import. Step 2 The Import Devices popup window appears.
Page 146 Chapter 4 Managing Device and Credentials Managing Devices Schedule the task. To do this: Step 4 Select the RunType from the drop-down list. You can schedule importing the devices immediately or schedule the import for a later time. The scheduling can be periodic (daily, weekly, or monthly) or for a single instance.
Page 147 Chapter 4 Managing Device and Credentials Managing Devices Importing From Remote NMS You should have permissions to log into the remote network management system (NMS), without a password. Common Services uses remote login to log into the Server and get device details. The rhosts file should be modified to enable you to login without a password.
Page 148: Exporting Devices And Credentials
Chapter 4 Managing Device and Credentials Managing Devices Exporting Devices and Credentials You can use this feature to export a list of device and their credentials into a file. The device list can be obtained from the device selector, or from a CSV file. You can edit the Export Format file located at NMSROOT\objects\dcrimpexp\conf\Export_Format_CSV.xml or Export_Format_XML.xml to specify the credentials you need to export.
Page 149: Export Using Dca Interface
Chapter 4 Managing Device and Credentials Managing Devices Export Using DCA Interface To export device credentials using DCA Interface: Step 1 In the CiscoWorks Homepage, select Common Services > Device and Credentials > Device Management. The Device Management page appears. Click Export.
Page 150 Chapter 4 Managing Device and Credentials Managing Devices From the Device Selector, select the devices for which you need to export Step 3 credentials. Step 4 Schedule the task. To do this: Select the RunType from the drop-down list. You can schedule export immediately or schedule the export for a later time. The scheduling can be periodic (daily, weekly, or monthly) or for a single instance.
Page 151: Excluding Devices
Click Apply to upload the file. Step 4 A Sample CSV Exclude File ; This file is generated by DCR Export utility Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0 ;Start of section 0 - Basic Credentials ;HEADER: management_ip_address,host_name,domain_name,device_identity,display_na...
Page 152: Viewing Devices List
Chapter 4 Managing Device and Credentials Managing Devices ,,,AUSID1 ,Dev2Hostname,cisco.com, ;Start of section 2 - AUS managed; ;HEADER: aus_device_identity,parent_aus_id ;End of CSV file Viewing Devices List You can view the devices in the Device List Report using this feature. To view devices in the Device List Report: In the CiscoWorks Homepage, select Common Services >...
Page 153: Generating Reports In Dca
Chapter 4 Managing Device and Credentials Generating Reports in DCA Generating Reports in DCA You can use this feature to generate and view Device and Credential Admin reports. To generate reports: In the CiscoWorks Homepage, select Common Services > Step 1 Device and Credentials >...
Page 154: Managing Auto Update Servers
Chapter 4 Managing Device and Credentials Managing Auto Update Servers Managing Auto Update Servers Auto Update Servers have the following credentials: • Auto Update Server URL Username • Password • Auto Update Server management feature helps you in: Adding Auto Update Server •...
Page 155: Editing Auto Update Server
Chapter 4 Managing Device and Credentials Managing Auto Update Servers Editing Auto Update Server To edit Auto Update Server: In the CiscoWorks Homepage, select Common Services > Device and Step 1 Credentials > Auto Update Server Management. The Auto Update Server Management page appears. Select the device you want to edit from the list and click Edit.
Page 156: Administering Device And Credential Repository
Chapter 4 Managing Device and Credentials Administering Device and Credential Repository Administering Device and Credential Repository The DCA Admin feature allows you to do the following tasks: • Changing DCR Mode Adding User-defined Fields • Renaming User-defined Fields • Deleting User-defined Fields •...
Page 157: Master-Slave Configuration Prerequisites
Chapter 4 Managing Device and Credentials Administering Device and Credential Repository Master-Slave Configuration Prerequisites Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure communication takes place between the Master and Slave. If machine M is to be the Master and S is to be the Slave: In M add a Peer Server User and password.
Page 158: Changing The Mode To Master
Chapter 4 Managing Device and Credentials Administering Device and Credential Repository Changing the Mode to Master Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place. Select the Master radio button. Step 1 Click Apply to change mode. Step 2 Changing the Mode to Slave Before you change the mode to Slave, ensure that...
Page 159: Adding User-Defined Fields
Chapter 4 Managing Device and Credentials Administering Device and Credential Repository Changing the hostname of a Master Changing the hostname of a Master is equivalent to pointing Slaves to a new Master. When you point a Slave/Standalone to a new Master, DCR checks whether the new Master has the same Domain ID as the current machine.
Page 160: Renaming User-Defined Fields
Chapter 4 Managing Device and Credentials Administering Device and Credential Repository Enter the field label and description in the corresponding fields. Step 4 Click Apply to add the User-defined Field. Step 5 Renaming User-defined Fields To rename a user-defined field: In the CiscoWorks Homepage, select Common Services >...
Page 161: Deleting User-Defined Fields
; This file is generated by the export utility ; If you edit this file, be sure you know what you are doing Cisco Systems NM data import, source = export utility; Version = 2.0; Type = Csv ; Here are the columns of the table.
Page 162: A Sample Csv 3.0 File
; Here are the rows of data. 172.20.118.156,public,,FHH080600dg,,,,,,,,,,,,,,, 172.20.118.150,public,,FHH0743W022,,,,,,,,,,,,,,, A Sample CSV 3.0 File ; This file is generated by DCR Export utility Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0 ;Start of section 0 - Basic Credentials ;HEADER: management_ip_address,host_name,domain_name,device_identity,display_na...
Page 163: Sample Csv 3.0 File For Auto Update Server Managed Devices
Managing Device and Credentials Sample CSV File Sample CSV 3.0 File for Auto Update Server Managed Devices ; This file is generated by DCR Export utility Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0 ;Start of section 0 - Basic Credentials ;HEADER:...
Page 164: Sample Csv 3.0 File For Cluster Managed Devices
Managing Device and Credentials Sample CSV File Sample CSV 3.0 File for Cluster Managed Devices ; This file is generated by DCR Export utility Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0 ;Start of section 0 - Basic Credentials ;HEADER:...
Page 165: Mapping Csv 2.0 To Csv 3.0 Fields
Chapter 4 Managing Device and Credentials Sample CSV File Mapping CSV 2.0 to CSV 3.0 Fields The following table provides a mapping between the fields in CSV 2.0 and CSV 3.0: CSV 2.0 CSV 3.0 Name (including domain or host_name and display_name simply an IP) RO community string snmp_v2_ro_comm_string...
Page 166: Sample Xml File
Enable Password, and Enable Secret). Sample XML File Sample XML File (Standard) 10.77.202.40 Switch6009 cisco.com Switch2 1.3.6.1.4.1.9.1.281 0 268438100 public private lab...
Page 167: Sample Xml File For Auto Update Server Managed Devices
Credentials and Description. Sample XML File for Auto Update Server Managed Devices 1.1.1.1 ons_host1 cisco.com AUS_ID ONS1 1.3.6.1.4.1.9.1.406 0 273612892 admin...
Page 168: Sample Xml File For Cluster Managed Devices
Sample XML File for Cluster Managed Devices 1.1.1.1 ons_dev_1 cisco.com ONS1 1.3.6.1.4.1.9.1.406 0 273612892 1 display_name=cluster1 ...
Page 169: Using Dcr Features Through Cli
Enter either the IP address (ip), Hostname (hn), or Device Identity (di). Enter the Display Name (dn) and the Attribute name (-a attname). The attribute sysObjectID is mandatory. You can add multiple attributes. For example, add ip=1.1.1.1 hn=device1 dn=cisco.com -a sysObjectID=1.3.6.1.4.1.9.1.6 Deleting Devices Using dcrcli...
Page 170: Editing Devices Using Dcrcli
Enter either the IP Address (ip), Hostname (hn), or Device Identity (di). Enter the Display Name (dn) and the Attribute name (-a attname). You can add multiple attributes. For example, mod id=54341 ip=2.2.2.2 dn=cisco.com -a display_name=new_name Listing the Attributes To view the list of all attributes: Enter NMSROOT -u username.
Page 171: Viewing The Current Dcr Mode Using Dcrcli
Chapter 4 Managing Device and Credentials Using DCR Features Through CLI Viewing the Current DCR Mode Using dcrcli To view the current DCR mode: Enter NMSROOT -u username. Step 1 /bin/dcrcli Enter the password corresponding to the username Step 2 Enter Step 3 lsmode...
Page 172: Changing Dcr Mode Using Dcrcli
Chapter 4 Managing Device and Credentials Using DCR Features Through CLI Changing DCR Mode Using dcrcli To change mode to Master: Enter NMSROOT -u username. Step 1 /bin/dcrcli Enter the password corresponding to the username Step 2 Enter Step 3 setmaster The DCR mode gets changed to Master.
Page 173: Import Using Cli
Chapter 4 Managing Device and Credentials Using DCR Features Through CLI Import Using CLI You can import using the Command Line Interface. Enter NMSROOT -u username. Step 1 /bin/dcrcli Enter the password corresponding to the user name. Step 2 To Import from file: •...
Page 174: Export Using Cli
Chapter 4 Managing Device and Credentials Using DCR Features Through CLI To import from ACS: • Enter OS Type ACS Server Name or IP address ACS admin ImpACS ot= user name ACS admin password port number pwd= prt= ot— Operating System Type hn —...
Page 175: Implications Of Acs Login Module On Dcr
Chapter 4 Managing Device and Credentials Implications of ACS Login Module on DCR Implications of ACS Login Module on DCR When Common Services is in ACS mode, you can perform operations in Device and Credential Repository (DCR) based on role assignment in ACS. Setting the Login Module to ACS for details on ACS login module.
Page 176 DCR device-selector. This needs to be assigned for all tasks which require device selection. View Devices task is necessary for seeing AUS or Cisco Cluster in Add wizard. Edit View Devices task is necessary to see a device's details in Edit wizard.
Page 177: Chapter 5 Administering Groups
C H A P T E R Administering Groups The Groups feature in Common Services helps you to group devices managed by CiscoWorks applications. It helps in creating, managing, and sharing groups of devices. The groups created using this feature are shared across applications. The groups created in applications can also be viewed from Common Services too.
Page 178: Group Concept
Chapter 5 Administering Groups Group Concept Basic Concepts: Group Class: • Representation of a set of devices belonging to DCR. • Group Object: Device in a group class. Each device in the group will have a set of attributes stored in DCR. Associated with every device is a unique and immutable device ID.
Page 179: Dynamic Group
Chapter 5 Administering Groups Group Concept Dynamic Group A dynamic group is a group for which the membership list is always up-to-date. Whenever you view a dynamic group, it always displays the latest group membership list. Static Group A static group is a group for which the membership is refreshed only when you explicitly request it.
Page 180: Common Groups And Shared Groups
Chapter 5 Administering Groups Group Concept These pre-defined groups come under the Provider group (or the root group), which, by default, is of the format CS@hostname. This Provider group is the parent of all Common Services groups found in the server. You can change the Provider group name by changing the CiscoWorks Home Page Server Name.
Page 181 Chapter 5 Administering Groups Group Concept The group CS@hostname is the local group. The groups RME@hostname and Campus@hostname are shared groups. If you invoke the Groups UI from RME, you will find three provider groups: CS@hostname • RME@hostname • Campus@hostname •...
Page 182: Secure Views
Chapter 5 Administering Groups Secure Views In the Group Selector pane in the Group Administration page, you can see: CS@bundle-pc3 • Campus@bundle-pc3 • RME@bundle-pc3 • DFM@bundle-pc • Here, CS@bundle-pc3 is the local group, and the rest are shared groups. Secure Views Secure Views allow access to devices of a group to be restricted.
Page 183: Groups In A Single-Server Setup
Chapter 5 Administering Groups Groups in a Single-Server Setup Groups in a Single-Server Setup The devices you see in the Group Administration UI in applications depends on whether the devices are being managed by that particular application or not. For example, if we have Common Services, Campus Manager, and RME installed on a server.
Page 184 Chapter 5 Administering Groups Groups in Multi-Server Setup But, in the Master server, if you create a subgroup under application@master hostname, it will always appear under application@\master hostname\, in the Slave. That is, the subgroup created in the Master appear under the application's shared group in the Slave.
Page 185 Chapter 5 Administering Groups Groups in Multi-Server Setup Note that the machine bundle-pc12 is the Master, and the machine bundle-sun280r1 is the Slave, in the figure. In the CS groups UI you can see: CS@bundle-pc12 (The local CS group of the Master) •...
Page 186: Dcr Mode Changes And Group Behavior
Chapter 5 Administering Groups DCR Mode Changes and Group behavior You can see: CS@bundle-sun280r1 (The local CS group of the Slave) • RME@bundle-pc12 (Application group pertaining to the Master) • RME@bundle-sun280r1 (Application group pertaining to the Slave) • Say you create a sub group under CS@master hostname. In S, you can see this subgroup under CS@slave hostname.
Page 187 Chapter 5 Administering Groups DCR Mode Changes and Group behavior Table 5-1 DCR Mode Changes and Group Behavior Mode Changed to: The initial Standalone Slave Master mode Standalone Not applicable. Master will get all the No change in the Group Slave groups.
Page 188 Chapter 5 Administering Groups DCR Mode Changes and Group behavior Table 5-1 DCR Mode Changes and Group Behavior (continued) Mode Changed to: The initial Standalone Slave Master mode Slave Groups UI gets enabled. The Not applicable. Groups UI gets enabled. groups pertaining to Master and Groups pertaining to the Slaves will be removed.
Page 189: Unregistering A Slave
Chapter 5 Administering Groups Unregistering a Slave Unregistering a Slave The Unregister Slave utility helps you unregister a Slave which is no longer part of the domain. The utility is useful in the following scenarios: Change in Slave’s mode due to backup and restore. That is, if data is restored •...
Page 190: Group Administration
Chapter 5 Administering Groups Group Administration Group Administration The Group Administration and Configuration UI helps you to create, manage, view, and delete groups. Group Administration UI will be enabled only on servers in which DCR is in Note Master or Standalone mode. The groups created in DCR master will be copied to Group Administration instances on servers where DCR is in Slave mode.
Page 191: Specifying Group Properties
Chapter 5 Administering Groups Group Administration From the groups listed in Group Selector, select the group under which you want Step 2 to create the new group. The group you select here is the parent group for the new group you are about to create.
Page 192 Chapter 5 Administering Groups Group Administration For example, if you have a group /CS@servername/User Defined Groups/MyView, you cannot create another group with the same name “MyView” under /CS@servername/User Defined Groups. Click Select Group, if you want to copy attributes of an existing group. Step 3 The Replicate Attributes dialog box appears.
Page 193: Defining Group Rules
Chapter 5 Administering Groups Group Administration Defining Group Rules In the Rules:Create dialog box, you can define the rules for the group. The rules you define in this phase determine the contents of the group. The rules you specify here determine the devices to be included in the group. If you have created the group copying the attributes of another group, the rules specified for that group appears in the Rule Text field.
Page 194: Assigning Group Membership
Chapter 5 Administering Groups Group Administration The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression. You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field. The OR, AND, EXCLUDE drop down list appears only when there is at least one rule expression in the text area.
Page 195: Removing Devices
Chapter 5 Administering Groups Group Administration Removing Devices To remove devices from the group: Step 1 Select one more devices in Object Matching Membership Criteria column. To select multiple devices, hold the Ctrl or Shift keys down and click. Click Remove. Step 2 The selected devices are removed from the Object Matching Membership Criteria column and added to Available Objects From Parent Group.
Page 196: Modifying Group Details
Chapter 5 Administering Groups Group Administration Click Details. Step 3 The Group Administration wizard displays the details of the group in Properties:Details window. Click View Parent Rules to display the rules set for the parent group. • The rules set for the parent group are displayed in the Show Parent Rules window.
Page 197 Chapter 5 Administering Groups Group Administration Change the Group Name, Description, Membership Update, and Visibility Scope Step 4 in the Properties:Edit dialog box. You cannot change the parent group or copy attributes from a different group in Edit mode. Step 5 Click Next.
Page 198: Refreshing Groups
Chapter 5 Administering Groups Group Administration Refreshing Groups You can recompute the membership of a group by re-evaluating the group's rule. The membership of Automatic groups is recomputed dynamically. The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with this option. To refresh a group: In the CiscoWorks Homepage, select Common Services >...
Page 199: System Defined And User Defined Attributes
Chapter 5 Administering Groups System Defined and User Defined Attributes Click Delete. Step 3 The Group Administration and Configuration dialog box prompts you for confirmation. Click Yes. Step 4 The selected group is deleted. System Defined and User Defined Attributes The following table provides details on the System Defined attributes that are available in Common Services.
Page 200 Routers MDFId Normative name for the device type as described in Cisco’s Meta Data Framework (MDF) database. Each device type has a unique normative name defined in MDF. The User Defined Fields available in the Variable drop-down list is taken from DCR.
Page 201: Chapter 6 Using Device Center
C H A P T E R Using Device Center Device Center provides a one stop place where you can see a summary for a device, and launch troubleshooting tools, management tasks, and reports for the selected device. Since Device Center is based on a device-centric navigation paradigm, it helps you to concentrate on device centric features and information from a single location.
Page 202: Launching Device Center
Chapter 6 Using Device Center Launching Device Center The following sections of this chapter provide information on: Launching Device Center • Invoking Device Center • Using Device Center Functions • Launching Device Center You can launch Device Center using any of the following options: From CiscoWorks Homepage.
Page 203: Invoking Device Center
Chapter 6 Using Device Center Invoking Device Center Invoking Device Center To invoke Device Center: Step 1 Select CiscoWorks Homepage > Device Troubleshooting > Device Center. The Device Center page appears with the Device Selector on the left pane and Device Center overview information on the right pane.
Page 204: Device Selector
Chapter 6 Using Device Center Using Device Center Functions Device Selector Device Selector displays the list of devices managed by applications installed on Common Services. Device Selector populates the devices for device selection in Device Center. The devices shown in the Device Selector are those managed locally by applications that are installed in local server have some information that can be shown in Device Center.
Page 205: Management Functions
Chapter 6 Using Device Center Enabling Debugging Tools Management Functions The Management Functions dialog box in the Device Center Functions Available page helps you to get the list of Debugging Tools, the list of Reports, and the list of Management Tasks on a selected device. You can launch the management functions (Tools, Tasks, Reports) by: Selecting a device from device selector.
Page 206: Checking Device Connectivity
Chapter 6 Using Device Center Enabling Debugging Tools Checking Device Connectivity To troubleshoot problems with un-managed or non-responding devices, you can check the device connectivity by protocol. The Management Station to Device tool helps you diagnose Layer 4 (application) connectivity problems. Layer 4 tests include the key services Essentials needs to manage network devices: debugging and measurement tools (UDP and TCP), the web server (HTTP), file transfer (TFTP), the terminal (Telnet), and read-write access...
Page 207 Chapter 6 Using Device Center Enabling Debugging Tools SNMP (service test, port 161) • Sends an snmp get request to the destination device for an SNMP read test (SNMPR). It also sends an snmp set request to the device to test SNMP write (SNMPW).
Page 208: Using Ping
Chapter 6 Using Device Center Enabling Debugging Tools If you select SNMP v3, enter the following. The Read User name. • The Read Auth PassPhrase. • The Read Auth Protocol. Select MD5 or SHA from the drop-down list. • The Write Username. •...
Page 209: Using Traceroute
Chapter 6 Using Device Center Enabling Debugging Tools Using Traceroute Use the Traceroute tool to detect routing errors between the network management station and the target device. Traceroute helps you understand why ping fails or why applications time out. It does this by diagnosing TCP/IP Layer 3 (transport) problems.
Page 210 Chapter 6 Using Device Center Enabling Debugging Tools From the Functions Available pane, click SNMP Walk. Step 3 The SNMP Walk dialog box appears. Enter the IP address or DNS name. Step 4 For SNMP Version 1 and 2c (if it is a 64-bit counter, use SNMP v2): Step 5 Enter the Read community string.
Page 211: Using Snmp Set
Chapter 6 Using Device Center Enabling Debugging Tools Using SNMP Set You can use this option to set an SNMP object or multiple objects on a device for controlling the device. You should have System Administrator privileges to use this feature. Select Device Troubleshooting >...
Page 212: Using Packet Capture
Chapter 6 Using Device Center Enabling Debugging Tools Select the Object Type from the drop-down list. • Enter a new value. This will depend on the Object Type you specify • Enter the SNMP Timeout. The default is 10 seconds. •...
Page 213: Creating A New Packet Capture File
Chapter 6 Using Device Center Enabling Debugging Tools From the Functions Available pane, click Packet Capture. Step 3 The Packet Capture dialog box appears. A list of archived capture files is displayed. If no capture files are archived, then this screen will indicate that there are no records. Creating a New Packet Capture File Click Create in the Packet Capture dialog box.
Page 214 Chapter 6 Using Device Center Enabling Debugging Tools Select the protocols, TCP, UDP, or ICMP. Step 3 Then, if required, fill in the list of ports to capture for TCP and UDP. The Port(s) field accepts one or more TCP or UDP ports, separated by a single space. If you specify port but not the address, it provides an output for that port for all the active devices.
Page 215: Editing Device Credentials
Chapter 6 Using Device Center Displaying Reports Editing Device Credentials You can edit device information for the selected device, using this feature. You can select a device from the list-tree or enter the IP address or device name, and click Go. The Edit Device Credential link launches the Edit Credentials dialog box (Device and Credentials >...
Page 216 Chapter 6 Using Device Center Performing Management Tasks User Guide for CiscoWorks Common Services 6-16 78-16571-01...
Page 217: Chapter 7 Working With Software Center
Software Center allows you to look for software and device updates from Cisco.com, and download them to a server location. You can install the updates from this location. In the case of device updates, Software Center helps you to install the updates using a web based user interface, wherever possible.
Page 218: Performing Software Updates
Chapter 7 Working With Software Center Performing Software Updates Software Center helps in: Performing Software Updates • Performing Device Update • Scheduling Device Package Downloads • Viewing Activity Logs • Performing Software Updates The Software Updates link under Software Center takes you to the Software Updates page.
Page 219 Chapter 7 Working With Software Center Performing Software Updates Enter the location, or browse to the location using the Browse tab, then click Step 4 Next. The destination location should not be the location where CiscoWorks is installed. The Summary window shows a summary of your inputs. Step 5 Click Finish to confirm the download operation.
Page 220: Performing Device Update
Select the check box corresponding to the product for which you want to check Step 2 for updates, then click Check for Updates. The Source Location page appears. You can check for updates at Cisco.com or at a Server. Select the Cisco.com radio button to check for updates at Cisco.com.
Page 221 • installed version). Readme Details—Links to the Readme files associated with the update. • Posted date—Date on which the update was posted on Cisco.com. • Size—Size of the update. • Select the check box corresponding to the package that you wish to update, then Step 5 click Next.
Page 222: Deleting Packages
Chapter 7 Working With Software Center Performing Device Update If you choose any of the options other than Immediate, set the date and time. Select the date from the date picker. • Specify the time from the drop-down lists. • In the Job Description field, enter a description for the download job.
Page 223: Scheduling Device Package Downloads
Download newer versions of currently installed packages. • Download the specified packages (comma separated). • You have to provide your Cisco.com credentials and the location to which the packages should be downloaded. To schedule downloads: In the CiscoWorks Homepage, select Common Services > Software Center >...
Page 224 Chapter 7 Working With Software Center Scheduling Device Package Downloads Select the radio button corresponding to the download policy you require. Step 4 To set the frequency of downloads, select the run type from the Run Type drop-down list. The options are: Immediate •...
Page 225: Viewing Activity Logs
Chapter 7 Working With Software Center Viewing Activity Logs Viewing Activity Logs Activity Log logs the jobs in Scheduled Downloads and Device Updates. It displays the activities that are carried out using Software Center. In the CiscoWorks Homepage, select Common Services > Software Center > Activity Log.
Page 226 Chapter 7 Working With Software Center Viewing Activity Logs User Guide for CiscoWorks Common Services 7-10 78-16571-01...
Page 227: Chapter 8 Diagnosing Problems With Ciscoworks Server
C H A P T E R Diagnosing Problems With CiscoWorks Server Use these tools and suggestions to diagnose problems with the CiscoWorks server: Verifying Server Status • Testing Device Connectivity • Troubleshooting the CiscoWorks Server • • Troubleshooting Suggestions Verifying Server Status There are several tools that enable you to gather and analyze information about your CiscoWorks Server.
Page 228 Chapter 8 Diagnosing Problems With CiscoWorks Server Verifying Server Status Table 8-1 Server Status (continued) Task Purpose Action All Users Check process status. Checks whether back-end Select processes are in an interim Server > Admin > Processes. state. Collect server Provides system information, Select information.
Page 229 Chapter 8 Diagnosing Problems With CiscoWorks Server Verifying Server Status Table 8-1 Server Status (continued) Task Purpose Action MDC Support The MDC Support utility For Windows go to, collects log files, configuration NMSROOT\MDC\bin and execute the settings, memory info, command: complete system related info, MDCSupport.exe process status and host...
Page 230: Testing Device Connectivity
Chapter 8 Diagnosing Problems With CiscoWorks Server Testing Device Connectivity Table 8-1 Server Status (continued) Task Purpose Action MDCSupport If \etc directory is full, or if you want to (Continued) preserve the data collected previously by not over writing the tar file, you may create another directory by running the following command: Directory...
Page 231 Chapter 8 Diagnosing Problems With CiscoWorks Server Testing Device Connectivity Table 8-2 Connectivity Tools Tasks Task Purpose Action Traceroute. Detects routing errors between the Select network management station and a Device Center > Tools > Traceroute. target device. “Using Traceroute” section on page 6-9, for details.
Page 232: Troubleshooting The Ciscoworks Server
This section provides information on frequently asked questions (FAQs) and suggestions for troubleshooting the CiscoWorks Server components. If the suggestions do not resolve the error, check the Release Notes supporting your platform for possible workarounds, or contact the Cisco TAC or your customer support. Frequently Asked Questions When I connect to the CiscoWorks Server in the secure mode (HTTPS) using •...
Page 233 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions How do I change the port for osagent in Windows? • How do I change port for osagent in Solaris? • How do I change the ESS port in Solaris? •...
Page 234 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions When I connect to the CiscoWorks Server in the secure mode (HTTPS) using Netscape Navigator, the browser returns I/O errors and displays the message . Why does this Netscape has encountered bad data from the server happen? This problem occurs when you: Create a new server certificate using the same hostname...
Page 235 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions When I invoke CiscoWorks, I'm unable to get to the login page directly. Instead, I'm facing a security alert related to the site's security certificate. It asks for my input to proceed further. Why? CiscoWorks does not have any control over this behavior.
Page 236 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions My server certificate for CiscoWorks has expired. What should I do? If you are using a self-signed certificate, you can create a new certificate using the Create Self Signed Certificate option. For more information, see “Creating Self Signed Certificate”...
Page 237 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Why do some CiscoWorks applications not appear in the product? The CiscoWorks Server represents a common set of management services which are shared by multiple network management applications. These services are enabled when a suite is installed and an application that relies on a particular service enables it.
Page 238 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Table 8-3 Sample Backup Directory (continued) Directory Path Description Usage Notes /tmp/1/cmf/filebacku CiscoWorks Server Application data is stored in p.tar application tar files the datafiles.txt which are compiled into the tar file. /tmp/1/cmf/database CiscoWorks Server Includes files for each database directory...
Page 239 Click the Product Database Status link to get detailed database status. Step 5 Contact the Cisco TAC or your customer support to get the information you need Step 6 to access the database and find out details about the problem. After you have the required information, perform the following tasks for detecting and fixing database errors.
Page 240 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Make sure no database processes are running and there is no database log file. For Step 3 example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is /opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly.
Page 241 Step 1 In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE Step 2 > Cisco > Resource Manager > Current Version > Daemon > RmeOrb Change the value of Args from to an unused port number, for example Step 3 -p 42342 -p 44444.
Page 242 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Change the value of OSAGENT_PORT and PX_OSA_PORT from Step 7 42342 to 44444. Step 8 Open the file NMSROOT\lib\classpath\md.properties, in any plain text editor, such as Notepad. Step 9 Change the value of OSAGENT_PORT and PX_OSA_PORT from 42342 to 44444.
Page 243 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Edit the file dmgtd.conf using a text editor. Step 6 Change the line: RmeOrb y - $NMSROOT/lib/vbroker/bin/osagent -p 42342 to RmeOrb y - $NMSROOT/lib/vbroker/bin/osagent -p 44444 Change the port number for RmeGatekeeper from: RmeGatekeeper y RmeOrb $NMSROOT/lib/vbroker/bin/rungk.sh 42342 RmeGatekeeper y RmeOrb $NMSROOT/lib/vbroker/bin/rungk.sh 44444 Open the file /etc/services in a plain text editor such as vi.
Page 244 To do this: Back up your Windows registry. Step 1 In the Registry Editor, navigate to HKEY_LOCAL_MACHINE >SOFTWARE Step 2 > Cisco > Resource Manager > Current Version > Daemon > ESS Change the value of Args from Step 3 NMSROOT -store \objects\ess\conf\rvrd.conf -logfile...
Page 245 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions I have configured the Active Directory Login Module but it does not work. How can I analyze the problem? To analyze the problem, enable the Debug mode for the Active Directory Login module.
Page 246 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions How do I change the IP Address of the CiscoWorks Server after installing it, or after running it for a while? You can change the IP address on the server, and then access it using the new IP address.
Page 247 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions How do I change the Hostname of the CiscoWorks Server after installing it, or after running it for a while? To change the hostname of the CiscoWorks Server, you need to update several files, and reboot the server: Change the hostname at My Computer >...
Page 248 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Delete gatekeeper.ior file: Step 6 Windows—NMSROOT\www\classpath Solaris—/opt/CSCOpx/www/classpath Reboot the Machine. Step 7 If the hostname of the machine changes, the stability of the system is not guaranteed and it fails in some cases. See Release Notes for CiscoWorks Common Services for details.
Page 249 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions How to verify which version of SSH is running on my system? You can verify the SSH version that is running on your system using the commands: From the Command Line Interface, enter: show ip ssh show ssh Is it possible to have both CiscoWorks and ACS on the same machine?
Page 250 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Confirm the password. Step 3 You must know the password policy. If the password entered does not Note match the password policy, it exits. How do I change the CiscoWorks user password? You can change the CiscoWorks user password using the CiscoWorks user password recovery utility.
Page 251 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions How do I enable/disable ACS Communication on HTTPS from CLI? To enable/disable ACS communication on HTTPS: Enter $NMSROOT NMSROOT Step 1 /bin/perl $ /bin/camssl.pl The following message is displayed: Usage:camssl.pl -enable | -disable To enable ACS communication on HTTPS: •...
Page 252 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions If you run this command without any command line parameter, CiscoWorks displays: *** CiscoWorks Webserver port change utility *** Usage: changeport [-s] [-f] where port number—The new port number that should be used —Changes the SSL port instead of the default HTTP port —Forces port change even if Daemon Manager detection FAILS.
Page 253 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions The main process which runs as root monitors the child processes. It does not accept any HTTP requests. Owing to this, Apache ensures that a root process is not exposed to the external world and thus ensures security. If you do not want CiscoWorks processes to run as root, do not use the ports •...
Page 254 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions The change port utility displays messages to the console during execution. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log This file is saved to the directory: /var/adm/CSCOpx/log/changeport.log This file contains the date and time stamps to indicate when the log entries were...
Page 255 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions For example, you can enter: —to change the CiscoWorks web server HTTP port to use 1744. changeport 1744 port number —Changes the CiscoWorks web server HTTPS port changeport to use the specified port number. If you change the port after installation, CiscoWorks will not launch from Start Note menu (Start >...
Page 256 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions A sample backup may be similar to: [drive:] `--\Program Files `--\CSCOpx `--\conf `--\backup |--README.txt (Notes the purpose of this dir as it is initially empty) `--\skc03._Ciscobak (Autogenerated unique backup directory). |--index.txt (The backup file list) |--httpd.conf...
Page 257 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions Ho do I increase Tomcat heap size? To increase Tomcat heap size: Stop Daemon Manager. Step 1 • On Solaris: /etc/init.d/dmgtd stop On Windows: • net stop CRMdmgtd Run $NMSROOT $NMSROOT/ max heap Step 2...
Page 258 Chapter 8 Diagnosing Problems With CiscoWorks Server Frequently Asked Questions How do I enable debugging in MICE? To enable debugging in MICE: Go to NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml. Step 1 You have to edit the following section of the file: DEBUG false mice debug enabling...
Page 259: Troubleshooting Suggestions
Chapter 8 Diagnosing Problems With CiscoWorks Server Troubleshooting Suggestions Troubleshooting Suggestions Use the suggestions in Table 8-4 to resolve errors or other problems with the CiscoWorks Server. Table 8-4 Troubleshooting Suggestions Symptom Probable Cause Possible Solutions Incompatible browser Verify that you have Accept all cookies enabled. Authorization causing cookie failure Refer to the installation documentation for...
Page 260 Chapter 8 Diagnosing Problems With CiscoWorks Server Troubleshooting Suggestions Table 8-4 Troubleshooting Suggestions (continued) Symptom Probable Cause Possible Solutions Error message in the Device is not SSH Check whether the device is up or not. logfile: enabled or the server is Connection Try connecting to the device with a commercial not authorized to...
Page 261 Chapter 8 Diagnosing Problems With CiscoWorks Server Troubleshooting Suggestions Table 8-4 Troubleshooting Suggestions (continued) Symptom Probable Cause Possible Solutions After installation, while Found Non-SSL Disable SSL from CLI and then start the daemon starting the daemon compliant products manager. manager, the following that do not function in error message is SSL enabled mode.
Page 262 Chapter 8 Diagnosing Problems With CiscoWorks Server Troubleshooting Suggestions User Guide for CiscoWorks Common Services 8-36 78-16571-01...
Page 263: Appendix
A P P E N D I X Understanding CiscoWorks Security The CiscoWorks Server provides some of the security controls necessary for a web-based network management system. It also relies heavily on the end user’s own security measures and controls to provide a secure computing environment for CiscoWorks applications.
Page 264: General Security
Appendix A Understanding CiscoWorks Security General Security General Security The CiscoWorks Server provides an environment that allows the deployment of web-based network management applications. Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure than the standard computing model that only requires a system login to execute applications.
Page 265: Files, File Ownership, And Permissions
Appendix A Understanding CiscoWorks Security Server Security Remote Connectivity • Access to Systems Other Than the CiscoWorks Server • Access Control • Files, File Ownership, and Permissions The following describes the file ownership and permissions. UNIX Systems—CiscoWorks must be installed by a user with root privilege. •...
Page 266: Runtime
Appendix A Understanding CiscoWorks Security Server Security The CiscoWorks Server relies on the security mechanisms of the NTFS filesystem to provide access control on Windows systems. If CiscoWorks is installed on a FAT filesystem, most security assumptions made about controlled access to files and network management data are not valid. Runtime This describes the runtime activities.
Page 267: Remote Connectivity
Appendix A Understanding CiscoWorks Security Server Security Windows—CiscoWorks back-end processes are executed with permissions • set to the user casuser. Some of the special CiscoWorks Server processes are run as a service under the localsystem user ID. These processes include: –...
Page 268: Access To Systems Other Than The Ciscoworks Server
Appendix A Understanding CiscoWorks Security Server Security Access to Systems Other Than the CiscoWorks Server The access details for Solaris and Windows are: • UNIX Systems—Systems used by the CiscoWorks Server as remote sources of device information for importing into the Resource Manager Essentials Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information.
Page 269: System Administrator-Imposed Security
Appendix A Understanding CiscoWorks Security Server Security System Administrator-Imposed Security To maximize CiscoWorks Server security, follow these security guidelines: Do not allow users other than the systems administrator to have a login on the • CiscoWorks Server. Do not allow the CiscoWorks Server file systems to be mounted remotely •...
Page 270: Terms And Definitions
For example, a user's certificate verifies that the user owns a particular public key. The server certificate for the server named myserver.cisco.com verifies that a specific public key belongs to this server. Certificates can be issued for a variety of functions such as web user authentication, web server authentication, secure e-mail (S/MIME), IP Security, Transaction Layer Security (TLS), and code signing.
Page 271 Appendix A Understanding CiscoWorks Security Server Security Secure Socket Layer (SSL) Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys. Public Key, Private Key Public and private keys are the ciphers used to encrypt and decrypt information.
Page 272 Appendix A Understanding CiscoWorks Security Server Security Base64- Encoded X.509 Certificate Format X.509 certificate format is an emerging certificate standard. It is part of the OSI group of standards. X.509 certificates are very clearly defined using a notation called ASN.1 (Abstract Syntax Notation 1) which specifies the precise kinds of binary data that make up the certificate.
Page 273 Appendix A Understanding CiscoWorks Security Server Security Certificate Authority A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate.
Page 274 Appendix A Understanding CiscoWorks Security Server Security User Guide for CiscoWorks Common Services A-12 78-16571-01...
Page 275: I N D E X
I N D E X applications Application panels in CWHP access applications on another server connection security, understanding traditional applications control, security and licensing 3-68 adding devices to the device list licensing information, viewing 3-70 for AUS management 4-10 licensing procedure 3-69 for cluster management 4-11...
Page 276 8-11 sample CMF backup directory 8-11 understanding restoring data 3-58 Cisco.com connection, managing 3-44 using CLI 3-57 CiscoWorks Homepage (see CWHP) Base64-encoded X.509 certificate format, CiscoWorks Server, troubleshooting definition A-10 collecting information on...
Page 277 Index Daemon Manager, using 3-52 connectivity restarting on Solaris 3-52 Connectivity Tools Tasks (table) restarting on Windows 3-53 tasks database checking process status inaccessible, troubleshooting 8-13 collecting server information path includes "cmf," explanation 8-12 MDC support DCA (Device and Credential Admin) performing a self-test administering 4-26...
Page 278 Index excluding Device Center 4-21 exporting debugging tools, enabling 4-18 importing device connectivity, checking 4-14 viewing the device list packet capture 4-22 6-12 reports, generating Ping, using 4-23 XML file sample SNMP Set 4-36 6-11 DCR (Device and Credential Repository) CLI SNMP Walk, using interface, using 4-39...
Page 279 Index deleting ESS (Event Service Software) 4-12 device list, viewing changing the port for 4-22 excluding in Solaris 4-21 8-17 exporting in Windows 4-18 8-18 using CLI excluding devices from the device list 4-44 4-21 using DCA user interface expired server certificate, how to handle 4-19 8-10 importing...
Page 280 Index deleting devices from groups 5-19 IBM SecureWay Directory, changing login groups 5-22 module to 3-25 details importing devices and credentials 4-14 modifying 5-20 using CLI 4-43 viewing 5-19 using DCA user interface 4-15 editing 5-20 Group Administration 5-14 membership, assigning 5-18 multi-server setup Java Plug-in, version to use...
Page 281 Index log files, maintaining 3-78 Log File Status report, generating 3-45 managing on UNIX 3-78 Common Services jobs 3-73 on Windows 3-80 Common Services resources 3-76 logrot utility, configuring 3-81 messaging online users 3-72 logrot utility, running 3-82 MS Active Directory, changing login module logrot utility, using 3-81 3-29...
Page 282 Process Status report, generating 3-48 server public key, definition security, setting up AAA mode, setting up 3-20 authentication, about 3-21 Cisco.com login, setting up 3-44 Radius, changing login module to 3-32 Cisco Secure ACS support 3-22 remote connectivity, security and login module reports...
Page 283 3-45 obtaining a license Permissions report 3-68 3-46 updating licenses Process Status 3-70 3-48 Cisco.com login, setting up Users Logged In 3-44 3-47 Cisco Secure ACS support security (see security, setting up) 3-22 Common Services, administering self-signed certificates, creating 3-51...
Page 284 Index user management Solaris, changing ports in adding for ESS 8-17 deleting for osagent 8-16 local user profile, modifying SSL, enabling on the server peer server, adding from the CiscoWorks Server 3-11 user profile, editing from the CLI users, local, setting up SSL, definition server certificate for CiscoWorks, expiration, SSO (Single Sign-On) mode...
Page 285 Server Tools Tasks (table) user accounts database about inaccessability 8-13 setting up path includes "cmf" 8-12 Cisco.com 3-44 devices, with the Device Troubleshooting local panel of CWHP Users Logged In report, generating 3-47 EDS not registered with daemon manager 8-10...
Page 286 Index web server port numbers, changing 2-14 what’s new in this release Windows 2000 or Windows NT systems changing the port for ESS 8-18 for osagent 8-15 ensuring that jrm is running 8-15 log files, maintaining on 3-80 User Guide for CiscoWorks Common Services IN-12 78-16571-01...

Cisco CISCOWORKS COMMON SERVICES 3.0 User Manual

Chapter 2 Interacting with Ciscoworks Homepage

Chapter 3 Configuring the Server

Chapter 4 Managing Device and Credentials

Chapter 5 Administering Groups

Chapter 6 Using Device Center

Chapter 7 Working with Software Center

Chapter 8 Diagnosing Problems with Ciscoworks Server

Appendix

Understanding Ciscoworks Security

I N D E X

Quick Links

Troubleshooting

Related Manuals for Cisco CISCOWORKS COMMON SERVICES 3.0

Summary of Contents for Cisco CISCOWORKS COMMON SERVICES 3.0