Cisco Wide Area Application Services Configuration Guide (Software Version 4.2.1)
Configuring Other System Settings
Downloads: This chapterpdf (PDF - 571.0KB) The complete bookPDF (PDF - 16.85MB) | Feedback

Configuring Other System Settings

Table Of Contents

Configuring Other System Settings

Modifying Device Properties

Managing Software Licenses

Enabling the Inetd RCP and FTP Services

Configuring Date and Time Settings

Configuring NTP Settings

Configuring Time Zone Settings

Configuring Secure Store Settings

Secure Store Overview

Enabling Secure Store Encryption on the Central Manager

Enabling Secure Store Encryption on a Standby Central Manager

Enabling Secure Store Encryption on a WAE Device

Changing the Secure Store Encryption Key and Password

Resetting Secure Store Encryption on a Central Manager

Disabling Secure Store Encryption on a WAE Device

Modifying the Default System Configuration Properties

Configuring Web Application Filter

Enabling Web Application Filter

Security Verification

Input Validation

Sanitization

Configuring Faster Detection of Offline WAAS Devices

About Faster Detection of Offline Devices

Configuring Alarm Overload Detection

Configuring the E-mail Notification Server


Configuring Other System Settings


This chapter describes how to perform other system tasks such as setting the system clock, modifying the default system configuration settings, and enabling alarm overload detection, after you have done a basic configuration of your WAAS device.


Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS.


This chapter contains the following sections:

Modifying Device Properties

Managing Software Licenses

Enabling the Inetd RCP and FTP Services

Configuring Date and Time Settings

Configuring Secure Store Settings

Modifying the Default System Configuration Properties

Configuring Web Application Filter

Configuring Faster Detection of Offline WAAS Devices

Configuring Alarm Overload Detection

Configuring the E-mail Notification Server

Modifying Device Properties

The WAAS Central Manager GUI allows you to make the following changes to the properties of a WAE device:

Rename the device

Assign a new location to the device

Assign an IP address to be used for management traffic to the device

Deactivate or activate the device

You can also use the WAAS Central Manager GUI to check the status of a device to determine if it is online, pending, or inactive.

You can only rename a WAAS Central Manager device from the GUI.

To modify a device's properties, follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices.

Step 2 Click the Edit icon next to the device that you want to modify.

The Device Dashboard window appears.

Step 3 In the navigation pane, choose Device Name > Activation.

The Device Activation window appears with fields for editing the properties of the selected device.

For a WAAS Central Manager device, the only fields that you can change in this window are the name and NetBIOS name of the device. In addition, the device IP address and role are displayed.

Step 4 Under the General Configuration heading, set or modify the following device properties:

To change the hostname of the device, enter a new name in the Name field. This name must conform to the following rules:

The name must use only alphanumeric characters and hyphens (-).

The first and last character must be a letter or a digit.

Maximum length is 30 characters.

Names are case insensitive.

The following characters are considered illegal and cannot be used when naming a device:
@, #, $,%, ^, &, *, (), |, \""/, <>.

To activate or deactivate the device, check or uncheck the Activate check box.When this box is checked, the device is activated for centralized management through the WAAS Central Manager GUI.

You can also click the Deactivate icon in the task bar to deactivate the device. Deactivating a device allows you to replace the device in the event of a hardware failure without losing all of its configuration settings.

To change the NetBIOS name of the device, enter the new NetBIOS name for the device in the provided field.


Note If the WAE is operating in nontransparent mode and print services is enabled, you must configure identical names for the NetBIOS name and the hostname of the device that you enter in the Name field.


Step 5 Under the Locality heading, set or change the location by choosing a new location from the Location drop-down list. To create a new location for this device, see the "Creating Locations" section on page 3-14.

Step 6 Under the NAT Configuration heading, configure the NAT settings using the following fields:

Check the Use WAE's primary IP Address check box to enable the WAAS Central Manager to use the IP address configured on the primary interface of the device to communicate with devices in the WAAS network that are behind a NAT firewall.

Allow the WAAS Central Manager to communicate with devices in the WAAS network that are behind the NAT firewall using an explicitly configured IP address, by entering the IP address of the device in the Management IP field. You also need to enter this address in scenarios where the primary interface for a WAE is set to an inline group interface and management traffic is configured on a separate IP address (either on a secondary IP address on the same inline group interface or on a built-in interface).

In the Port field, enter the port number for the management IP address.


Note If the WAAS Central Manager cannot contact a device using the primary IP address, it attempts to communicate using the Management IP address.


Step 7 In the Comments field, enter any comments that you want to appear for this device.

Step 8 Click Submit.


Managing Software Licenses

WAAS software version 4.1.1 introduces software licenses that enable specific WAAS optimization and acceleration features. A software license must be installed and configured before the features that it enables will operate.

Table 9-1 lists the software licenses that may be purchased and the features that each license enables.

Table 9-1 WAAS Software Licenses

License
Description

Transport

Enables basic DRE, TFO, and LZ optimization. Cannot be configured if the Enterprise license is configured.

Enterprise

Enables the EPM, HTTP, MAPI, NFS, SSL, CIFS (WAFS), and Windows Print application accelerators, the WAAS Central Manager, and basic DRE, TFO, and LZ optimization. Cannot be configured if the Transport license is configured.

Video

Enables the video application accelerator. Requires the Enterprise license to be configured first.

Virtual-Blade

Enables the virtualization feature. Requires the Enterprise license to be configured first.


Licenses are installed and managed only on individual WAE devices, not device groups. Not all licenses are supported on all devices.

To add a license to a WAE from the WAAS Central Manager, follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices.

Step 2 Click the Edit icon next to the WAE device that you want to modify. (Do not choose a Central Manager device because you must use the CLI to manage licenses on Central Managers.)

Step 3 In the navigation pane, choose Admin > License Management.

Step 4 Check the check box next to each license that you want to add.

Step 5 Click Submit.


To add licenses from the CLI, you can use the license add EXEC command.

To remove licenses from the CLI, you can use the clear license EXEC command.

To display the status of all licenses from the CLI, you can use the show license EXEC command.

The setup utility also configures licenses when you first set up a new WAAS device.

Enabling the Inetd RCP and FTP Services

Remote Copy Protocol (RCP) lets you download, upload, and copy configuration files between remote hosts and a switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection oriented. Inetd (an Internet daemon) is a program that listens for connection requests or messages for certain ports and starts server programs to perform the services associated with those ports. RCP copies files between devices.

RCP is a subset of the UNIX rshell service, which allows UNIX users to execute shell commands on remote UNIX systems. It is a UNIX built-in service. This service uses TCP as the transport protocol and listens for requests on TCP port 514. RCP service can be enabled on WAAS devices that use WAAS software.

To enable RCP and FTP services on a WAAS device, follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices (or Manage Device Groups).

Step 2 Click the Edit icon next to the device or device group for which you want to enable RCP services.

Step 3 In the navigation pane, choose Configure > Network > Network Services. The Network Services window appears.

Step 4 Check the Enable Rcp Service check box to enable Inetd RCP services. By default, this option is disabled.


Note The Inetd daemon listens for FTP, RCP, and TFTP services. For Inetd to listen to RCP requests, it must be explicitly enabled for RCP service.


Step 5 Check the Enable FTP Service check box to enable the Inetd FTP service. By default, this option is disabled.

Step 6 Click Submit to save your changes.

A "Click Submit to Save" message appears in red next to the Current Settings line when there are pending changes to be saved after you have applied default or device group settings. You can also revert to the previously configured settings by clicking the Reset button. The Reset button is visible only when you have applied default or group settings to change the current device settings but you have not yet submitted the changes.

If you try to leave this window without saving the modified settings, a warning dialog box prompts you to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.


Configuring Date and Time Settings

This section explains how to configure date and time settings for your WAAS network devices and contains the following topics:

Configuring NTP Settings

Configuring Time Zone Settings

Configuring NTP Settings

The WAAS Central Manager GUI allows you to configure the time and date settings using a Network Time Protocol (NTP) host on your network. NTP allows the synchronization of time and date settings for the different geographical locations of the devices in your WAAS network, which is important for proper system operation and monitoring. On each WAAS device, be sure to set up an NTP server to keep the clocks synchronized.

To configure NTP settings, follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices (or Manage Device Groups).

Step 2 Click the Edit icon next to the device or device group that you want to configure.

Step 3 From the navigation pane, choose Configure > Date/Time > NTP. The NTP Settings window appears.

Step 4 Check the Enable check box to enable NTP settings. By default, this option is disabled.

Step 5 In the NTP Server field, enter a hostname or IP address.

Step 6 Click Submit.



Note Unexpected time changes can result in unexpected system behavior. We recommend reloading the system after configuring an NTP server or changing the system clock.


Configuring Time Zone Settings

If you have an outside source on your network that provides time services (such as a Network Time Protocol [NTP] server), you do not need to set the system clock manually. When manually setting the clock, enter the local time.


Note Two clocks exist in the system: the software clock and the hardware clock. The software uses the software clock. The hardware clock is used only at startup to initialize the software clock.


To configure the time zone on a device or device group, follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices (or Manage Device Groups).

Step 2 Click the Edit icon next to the device or device group for which you want to configure the time zone.

Step 3 In the navigation pane, choose Configure > Date/Time > Time Zone. The Time Zone Settings window appears.

Step 4 To configure a standard time zone, follow these steps:

a. Under the Time Zone Settings section, click the Standard Time Zone radio button. The default is UTC (offset = 0) with no summer time configured. When you configure a standard time zone, the system is automatically adjusted for the UTC offset, and the UTC offset need not be specified.

The standard convention for time zones uses a Location/Area format in which Location is a continent or a geographic region of the world and Area is a time zone region within that location.

b. From the drop-down list, choose a location for the time zone. (For an explanation of the abbreviations in this list, see Table 9-2.)

The window refreshes, displaying all area time zones for the chosen location in the second drop-down list.

c. Choose an area for the time zone. The UTC offset is automatically set for standard time zones.

Summer time is built-in for some standard time zones (mostly time zones within the United States), and will result an automatic change in the UTC offset during summer time. For a list of standard time zones that can be configured and their UTC offsets, see Table 9-3.

Step 5 To configure a customized time zone on the device, follow these steps:

a. Under the Time Zone Settings section, click the Customized Time Zone radio button.

b. In the Customized Time Zone field, specify the name of the time zone. The time zone entry is case-sensitive and can contain up to 40 characters including spaces. If you specify any of the standard time zone names, an error message is displayed when you click Submit.

c. For UTC Offset, choose the + or - sign from the first drop-down list to specify whether the configured time zone is ahead or behind UTC. Also, choose the number of hours (0-23) and minutes (0-59) offset from UTC for the customized time zone. The range for the UTC offset is from -23:59 to 23:59, and the default is 0:0.

Step 6 To configure customized summer time, follow these steps under the Customized Summer Time Savings section.


Note You can specify a customized summer time for both standard and customized time zones.


a. To configure absolute summer time, click the Absolute Dates radio button.

You can configure a start date and end date for summer time in absolute dates or recurring dates. Absolute date settings apply only once and must be set every year. Recurring dates apply repeatedly for many years.

b. In the Start Date and End Date fields, specify the month (January through December), day (1-31), and year (1993-2032) on which summer time must start and end in mm/dd/yyyy format. Make sure that the end date is always later than the start date.

Alternatively, click the Calendar icon next to the Start Date and End Date fields to display the Date Time Picker popup window. By default the current date is highlighted in yellow. In the Date Time Picker popup window, use the left or right arrow icons to choose the previous or following years, if required. Choose a month from the drop-down list. Click a day of the month. The chosen date is highlighted in blue. Click Apply. Alternatively, click Set Today to revert to the current day. The chosen date will be displayed in the Start Date and End Date fields.

c. To configure recurring summer time, click the Recurring Dates radio button.

d. From the Start Day drop-down list, choose a day of the week (Monday-Sunday) to start.

e. From the Start Week drop-down list, choose an option (first, 2nd, 3rd, or last) to set the starting week. For example, choose first to configure summer time to recur beginning the first week of the month or last to configure summer time to recur beginning the last week of the month.

f. From the Start Month drop-down list, choose a month (January-December) to start.

g. From the End Day drop-down list, choose a day of the week (Monday-Sunday) to end.

h. From the End Week drop-down list, choose an option (first, 2nd, 3rd, or last) to set the ending week. For example, choose first to configure summer time to end beginning the first week of the month or last to configure summer time to stop beginning the last week of the month.

i. From the End Month drop-down list, choose a month (January-December) to end.

Step 7 From the Start Time drop-down lists, choose the hour (0-23) and minute (0-59) at which daylight saving time should start. From the End Time drop-down lists, choose the hour (0-23) and minute (0-59) at which daylight saving time should end.

Start Time and End Time fields for summer time are the times of the day when the clock is changed to reflect summer time. By default, both start and end times are set at 00:00.

Step 8 In the Offset field, specify the minutes offset from UTC (0-1439). (See Table 9-3.)

The summer time offset specifies that the number of minutes that the system clock moves forward at the specified start time and backward at the end time.

Step 9 Click the No Customized Summer Time Configured radio button to not specify a summer or daylight saving time for the corresponding time zone.

Step 10 Click Submit to save the settings.

A "Click Submit to Save" message appears in red next to the Current Settings line when there are pending changes to be saved after you have applied default or device group settings. You can also revert to the previously configured settings by clicking the Reset button. The Reset button is visible only when you have applied default or group settings to change the current device settings but have not yet submitted the changes.

If you attempt to leave this window without saving the modified settings, a warning dialog box prompts you to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.

Table 9-2 Timezone Location Abbreviations 

Time Zone
Expansion

CET

Central European Time

CST6CDT

Central Standard/Daylight Time

EET

Eastern European Time

EST

Eastern Standard Time

EST5EDT

Eastern Standard/Daylight Time

GB

Great Britain

GB-Eire

Great Britain/Ireland

GMT

Greenwich Mean Time

HST

Hawaiian Standard Time

MET

Middle European Time

MST

Mountain Standard Time

MST7MDT

Mountain Standard/Daylight Time

NZ

New Zealand

NZ-CHAT

New Zealand, Chatham Islands

PRC

People's Republic of China

PST8PDT

Pacific Standard/Daylight Time

ROC

Republic of China

ROK

Republic of Korea

UCT

Coordinated Universal Time

UTC

Coordinated Universal Time

WET

Western European Time

W-SU

Middle European Time


Table 9-3 Timezone—Offset from UTC 

Time Zone
Offset from UTC (in hours)

Africa/Algiers

+1

Africa/Cairo

+2

Africa/Casablanca

0

Africa/Harare

+2

Africa/Johannesburg

+2

Africa/Nairobi

+3

America/Buenos_Aires

-3

America/Caracas

-4

America/Mexico_City

-6

America/Lima

-5

America/Santiago

-4

Atlantic/Azores

-1

Atlantic/Cape_Verde

-1

Asia/Almaty

+6

Asia/Baghdad

+3

Asia/Baku

+4

Asia/Bangkok

+7

Asia/Colombo

+6

Asia/Dacca

+6

Asia/Hong_Kong

+8

Asia/Irkutsk

+8

Asia/Jerusalem

+2

Asia/Kabul

+4.30

Asia/Karachi

+5

Asia/Katmandu

+5.45

Asia/Krasnoyarsk

+7

Asia/Magadan

+11

Asia/Muscat

+4

Asia/New Delhi

+5.30

Asia/Rangoon

+6.30

Asia/Riyadh

+3

Asia/Seoul

+9

Asia/Singapore

+8

Asia/Taipei

+8

Asia/Tehran

+3.30

Asia/Vladivostok

+10

Asia/Yekaterinburg

+5

Asia/Yakutsk

+9

Australia/Adelaide

+9.30

Australia/Brisbane

+10

Australia/Darwin

+9.30

Australia/Hobart

+10

Australia/Perth

+8

Australia/Sydney

+10

Canada/Atlantic

-4

Canada/Newfoundland

-3.30

Canada/Saskatchewan

-6

Europe/Athens

+2

Europe/Berlin

+1

Europe/Bucharest

+2

Europe/Helsinki

+2

Europe/London

0

Europe/Moscow

+3

Europe/Paris

+1

Europe/Prague

+1

Europe/Warsaw

+1

Japan

+9

Pacific/Auckland

+12

Pacific/Fiji

+12

Pacific/Guam

+10

Pacific/Kwajalein

-12

Pacific/Samoa

-11

US/Alaska

-9

US/Central

-6

US/Eastern

-5

US/East-Indiana

-5

US/Hawaii

-10

US/Mountain

-7

US/Pacific

-8


UTC was formerly known as Greenwich Mean Time (GMT). The offset time (number of hours ahead or behind UTC) as displayed in the table is in effect during winter time. During summer time or daylight saving time, the offset may be different from the values in the table and is calculated and displayed accordingly by the system clock.


Configuring Secure Store Settings

Secure store encryption provides stronger encryption and key management for your WAAS system. The WAAS Central Manager and WAE devices use secure store encryption for handling passwords, managing encryption keys, and for data encryption.

This section contains the following topics:

Secure Store Overview

Enabling Secure Store Encryption on the Central Manager

Enabling Secure Store Encryption on a Standby Central Manager

Enabling Secure Store Encryption on a WAE Device

Changing the Secure Store Encryption Key and Password

Resetting Secure Store Encryption on a Central Manager

Disabling Secure Store Encryption on a WAE Device

Secure Store Overview

When you enable secure store encryption on the Central Manager or a WAE device, the WAAS system uses strong encryption algorithms and key management policies to protect certain data on the system. This data includes encryption keys used by applications in the WAAS system, CIFS passwords, user login passwords, and certificate key files.

To enable secure store encryption, you must enter a password on the Central Manager. This password is used to generate the key encryption key according to secure standards. The WAAS system uses the key encryption key to encrypt and store other keys generated on the Central Manager or WAE devices. These other keys are used for WAAS functions including disk encryption, SSL acceleration, or to encrypt and store CIFS accelerator credentials, the WAFS core password, and user passwords.

When secure store is enabled on the Central Manager, the data is encrypted using a 256-bit key encryption key generated from the password you enter and using SHA1 hashing and an AES 256-bit algorithm. When secure store is enabled on a WAE device the data is encrypted using a 256-bit key encryption key generated using SecureRandom, a cryptographically strong pseudorandom number generator.

To implement secure store your system must meet the following requirements:

You must have a Central Manager configured for use in your network.

Your WAE devices must be registered with the Central Manager.

Your WAE devices must be online (have an active connection) with the Central Manager. This requirement applies only if you are enabling secure store on WAE devices.

All Central Managers and WAE devices must be running WAAS software version 4.0.19 or higher.

To implement strong store encryption, follow these steps:


Step 1 Enable strong storage encryption on your primary Central Manager. See Enabling Secure Store Encryption on the Central Manager.

Step 2 Enable strong storage encryption on any standby Central Managers. See Enabling Secure Store Encryption on a Standby Central Manager.

Step 3 Enable strong storage encryption on WAE devices or WAE device groups. See Enabling Secure Store Encryption on a WAE Device. (Secure store must be enabled on the Central Manager before you enable it on the WAE devices.)

You can enable secure store independently on the Central Manager and on the WAE devices. To ensure full protection of your encrypted data, enable secure store on both the Central Manager and the WAE devices. You must enable secure store on the Central Manager first.



Note When you reboot the Central Manager, you must re-enable secure store encryption manually. Disk encryption and CIFS preposition features on the remote WAE devices will not operate properly until you enter the secure store password on the Central Manager to re-enable secure store encryption.


When secure store is enabled, the following system characteristics are affected:

Passwords stored in the Central Manager database are encrypted using strong encryption techniques.

CIFS prepositioning credentials are encrypted using the strong encryption key on the Central Manager and the WAE devices.

Certificate key files are encrypted using the strong encryption key on the Central Manager.

If a primary Central Manager fails, secure store key management will be handled by the standby Central Manager. (Secure store mode must be enabled manually on the standby Central Manager.)

Backup scripts will backup the secure store mode status of the device at the time of backup. Backup is supported only on the Central Manager.

Restore scripts will verify if the backup file has secure store mode enabled. If the backup file is in secure store mode, you must enter the pass phrase to verify and restore the device. Restore is supported only on the Central Manager.

When you enable secure store on a WAE device, the system initializes and retrieves a new encryption key from the Central Manager. The WAE uses this key to encrypt data such as CIFS prepositioning credentials and information on the disk (if disk encryption is also enabled).

When you reboot the WAE after enabling secure store, the WAE retrieves the key from the Central Manager automatically, allowing normal access to the data that is stored in WAAS persistent storage. If key retrieval fails, a critical alarm is raised and secure store should be reopened manually. Until secure store is reopened, the WAE rejects configuration updates from the Central Manager if the updates contain CIFS preposition, dynamic share, or user configuration. Also, the WAE will not include preposition configuration in the updates that it sends to the Central Manager.

If secure store is active, you cannot downgrade to an earlier version of WAAS software that does not support secure store mode. You must disable secure store mode before installing the previous version of WAAS software.

While secure store encrypts certain system information, it does not encrypt the data on the hard drives. To protect the data disks, you must enable disk encryption separately. See Enabling Disk Encryption, page 15-28.

Enabling Secure Store Encryption on the Central Manager

To enable secure store encryption on the Central Manager, follow these steps:


Step 1 From the WAAS Central Manager GUI, choose Admin > Secure Store. The Configure CM Secure Store window appears.

Step 2 Enter a password in the Enter passphrase and Confirm passphrase fields.

The password must conform to the following rules:

Be 8 to 64 characters in length

Contain characters only from the allowed set ([A-Za-z0-9~%'!#$^&*()|;:,\"<>/]*)

Contain at least one digit

Contain at least one lowercase and one uppercase letter

Step 3 Click the Initialize button.

The secure store is initialized and opened. Data is encrypted using the key derived from the password.


To enable secure store from the CLI, use the cms secure-store init EXEC command.


Note Whenever you reboot the Central Manager, you must reopen the secure store manually. Disk encryption and CIFS preposition features on the remote WAE devices will not operate properly until you enter the secure store password on the Central Manager to reopen the secure store. Use the same configuration screen as above, except you should use the Open Secure Store section. The secure store is already initialized, so the Initialize Secure Store section is not shown. Alternatively, you can use the cms secure-store open EXEC command.



Note When you enable secure store on the primary Central Manager, you should enable secure store on the standby Central Manager as well. See Enabling Secure Store Encryption on a Standby Central Manager.


You can check the status of secure store encryption by entering the show cms secure-store command.

Enabling Secure Store Encryption on a Standby Central Manager


Note A standby Central Manager provides limited encryption key management support. If the primary Central Manager fails the standby Central Manager provides only encryption key retrieval to the WAE devices, but does not provide new encryption key initialization. Do not enable disk encryption or secure store on WAE devices when the primary Central Manager is not available.


To enable secure store encryption on a standby Central Manager, first enable secure store on the primary Central Manager and then use the CLI to execute the cms secure-store open EXEC mode command on the standby Central Manager:


Step 1 Enable secure store encryption on the primary Central Manager. See Enabling Secure Store Encryption on the Central Manager.

Step 2 Wait until the standby Central Manager replicates the data from the primary Central Manager.

The replication should occur in 60 seconds (default) or as configured for your system.

Step 3 Enter the cms secure-store open command on the standby Central Manager to activate secure store encryption.

The standby Central Manager responds with the "please enter pass phrase" message.

Step 4 Type the password and press Enter.

The standby Central Manager encrypts the data using secure store encryption.


Note Repeat Steps 3 and 4 for each standby Central Manager on your system.



You can check the status of secure store encryption by entering the show cms secure-store command.

Enabling Secure Store Encryption on a WAE Device

To enable secure store encryption on a WAE device, follow these steps:


Step 1 From the WAAS Central Manager GUI, choose Manage Devices (or Manage Device Groups).

Step 2 Click the Edit icon next to the device or device group for which you want to enable secure store.


Note The secure store status must be the same for all WAE devices in a device group. Either all WAE devices in the group must have secure store enabled, or all must have secure store disabled. Before you add a WAE device to a device group, set its secure store status to match the others. See Working with Device Groups, page 3-2.


Step 3 From the navigation pane, choose Configure > Security > Secure Store. The Secure Store Settings window appears, as shown in Figure 9-1.

Figure 9-1 Example of Secure Store Settings Window

Step 4 Check the Initialize CMS Secure Store box. (The Open CMS Secure Store box will be checked automatically.)

Step 5 Click Submit to activate secure store encryption.

A new encryption key is initialized on the Central Manager, and the WAE encrypts the data using secure store encryption.


To enable secure store from the CLI, use the cms secure-store init EXEC command.


Note If you have made any other CLI configuration changes on a WAE within the datafeed poll rate time interval (5 minutes by default) before executing the cms secure-store command, those prior configuration changes will be lost and you will need to redo them.



Note When you enable or disable secure store on a device group, the changes do not take effect on all WAE devices simultaneously. When you view the WAE devices be sure to give the Central Manager enough time to update the status of each WAE device.


Changing the Secure Store Encryption Key and Password

The secure store encryption password is used by the Central Manager to generate the encryption key for the encrypted data.

To change the password and generate a new encryption key on the Central Manager, follow these steps:


Step 1 From the WAAS Central Manager GUI, choose Admin > Secure Store.

Step 2 In the Current passphrase field, enter the current password.

Step 3 In the Enter new passphrase field, enter the new password.

The password must conform to the following rules:

Be 8 to 64 characters in length

Contain characters only from the allowed set ([A-Za-z0-9~%'!#$^&*()|;:,\"<>/]*)

Contain at least one digit

Contain at least one lowercase and one uppercase letter

Step 4 In the Confirm passphrase field, enter the new password again.

Step 5 Click the Change button.

The WAAS device reencrypts the stored data using a new encryption key derived from the new password.


To change the password and generate a new encryption key on the Central Manager from the CLI, use the cms secure-store change EXEC command.

To generate a new encryption key for a WAE device use the WAAS Central Manager GUI and do the following:


Step 1 From the WAAS Central Manager GUI, choose Manage Devices (or Manage Device Groups).

Step 2 Click the Edit icon next to the device or device group for which you want to generate a new encryption key.

Step 3 From the navigation pane, choose Configure > Security > Secure Store.

Step 4 Check the Change CMS Secure Store box and then click Submit.

A new encryption key is generated in the Central Manager. The Central Manager replaces the encryption key in the WAE with the new key. The WAE re-encrypts the stored data using the new encryption key.


To configure the secure store encryption key from the CLI, use the cms secure-store change EXEC command.

Resetting Secure Store Encryption on a Central Manager

Use the cms secure-store reset command if you reload the Central Manager and you cannot open the secure store because you forget the secure store password. This command deletes all encrypted data, certificate and key files, and key manager keys. The secure store is left in the uninitialized state.

To reset secure store encryption on a Central Manager, follow these steps:


Step 1 Enter the cms secure-store reset command on the primary Central Manager.

Step 2 Wait until the standby Central Manager replicates the data from the primary Central Manager.

The replication should occur in 60 seconds (default) or as configured for your system.

Step 3 Enter the cms secure-store reset command on the standby Central Manager if secure store is in the initialized and open state.

Step 4 From the primary Central Manager, reset all user account passwords, CIFS credentials, and/or CIFS legacy mode core passwords.

For information on resetting user passwords, see the "Changing the Password for Another Account" section on page 7-8. For information on resetting CIFS legacy mode core cluster passwords, see the "Configuring the Core Cluster" section on page 11-11. For information on resetting dynamic share passwords, see the "Creating Dynamic Shares" section on page 11-21. For information on resetting preposition passwords, see the "Creating a Preposition Directive" section on page 11-25.

Step 5 Reinitialize and open secure store on the primary Central Manager as described in the "Enabling Secure Store Encryption on the Central Manager" section.

Step 6 If secure store on the standby Central Manager is initialized but not open, wait until the primary Central Manager replicates data to the standby Central Manager, then open secure store on the standby Central Manager using the cms secure-store open command.

Step 7 On each WAE registered to the Central Manager, follow these steps:

a. If secure store is initialized and open, from the Central Manager, clear secure store (see the "Disabling Secure Store Encryption on a WAE Device" section). Or, from the CLI, enter the cms secure-store clear EXEC command.

b. From the Central Manager, initialize secure store (see the "Enabling Secure Store Encryption on a WAE Device" section). Or, from the CLI, enter the cms secure-store init EXEC command. (This step is needed only if you performed step 7a.)

c. Enter the crypto pki managed-store initialize command and restart the SSL accelerator.

d. If disk encryption is enabled, from the Central Manager, disable disk encryption (see the "Enabling Disk Encryption" section on page 15-28). Or, from the CLI, enter the no disk encrypt enable global configuration command.

e. If disk encryption had been enabled before step 7d, reload the device. After the reload, reenable disk encryption and reload the device again.


Note If the WAE is reloaded before doing Step 7, disk encryption, SSL acceleration, and secure store will not function properly. In this case, you must restore the WAE to factory defaults.


Step 8 From the primary Central Manager, reimport all certificate and key files for all the accelerated and peering services which are configured on the WAEs.


Disabling Secure Store Encryption on a WAE Device

To disable secure store encryption on a WAE device, follow these steps:


Step 1 From the WAAS Central Manager GUI, choose Manage Devices (or Manage Device Groups).

Step 2 Click the Edit icon next to the device or device group for which you want to disable secure store.

Step 3 From the navigation pane, choose Configure > Security > Secure Store. The Secure Store Settings window appears, as shown in Figure 9-1.

Step 4 Check the Clear CMS Secure Store box and then click Submit to disable secure store encryption and return to standard encryption.

You can also enter the cms secure-store clear command to disable secure store encryption and return to standard encryption.


To disable secure store on a WAE or Central Manager from the CLI, use the cms secure-store clear EXEC command.


Note When you disable secure store on the primary Central Manager, you should disable secure store on the standby Central manager as well.


Modifying the Default System Configuration Properties

The WAAS software comes with preconfigured system properties that you can modify to alter the default behavior of the system. To modify these properties, choose Configure > System Properties from the WAAS Central Manager GUI navigation pane.

Table 9-4 describes the system configuration properties that you can modify.

Table 9-4 Descriptions for System Configuration Properties 

System Property
Description

cdm.remoteuser.deletionDaysLimit

Maximum number of days since their last login after which an external user will be deleted from the WAAS Central Manager database. For example, if cdm.remoteuser.deletionDaysLimit is set to 5, an external user will be deleted from the database if the difference between their last login time and the current time is more than 5 days. The default is 1 day. An external user is a user that is defined in an external AAA server and not in the WAAS Central Manager.

cdm.session.timeout

Timeout in minutes of a WAAS Central Manager GUI session. The default is 10 minutes. If the session is idle for this length of time, the user is automatically logged out.

DeviceGroup.overlap

Status of whether a device can belong to more than one device group. The default is true (devices can belong to more than one device group).

System.datafeed.pollRate

Poll rate between a WAAS device and the WAAS Central Manager (in seconds). The default is 300 seconds.

System.device.recovery.key

Device identity recovery key. This property enables a device to be replaced by another node in the WAAS network.

System.guiServer.fqdn

Scheme to use (IP address or FQDN) to launch the Device Manager GUI.

System.healthmonitor.collectRate

Collect and send rate in seconds for the CMS device health (or status) monitor. If the rate is set to 0, the health monitor is disabled. The default is 120 seconds.

System.lcm.enable

Local and central management feature (enable or disable). This property allows settings that are configured using the local device CLI or the WAAS Central Manager GUI to be stored as part of the WAAS network configuration data. The default is true. If this property is set to false (disabled), configuration changes made on a local device will not be communicated to the Central Manager and configurations done in the Central Manager will overwrite local device configurations.

System.monitoring.collectRate

Rate at which a WAE collects and sends the monitoring report to the WAAS Central Manager (in seconds). The default is 300 seconds (5 minutes). Reducing this interval impacts the performance of the WAAS Central Manager device.

System.monitoring.dailyConsolidationHour

Hour at which the WAAS Central Manager consolidates hourly and daily monitoring records. The default is 1 (1:00 a.m.).

System.monitoring.enable

WAE statistics monitoring (enable or disable). The default is true.

System.monitoring.maxDevicePerLocation

Maximum number of devices for which monitoring is supported in location level reports. The default is 25.

System.monitoring.maxReports

Maximum number of completed or failed report instances to store for each custom report. The default is 10 report instances.

System.monitoring.monthlyConsolidationFrequency

How often (in days) the WAAS Central Manager consolidates daily monitoring records into monthly records. If this setting is set to 1, the WAAS Central Manager checks if consolidation needs to occur every day, but only performs consolidation if there is enough data for consolidation to occur. The default is 14 days.

When a monthly data record is created, the corresponding daily records are removed from the database. Consolidation occurs only if there is at least two calendar months of data plus the consolidation frequency days of data. This ensures that the WAAS Central Manager always maintains daily data records for the past month and can display data on a day level granularity for the last week.

For example, if data collection starts on February 2nd, 2006 and System.monitoring.monthlyConsolidationFrequencyis set to 14, then the WAAS Central Manager checks if there is data for the past two calendar months on the following days: Feb 16th, March 2nd, March 16th, and March 30th. No consolidation will occur because there is not enough data on these days.

On April 13th, however, two calendar months of data exists. The WAAS Central Manager then consolidates data for the month of February and deletes the daily data records for that month.

System.monitoring.recordLimitDays

Maximum number of days of monitoring data to maintain in the system. The default is 1825 days.

System.monitoring.timeFrameSettings

Default time frame to be used for plotting all the charts. Settings saved by the user will not be changed. The default is Last Hour.

System.print.driverFtpTimeout

Maximum number of seconds to wait for printer driver files to transfer by FTP. The range is 10 to 1800 seconds. The default is 600 seconds.

System.registration.autoActivation

Status of the automatic activation feature, which automatically activates WAE devices that are registered to the Central Manager. The default is true (devices are automatically registered).

System.rpc.timeout.syncGuiOperation

Timeout in seconds for the GUI synchronization operations for the Central Manager to WAE connection. The default is 50 seconds.

System.security.maxSimultaneousLogins

Maximum number of concurrent WAAS Central Manager sessions permitted for a user. Specify 0 (zero, the default) for unlimited concurrent sessions. A user must log off the Central Manager to end a session. If a user closes the browser without logging off, the session is not closed until after it times out after 120 minutes (the timeout is not configurable). If the number of concurrent sessions permitted also is exceeded for that user, there is no way for that user to regain access to the Central Manager GUI until after the timeout expires. This setting does not affect CLI access to the Central Manager device.

System.security.webApplicationFilter

Status of the web application filter, which rejects any javascript, SQL, or restricted special characters in input. The default is false.

System.standby.replication.maxCount

Maximum number of statistics data records (in thousands) that will be replicated to a standby Central Manager. The range is 10 to 300. The default is 200 (200,000 records). We do not recommend increasing this number.

System.standby.replicationTimeout

Maximum number of seconds to wait for replication to a standby Central Manager. The range is 300 to 3600 seconds. The default is 900 seconds. We do not recommend decreasing this timeout.


To view or modify the value of a system property, follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose Configure > System Properties. The Config Properties window appears.

Step 2 Click the Edit icon next to the system property that you want to change. The Modifying Config Property window appears.

Step 3 From a drop-down list, enter a new value or choose a new parameter, depending on the system property that you want to change.

Step 4 Click Submit to save the settings


Configuring Web Application Filter

Web Application Filter is a security feature that protects the WAAS Central Manager GUI against Cross-Site Scripting (XSS) attacks. XSS security issues can occur when an application sends data that originates from a user to a web browser without first validating or encoding the content, which can allow malicious scripting to be executed in the client browser, potentially compromising database integrity.

This security feature verifies that all application parameters sent from WAAS users are validated and/or encoded before populating any HTML pages.

This section contains the following topics:

Enabling Web Application Filter

Security Verification

Enabling Web Application Filter

To enable the Web Application Filter, follow these steps:


Step 1 From the WAAS Central Manager GUI, choose Configure > System Properties. The Config Properties window appears. (See Figure 9-2.)


Note You cannot enable this feature using the CLI. This feature is disabled by default.


Figure 9-2 Config Properties

Step 2 Click the Edit icon next to the system.security.webApplicationFilter entry.

The Modifying Config Property window appears.

Step 3 Choose true from the Value drop-down list to enable this feature.

A warning appears to advise Central or Device Manager users to log out and then back in after enabling this feature. (See Figure 9-3.)

Figure 9-3 Modifying Config Property

Step 4 Click OK and then Submit.

Step 5 Log out and then back in again.


Security Verification

The Web Application Filter feature verifies security using two methods, input verification and sanitization. Input validation validates all input data before accepting data. Sanitization prevents malicious configuration and scripts already present in the data from getting executed.

This section contains the following topics:

Input Validation

Sanitization

Input Validation

Input validation scans all data that is input to the Central/Device Manager database and is only configurable by the admin user.

Any input submitted using the Central Manager GUI that is suspicious of XSS is blocked. Blocked input results in a warning. (See Figure 9-4.)

Figure 9-4 Warning

Input data is checked against the following XSS filter rules:

Input is rejected if it contains a semicolon (;)

Input is rejected if it is enclosed in angle brackets (<>)

Input is rejected if it can be indirectly used to generate the above tags (&#60, &#62, %3c, %3e)

Sanitization

The sanitizer prevents malicious configuration and scripts from getting executed in the browser when there is an XSS attack on the database. Sanitization is not configurable by the user. (See Figure 9-5.)

Figure 9-5 XSS Configuration Data

Configuration data coming from the Central Manager that is suspect for XSS is shown in red on the My WAN > Manage Device Groups > Device Groups page.

Configuring Faster Detection of Offline WAAS Devices

You can detect offline WAAS devices more quickly if you enable the fast detection of offline devices. A WAAS device is declared as offline when it has failed to contact the WAAS Central Manager for a getUpdate (get configuration poll) request for at least two polling periods. (See the "About Faster Detection of Offline Devices" section for more information about this feature.)

To configure fast detection of offline WAAS devices, follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose Configure > Fast Device Offline Detection. The Configure Fast Offline Detection window appears.


Note The fast detection of offline devices feature is in effect only when the WAAS Central Manager receives the first UDP heartbeat packet and a getUpdate request from a device.


Step 2 Check the Enable check box to enable the WAAS Central Manager to detect the offline status of devices quickly.

Step 3 In the Heartbeat Rate (Seconds) field, specify how often devices should transmit a UDP heartbeat packet to the WAAS Central Manager. The default is 30 seconds.

Step 4 In the Heartbeat Fail Count field, specify the number of UDP heartbeat packets that can be dropped during transmission from devices to the WAAS Central Manager before a device is declared offline. The default is 1.

Step 5 In the Heartbeat UDP Port field, specify the port number using which devices will send UDP heartbeat packets to the primary WAAS Central Manager. The default is port 2000.

The Maximum Offline Detection Time field displays the product of the failed heartbeat count and heartbeat rate.

Maximum Offline Detection Time = Failed heartbeat count * Heartbeat rate

If you have not enabled the fast detection of offline devices feature, then the WAAS Central Manager waits for at least two polling periods to be contacted by the device for a getUpdate request before declaring the device to be offline. However, if you enable the fast detection of offline devices feature, then the WAAS Central Manager waits until the value displayed in the Maximum Offline Detection Time field is exceeded.

If the WAAS Central Manager receives the Cisco Discovery Protocol (CDP) from a device, then the WAAS Central Manager GUI displays the device as offline after a time period of 2* (heartbeat rate) * (failed heartbeat count).

Step 6 Click Submit.


About Faster Detection of Offline Devices

Communication between the WAAS device and WAAS Central Manager using User Datagram Protocol (UDP) allows faster detection of devices that have gone offline. UDP heartbeat packets are sent at a specified interval from each device to the primary WAAS Central Manager in a WAAS network. The primary WAAS Central Manager tracks the last time that it received a UDP heartbeat packet from each device. If the WAAS Central Manager has not received the specified number of UDP packets, it displays the status of the nonresponsive devices as offline. Because UDP heartbeats require less processing than a getUpdate request, they can be transmitted more frequently, and the WAAS Central Manager can detect offline devices much faster.

You can enable or disable this feature, specify the interval between two UDP packets, and configure the failed heartbeat count. Heartbeat packet rate is defined as the interval between two UDP packets. Using the specified heartbeat packet rate and failed heartbeat count values, the WAAS Central Manager GUI displays the resulting offline detection time as a product of heartbeat rate and failed heartbeat count. If the fast detection of offline devices is enabled, the WAAS Central Manager detects devices that are in network segments that do not support UDP and uses getUpdate (get configuration poll) request to detect offline devices.

By default, the feature to detect offline devices more quickly is not enabled.

Configuring Alarm Overload Detection

WAAS devices can track the rate of incoming alarms from the Node Health Manager. If the rate of incoming alarms exceeds the high-water mark (HWM), then the WAAS device enters an alarm overload state. This situation occurs when multiple applications raise alarms at the same time to report error conditions. When a WAAS device is in an alarm overload state, the following occurs:

SNMP traps for subsequent alarm raise and clear operations are suspended. The trap for the raise alarm-overload alarm and the clear alarm-overload alarm are sent; however, traps related to alarm operations between the raise alarm-overload alarm and the clear alarm-overload alarm operations are suspended.

Alarm overload raise and clear notifications are not blocked. The alarm overload state is communicated to SNMP and the Configuration Management System (CMS). However, in the alarm overload state, SNMP and the CMS are not notified of individual alarms. The information is only available by using the CLI.

The WAAS device remains in an alarm overload state until the rate of incoming alarms decreases to the point that the alarm rate is less than the low-water mark (LWM).

If the incoming alarm rate falls below the LWM, the WAAS device comes out of the alarm overload state and begins to report the alarm counts to SNMP and the CMS.

When the WAAS device is in an alarm overload state, the Node Health Manager continues to record the alarms being raised on the WAAS device and keeps a track of the incoming alarm rate. Alarms that have been raised on a WAAS device can be listed using the show alarm CLI commands that are described in the Cisco Wide Area Application Services Command Reference.

To configure alarm overload detection for a WAAS device (or device group), follow these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices (or Manage Device Groups). The Devices (or Device Groups) window appears.

Step 2 Click the Edit icon next to the device (or device group) for which you want to configure the alarm overload state.

Step 3 In the navigation pane, choose Configure > Monitoring > Alarm Overload Detection. The Alarm Overload Detection Settings window appears.

Step 4 Uncheck the Enable Alarm Overload Detection check box if you do not want to configure the WAAS device (or device group) to suspend alarm raise and clear operations when multiple applications report error conditions. This check box is checked by default.

Step 5 In the Alarm Overload Low Water Mark (Clear) field, enter the number of incoming alarms per second below which the WAAS device comes out of the alarm overload state.

The low-water mark is the level up to which the number of alarms must drop before alarms can be restarted. The default value is 1. The low-water mark value should be less than the high-water mark value.

Step 6 In the Alarm Overload High Water Mark (Raise) field, enter the number of incoming alarms per second above which the WAAS device enters the alarm overload state. The default value is 10.

Step 7 Click Submit to save the settings.


To configure alarm overload detection from the CLI, you can use the alarm overload-detect global configuration command.

Configuring the E-mail Notification Server

You can schedule reports to be generated periodically, and when they are generated, a link to the report can be e-mailed to one or more recipients. (For details, see the "Managing Reports" section on page 16-48.)

To enable email notification, you must configure email server settings for the WAAS Central Manager by following these steps:


Step 1 From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices. The Devices window appears.

Step 2 Click the Edit icon next to the WAAS Central Manager device for which you want to configure the email server settings.


Note Only SMTP mail servers are supported. If any other type of mail server is configured, the email notification fails.


Step 3 In the navigation pane, choose Configure > Monitoring > Email Notification Server. The Configure Email Server Details window appears.

Step 4 In the Mail Server Hostname field, enter the hostname of the SMTP email server that is to be used to send email.

Step 5 In the Mail Server Port field, enter the port number. The default is port 25.

Step 6 In the Server Username field, enter a valid email account username.

Step 7 In the Server Password field, enter the password for the email account.

Step 8 In the From Address field, enter the e-mail address shown as the sender of the email notification.

Step 9 Click Submit.