The Web Services Management Agent (WSMA) defines a set of web services through which a network device can be managed, configuration data can be retrieved, and new configuration data can be uploaded and manipulated. WSMA uses XML-based data encoding that is transported by the Simple Object Access Protocol (SOAP) for both the configuration data and the protocol messages.
You can use WSMA over Secure Shell Version 2 (SSHv2), HTTP, or HTTPS to access the entire Cisco command-line interface (CLI). Multiple WSMA clients can connect to the WSMA server running on Cisco software.
You can also use WSMA over SSHv2, HTTP, or HTTPS to initiate secure connections from Cisco software to applications over trusted and untrusted networks.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Web Services Management Agent (WSMA) is a family of embedded agents used by the point-to-point management application to fully manage a device.
The Configuration WSMA service provides services to change the configuration on Cisco devices and validates and applies a set of configuration commands to Cisco software. Any noninteractive configuration CLI command that can be applied using the Cisco console can also be applied using this WSMA. This service is available for all configuration CLI commands on the Cisco device. It treats a set of commands as a single operation.
Three types of configuration requests can occur:
The configuration WSMA service allows you to specify the CLI commands using either the XML Programmatic Interface (XML-PI) mode, or as direct CLI commands. Configuration WSMA service requests use the following modes and attributes:
For more information about the request and response messages for this service, see the WSMA configuration schema at ftp://ftp.cisco.com/pub/wsma/schema/wsma_config.xsd.
The EXEC WSMA provides services to retrieve operational data from the Cisco device and handles EXEC mode command-line operations such as show commands and other diagnostic commands on Cisco devices. Interactive EXEC commands have Expect and Response tags that let you configure the exchange sequence. The service can retrieve show command operational data in XML-Programmatic Interface (PI) format and allows remote reloading of the Cisco device.
EXEC WSMA service requests consist of a single EXEC mode command encapsulated in an <execCLI> tag with the following tags and attributes:
The order and number of the dialogue elements must match the actual prompts seen, or the EXEC call will fail. All dialogues must be run; otherwise an error message is returned.
For more information on the request and response messages for this service, see the WSMA EXEC schema at: ftp://ftp.cisco.com/pub/wsma/schema/wsma_exec.xsd
The Filesystem WSMA service provides services to manage files on the Cisco device. It copies and validates files between local and remote file systems. This agent can be used to list directories, upgrade the software image running on the device and delete files. File copies can be validated using a Message Digest 5 (MD5) checksum if available.
There are three types of filesystem requests:
The fileCopy request option has the following attributes:
The fileCopy request option has the following tags:
There are three types of filesystem responses:
The errorInfo response is seen only if the operation fails. It describes the error encountered and contains two fields: errorCode and errorMessage.
The errorCode field identifies the type of error and can include:
For more information about the request and response messages for this service see the WSMA filesystem schema at ftp://ftp.cisco.com/pub/wsma/schema/wsma_filesystem.xsd
The Notification WSMA service collects configuration-change events and forwards the details to the management application that has subscribed to get the notifications.
Multiple management applications can receive the notifications by connecting to a listener profile. Each management application must explicitly subscribe to the notifications and can turn notifications on or off on the profile without affecting the operation of other connected management applications. If a connection drops, notifications are turned off.
Notifications are not cached or stored. If no management application is connected when an event happens, there is no record of that event.
Notification requests have three attributes:
Notification responses have the following attributes:
For more information about the request and response messages for this service, see the WSMA notification schema at ftp://ftp.cisco.com/pub/wsma/schema/wsma_notify.xsd
When a new WSMA session is established, the Cisco device sends a Hello message containing the WSMA ID and a list of WSMA services available on the session. The remote management application can query this information by sending a WSMA Hello request to the Cisco device.
This service is enabled by default on every WSMA profile.
For more information about the request and response messages for this service, see the WSMA hello schema at ftp://ftp.cisco.com/pub/wsma/schema/wsma_hello.xsd
If a WSMA profile is configured to use keepalive messages, and if no WSMA service request has been received for the configured keepalive interval, the Cisco device sends a Keepalive request on the WSMA session. If the number of keepalive requests sent exceeds the configured retries, the WSMA session is closed.
A keepalive request has one attribute, correlator. The correlator attribute is a number that starts at 1 and increments each time a keepalive request is sent on a session. The correlator value used in a keepalive response must match the value in a keepalive request.
For more information about the request and response messages for this service, see the WSMA keepalive schema at ftp://ftp.cisco.com/pub/wsma/schema/wsma_keepalive.xsd
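The keepalive exchange described above, with both the device side and the management-application side, as an added illustration (not Cisco's code). It assumes a profile configured as `keepalive <interval> retries <n>` with the interval in seconds, and the element names `request`, `response` and `keepalive` under an assumed namespace `urn:cisco:wsma-keepalive` (the page only gives the schema file name).

```python
import xml.etree.ElementTree as ET

# Namespace assumed from the schema file name on the page (wsma_keepalive.xsd).
NS = "urn:cisco:wsma-keepalive"


class KeepaliveSession:
    """Device-side keepalive state for one WSMA session."""

    def __init__(self, interval, retries):
        self.interval = interval      # seconds of silence before a keepalive is sent
        self.retries = retries        # unanswered keepalives tolerated before closing
        self.correlator = 0           # becomes 1 on the first keepalive, then increments
        self.outstanding = 0          # keepalive requests not yet answered
        self.idle = 0                 # seconds since the last WSMA service request
        self.closed = False

    def service_request_received(self):
        """Any WSMA service request resets the idle timer."""
        self.idle = 0

    def tick(self, seconds):
        """Advance the clock. Returns a keepalive request (XML string) when one is due."""
        if self.closed:
            return None
        self.idle += seconds
        if self.idle < self.interval:
            return None
        self.idle = 0
        if self.outstanding >= self.retries:
            # Sending one more would exceed the configured retries: close the session.
            self.closed = True
            return None
        self.correlator += 1
        self.outstanding += 1
        req = ET.Element("request", {"xmlns": NS, "correlator": str(self.correlator)})
        ET.SubElement(req, "keepalive")
        return ET.tostring(req, encoding="unicode")

    def keepalive_response(self, xml):
        """Accept a response only if its correlator matches the last request sent."""
        root = ET.fromstring(xml)
        if root.get("correlator") != str(self.correlator):
            return False
        self.outstanding = 0
        return True


def keepalive_reply(request_xml):
    """Management-application side: echo the request's correlator in the response."""
    corr = ET.fromstring(request_xml).get("correlator")
    resp = ET.Element("response", {"xmlns": NS, "correlator": corr})
    ET.SubElement(resp, "keepalive")
    return ET.tostring(resp, encoding="unicode")
```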
Web Services Management Agent (WSMA) needs input from external management applications to cause actions on the device. A physical transport protocol must be configured and associated with a WSMA to allow the WSMA to communicate with external management applications. The transport protocol and an encapsulation together form a WSMA profile. Any WSMA agent must be associated with a specific WSMA profile to perform valid operations. WSMA profiles demultiplex requests to the appropriate WSMA.
WSMA profiles work as a transport termination point and allow transport and XML encapsulation parameters to be configured:
The service listener is a type of Web Services Management Agent (WSMA) profile that listens for incoming connections and accepts connections from allowed addresses or accepted user IDs. The accepted addresses are configured by defining an access list.
Accepted user IDs are configured by defining the transport method that the service listener listens for. The transport method (Secure Shell (SSH), HTTP, or HTTPS) enforces the specific user ID that is accepted.
Note: WSMA listener profiles cannot access Cisco devices that are located behind a firewall.
The service initiator is a type of Web Services Management Agent (WSMA) profile that initiates secure connections from Cisco devices to management applications over trusted and untrusted networks.
The service initiator creates a dynamic socket that attempts to stay connected to a configured server address. Each initiator can be configured with retry, keepalive, timeout, and reconnect settings. In addition, each initiator can specify a backup connection to use if the primary connection fails.
The service initiator allows WSMA to initiate connections to devices behind a firewall or Network Address Translation (NAT), and in Zero Touch Deployment (ZTD) networks.
Simple Object Access Protocol (SOAP) is an industry-standard protocol to exchange XML data between applications. It defines a common mechanism to handle corrupted XML messages. It has a header mechanism to collate metadata associated with a transaction.
SOAP 1.1 and SOAP 1.2 have different schema definitions. They can coexist with no impact on each other. Cisco software has both SOAP 1.1 and SOAP 1.2 libraries. SOAP has mechanisms to handle XML framing and operational errors in a generic manner, allowing greater interoperability of XML-based applications.
To run the WSMA over SSHv2 feature, the Web Services Management Agent (WSMA) agent must be configured to use a service profile that is using Secure Shell (SSH) as a transport method. The figure below shows a basic WSMA over SSHv2 network configuration. The client and server exchange keys for security and password encryption. The user ID and password of the SSHv2 session running WSMA are used for authorization and authentication purposes. The user privilege level is enforced and the client session may not have full access to the WSMA operations if the privilege level is not high enough. If authentication, authorization, and accounting (AAA) is configured, the AAA service is used as if a user had established an SSH session directly to the device. Using the existing security configuration makes the transition to WSMA almost seamless. Once the client has been successfully authenticated, the client invokes the SSH connection protocol and the SSH session is established. After the SSH session is established, the user or application invokes WSMA as an SSH subsystem. The default name for the subsystem is "wsma."
Figure 1: WSMA over SSHv2
SSHv2 runs on top of a reliable transport layer and provides strong authentication and encryption capabilities. SSHv2 provides a means to securely access and securely execute commands on another computer over a network.
Service listeners do not support SSHv1. The configuration for the SSHv2 server is similar to the configuration for SSHv1. Use the ip ssh version command to specify which version of SSH you want to configure. If you do not configure this command, SSH by default runs in compatibility mode; that is, both SSHv1 and SSHv2 connections are honored.
Note: SSHv1 is a protocol that has never been defined in a standard. If you do not want your device to fall back to the undefined protocol (version 1), use the ip ssh version command and specify version 2.
Use the ip ssh rsa keypair-name command to enable an SSH connection using Rivest, Shamir, and Adleman (RSA) keys that you have configured. If you configure the ip ssh rsa keypair-name command with a key-pair name, SSH is enabled if the key pair exists, or as soon as the key pair is generated later. If you use this command to enable SSH, you need not configure a hostname and a domain name.
To run the WSMA over HTTP feature, you must configure the Web Services Management Agent (WSMA) agent to use a service profile which is using either HTTP or Hypertext Transfer Protocol Secure (HTTPS) as a transport. For HTTPS, the client and server exchange keys for security and password encryption. The user ID and password of the HTTP or HTTPS session running WSMA are used for authorization and authentication purposes. The user privilege level is enforced and the client session may not have full access to the WSMA operations if the privilege level is not high enough. If Authentication, Authorization and Accounting (AAA) is configured, the AAA service is used as if a user had established an SSH session directly to the device. Using the existing security configuration makes the transition to WSMA almost seamless. After the HTTP or HTTPS session is established, the user or application invokes WSMA as an HTTP path. The default name for the path is "/wsma."
When you use HTTP as the transport for an initiator profile, the WSMA Notification service is available without additional configuration. However, to use the Config, Exec, and Filesys services, you must first configure keepalive messages on the initiator profile. When keepalive messages are configured, the Cisco device periodically sends a request to the remote WSMA application, which gives the remote HTTP server an opportunity to send a WSMA request.
When you use HTTP as the transport for a listener profile, the WSMA Notification service is not supported: the Cisco device acting as an HTTP server cannot send HTTP requests, it can only respond to them.
HTTP is a reliable request/response protocol that runs on top of a reliable transport layer. HTTPS provides strong authentication and encryption capabilities.
HTTP is configured with the ip http server command and HTTPS is configured using the ip http secure-server command.
You can configure access lists for use with a service listener. An access list is a sequential collection of permit and deny conditions that applies to IP addresses. The Cisco software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.
The two main tasks involved in using access lists are as follows:
The Web Services Management Agent (WSMA) IDs allow Cisco networking devices to have unique IDs. Unique IDs are important in a Network Address Translation (NAT) or Dynamic Host Configuration Protocol (DHCP) network where all the device IP addresses are locally significant. In this type of deployment, the WSMA ID can be used to give each device a globally unique ID.
The WSMA ID can be explicitly configured based on other properties of the device such as:
Whenever the WSMA ID changes, all WSMA sessions are disconnected. This protects management applications from having to resynchronize their state dynamically.
Web Services Management Agent (WSMA) security is integrated with authentication, authorization, and accounting (AAA) configuration of Cisco software. The AAA associations configured on the transport layer are used by WSMA.
WSMA is designed for point-to-point operation and works over an encrypted transport. The security on the transport layer identifies and authenticates the users.
The Web Services Security Header (WSSE) is the Simple Object Access Protocol (SOAP) security extension.
WSMA profiles can be configured to expect or ignore additional security headers in the SOAP messages, depending on the deployment mode. If a profile is configured to expect a security header, the header must follow the SOAP security extension, WSSE.
SOAP enforces authentication using the WSSE header. Any authentication errors are reported as SOAP faults. The authenticated message is passed on to the WSMA, which checks for the authorization level of the user before applying any operation. Authorization errors are reported as a WSMA error response.
If WSMA profiles are configured without the WSSE, then the security header is ignored and the transport login credentials are used for authentication. If the WSSE is expected, then the details of the security header are used to authenticate the user. If the security header is missing, the incoming message is discarded and a SOAP fault is issued.
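The two profile behaviours above (security header ignored versus required) worked through in code, as an added illustration that is not Cisco's code. It assumes the WS-Security 1.0 `UsernameToken` form of the WSSE header, a constructed credential store standing in for AAA, and SOAP 1.1 envelopes like the ones shown later on this page.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
# WS-Security 1.0 secext namespace (OASIS); assumed here as the header format.
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
CONFIG = "urn:cisco:wsma-config"

ET.register_namespace("SOAP", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed credential store standing in for the AAA back end.
USERS = {"admin": "s3cret"}


def build_envelope(commands, correlator, username=None, password=None):
    """configApply request; a wsse:UsernameToken header is added when credentials are given."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    if username is not None:
        header = ET.SubElement(env, f"{{{SOAP}}}Header")
        security = ET.SubElement(header, f"{{{WSSE}}}Security")
        token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
        ET.SubElement(token, f"{{{WSSE}}}Username").text = username
        ET.SubElement(token, f"{{{WSSE}}}Password").text = password
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, "request", {"xmlns": CONFIG, "correlator": correlator})
    data = ET.SubElement(ET.SubElement(req, "configApply"), "config-data")
    cli = ET.SubElement(data, "cli-config-data")
    for command in commands:
        ET.SubElement(cli, "cmd").text = command
    return ET.tostring(env, encoding="unicode")


def soap_fault(reason):
    """SOAP 1.1 fault returned when the profile rejects a message."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SOAP}}}Fault")
    ET.SubElement(fault, "faultcode").text = "SOAP:Client"
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env, encoding="unicode")


def authenticate(envelope_xml, wsse_expected, transport_user):
    """Apply the profile's WSSE policy. Returns ("ok", user) or ("fault", reason)."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if not wsse_expected:
        # Profile without wsse: any security header is ignored; the transport login wins.
        return ("ok", transport_user)
    if token is None:
        # Profile with wsse: a missing header means the message is discarded with a fault.
        return ("fault", "missing wsse:Security header")
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    pwd = token.findtext(f"{{{WSSE}}}Password") or ""
    if user not in USERS or not hmac.compare_digest(USERS[user], pwd):
        return ("fault", "authentication failed")
    return ("ok", user)
```

A caller that receives `("fault", reason)` answers with `soap_fault(reason)` and drops the message, which is the behaviour the text describes for a profile with `wsse` enabled.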
Each Web Services Management Agent (WSMA) service publishes its XML schema. The schema describes the XML messages that the specific WSMA service can understand and execute. The WSMA schemas define all the data required to execute an operation and ensure that operations are performed identically regardless of the type of transport used to carry the message.
A full list of WSMA schema (XSD) files is available from ftp://ftp.cisco.com/pub/wsma/schema/.
Perform this task to enable Secure Shell Version 2 (SSHv2) on your device using a hostname and domain name.
Perform this task to enable the HTTP server. The HTTP server is disabled by default. Once the HTTP server is enabled, you can configure optional server characteristics.
To disable the standard HTTP server and configure the HTTPS server with Secure Socket Layer (SSL) version 3.0, complete this task.
If a certificate authority is to be used for certification, you should declare the certificate authority (CA) trustpoint on the routing device before enabling the secure HTTP server.
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# show ip http server status` | (Optional) Displays the status of the HTTP server. |
| Example: `Device# configure terminal` | Enters global configuration mode. |
| Example: `Device(config)# no ip http server` | Disables the standard HTTP server. |
| Example: `Device(config)# ip http secure-server` | Enables the HTTPS server. |
| Example: `Device(config)# ip http secure-port 1025` | (Optional) Specifies the port number that should be used for the HTTPS server. The default port number is 443. |
| Example: `Device(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5` | (Optional) Specifies the CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. |
| Example: `Device(config)# ip http secure-client-auth` | (Optional) Configures the HTTP server to request an X.509v3 certificate from the client in order to authenticate the client during the connection process. |
| Example: `Device(config)# ip http secure-trustpoint trustpoint-01` | Specifies the CA trustpoint that should be used to obtain an X.509v3 security certificate and to authenticate the connecting client's certificate. |
| Example: `Device(config)# end` | Ends the current configuration session and returns to privileged EXEC mode. |
| Example: `Device# show ip http server secure status` | Displays the status of the HTTP secure server configuration. |
To display the status of the Secure Shell (SSH) connection on your device, use the show ssh and show ip ssh commands.
The ip ssh version command can be used for troubleshooting your SSH configuration. By changing versions, you can determine which SSH version has a problem.
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# show ssh` | Displays the status of SSH server connections. |
| Example: `Device# show ip ssh` | Displays the version and configuration data for SSH. |
The following sample output from the show ssh command displays status about SSHv2 connections:
```
Device# show ssh
Connection Version Mode Encryption Hmac     State           Username
1          2.0     IN   aes128-cbc hmac-md5 Session started lab
1          2.0     OUT  aes128-cbc hmac-md5 Session started lab
%No SSHv1 server connections running.
```
The following sample output from the show ip ssh command displays the version of SSH that is enabled, the authentication timeout values, and the number of authentication retries:
```
Device# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
```
If you configure a service initiator over HTTP or Secure HTTP (HTTPS), you must configure keepalive settings so that the Cisco device can periodically send an HTTP request to the remote Web Services Management Agent (WSMA) application, giving the remote WSMA application a chance to send WSMA requests.
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# configure terminal` | Enters global configuration mode. |
| Example: `Device(config)# wsma profile initiator prof1` | Creates a service initiator and enters WSMA initiator configuration mode. |
| Example: `Device(config-wsma-init)# encap soap12` | (Optional) Configures an encapsulation for the service initiator profile. |
| Example: `Device(config-wsma-init)# transport ssh sshserver path /mypath/bin/mywsma-app.sh user user1 6 encrypted-password` | Defines a transport configuration for the WSMA profile. |
| Example: `Device(config-wsma-init)# keepalive 100 retries 10` | (Optional) Enables keepalive messages and configures interval and retry values for a WSMA profile. |
| Example: `Device(config-wsma-init)# idle-timeout 345` | (Optional) Specifies the amount of time (in minutes) to keep the session alive in the absence of any data traffic. |
| Example: `Device(config-wsma-init)# max-message 290` | (Optional) Specifies the maximum receive message size (from 1 to 2000 kilobytes). |
| Example: `Device(config-wsma-init)# backup hold 233` | (Optional) Sets the time (in minutes) that the WSMA profile remains connected to the backup transport configuration. |
| Example: `Device(config-wsma-init)# backup excluded 30` | (Optional) Sets the time (in seconds) that the WSMA profile must wait before attempting to connect to the backup transport configuration after a connection is lost. |
| Example: `Device(config-wsma-init)# reconnect 434` | (Optional) Specifies the time for the WSMA initiator profile to wait before attempting to reconnect a session. |
| Example: `Device(config-wsma-init)# stealth` | (Optional) Configures the service to not send Simple Object Access Protocol (SOAP) fault messages in response to corrupted XML messages. |
| Example: `Device(config-wsma-init)# wsse` | (Optional) Enables the Web Services Security Header (WSSE) for a WSMA profile. |
| Example: `Device(config-wsma-init)# end` | Ends the current configuration session and returns you to privileged EXEC mode. |
Before you configure service listener over SSH, you must first configure SSH. For more information, see Enabling SSHv2 Using a Hostname and Domain Name.
Before you configure service listener over HTTP, you must first configure HTTP. For more information, see the Enabling the HTTP Server section and Enabling the HTTPS Server section.
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# configure terminal` | Enters global configuration mode. |
| Example: `Device(config)# wsma profile listener prof1` | Creates a service listener and enters WSMA listener configuration mode. |
| Example: `Device(config-wsma-listen)# encap soap12` | (Optional) Configures an encapsulation for the service listener profile. |
| Example: `Device(config-wsma-listen)# transport ssh subsys wsma` | Defines a transport configuration for the Web Services Management Agent (WSMA) profile. |
| Example: `Device(config-wsma-listen)# idle-timeout 345` | (Optional) Specifies the amount of time (in minutes) to keep the session alive in the absence of any data traffic. |
| Example: `Device(config-wsma-listen)# max-message 290` | (Optional) Specifies the maximum receive message size (from 1 to 2000 kilobytes). |
| Example: `Device(config-wsma-listen)# keepalive 100 retries 10` | (Optional) Enables keepalive messages and configures interval and retry values for a WSMA profile. |
| Example: `Device(config-wsma-listen)# acl 34` | (Optional) Defines the access control list (ACL) group to use. |
| Example: `Device(config-wsma-listen)# stealth` | (Optional) Configures the service to not send Simple Object Access Protocol (SOAP) fault messages in response to corrupted XML messages. |
| Example: `Device(config-wsma-listen)# wsse` | (Optional) Enables the Web Services Security Header (WSSE) for a WSMA profile. |
| Example: `Device(config-wsma-listen)# end` | Ends the current configuration session and returns you to privileged EXEC mode. |
Perform this task to enable a specific Web Services Management Agent (WSMA) service and associate it with a profile.
A WSMA initiator or listener profile must be configured and enabled.
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# configure terminal` | Enters global configuration mode. |
| Example: `Device(config)# wsma agent config profile prof1` | Enables the WSMA and associates it with a profile. |
Perform this task to assign unique Web Services Management Agent (WSMA) IDs to Cisco networking devices.
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# configure terminal` | Enters global configuration mode. |
| Example: `Device(config)# wsma id ip-address fastethernet 0/1` | Assigns unique WSMA IDs to Cisco networking devices. |
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# show wsma agent config counters` | Displays the specified statistics counters, or schema for the Web Services Management Agent (WSMA). |
| Example: `Device# debug wsma agent config` | Enables debugging of the WSMA. |
| Example: `Device# clear wsma agent filesys counters` | Clears WSMA statistics counters. |
The following example shows how to display the WSMA configuration agent counters. The counters return the following information:
```
Device# show wsma agent counters
WSMA Exec Agent Statistics:
    messages received 0, replies sent 0, faults 0
WSMA Config Agent Statistics:
    messages received 4, replies sent 4, faults 0
WSMA Filesys Agent Statistics:
    messages received 1, replies sent 1, faults 0
WSMA Notification Agent Statistics:
    config silent
    messages received 0, replies sent 0, notifications sent 0, faults 0
```
The following example shows how to display the WSMA configuration schema:
```
Device# show wsma agent config schema
New Name Space 'urn:cisco:wsma-config'
<VirtualRootTag> [0, 1] required
  <WSMA-Config> [0, 1] required
    <request> 1 required
      <config-data> 1 required
        <cli-config-data> [0, 1] required
          <cmd> 1+ required
        <cli-config-data-block> [0, 1] required
        <xml-config-data> [0, 1] required
          <Device-Configuration> [0, 1] required
            <> any subtree is allowed
```
Perform this task to monitor and maintain Web Services Management Agent (WSMA) profiles.
| Command or Action | Purpose |
|---|---|
| Example: `Device> enable` | Enables privileged EXEC mode. |
| Example: `Device# show wsma profile connections` | Displays the specified service profile connections, statistics counters, or schema. |
| Example: `Device# debug wsma profile listener` | Enables debugging of WSMA profiles. |
| Example: `Device# clear wsma profile prof1 counters` | Clears WSMA profile sessions or statistic counters. |
An XML payload is typically wrapped in a Simple Object Access Protocol (SOAP) message for data transportation. Without a correct design of SOAP messages, an XML payload may not be exchanged properly even if the payload follows a common XML schema. The XML payload is identical over all transports. Web Services Management Agent (WSMA) supports both SOAP 1.1 and SOAP 1.2. The SOAP header supports two modes of security, no wsse and wsse.
The following XML messages show how WSMA payloads are delivered inside SOAP envelopes; each message ends with the `]]>]]>` end-of-message marker:
<?xml version="1.0" encoding="UTF-8"?> <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SOAP:Body> <request xmlns="urn:cisco:wsma-exec" correlator="01"> <execCLI> <cmd>ping oz-dirt</cmd> </execCLI> </request> </SOAP:Body> </SOAP:Envelope>]]>]]>
<?xml version="1.0" encoding="UTF-8"?> <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SOAP:Body> <response xmlns="urn:cisco:wsma-exec" correlator="01" success="1"> <execLog> <dialogueLog> <sent>ping oz-dirt</sent> <received>Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.3.1.4, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms</received> </dialogueLog> </execLog> </response> </SOAP:Body> </SOAP:Envelope>]]>]]>
<?xml version="1.0" encoding="UTF-8"?> <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SOAP:Body> <request xmlns="urn:cisco:wsma-config" correlator="4.1"> <configApply details="all"> <config-data> <cli-config-data> <cmd>no cns config partial mixy</cmd> <cmd>no stupid</cmd> <cmd>no cns exec 80 </cmd> </cli-config-data> </config-data> </configApply> </request> </SOAP:Body> </SOAP:Envelope>]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-config" correlator="4.1" success="1">
      <resultEntry lineNumber="1" cliString="no cns config partial mixy">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
      <resultEntry lineNumber="2" cliString="no stupid">
        <failure errorType="TEMPORARY" errorCode="PARSE_ERROR_NOMATCH" />
      </resultEntry>
      <resultEntry lineNumber="3" cliString="no cns exec 80 ">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <request xmlns="urn:cisco:wsma-config" correlator="5.1">
      <configApply details="all">
        <config-data>
          <cli-config-data-block>no cns config partial mixy
no stupid
no cns exec 80</cli-config-data-block>
        </config-data>
      </configApply>
    </request>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-config" correlator="5.1" success="1">
      <resultEntry lineNumber="1" cliString="no cns config partial mixy">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
      <resultEntry lineNumber="2" cliString="no stupid">
        <failure errorType="TEMPORARY" errorCode="PARSE_ERROR_NOMATCH" />
      </resultEntry>
      <resultEntry lineNumber="3" cliString="no cns exec 80">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <request xmlns="urn:cisco:wsma-config" correlator="6.1">
      <configApply details="all">
        <config-data>
          <xml-config-data>
            <Device-Configuration>
              <cns operation="delete" >
                <config>
                  <partial>
                    <HostNameAddressConfigurationServer>mixy</HostNameAddressConfigurationServer>
                    <PortNumberConfigServiceDefault80>80</PortNumberConfigServiceDefault80>
                  </partial>
                </config>
              </cns>
              <stupid operation="delete" />
              <cns operation="delete" >
                <exec>
                  <P>80</P>
                </exec>
              </cns>
            </Device-Configuration>
          </xml-config-data>
        </config-data>
      </configApply>
    </request>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-config" correlator="6.1" success="1">
      <resultEntry lineNumber="1" cliString="no cns config partial mixy 80">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
      <resultEntry lineNumber="2" cliString="no stupid">
        <failure errorType="TEMPORARY" errorCode="PARSE_ERROR_NOMATCH" />
      </resultEntry>
      <resultEntry lineNumber="3" cliString="no cns exec 80">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>
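Note that every configApply response above reports success="1" on the <response> element even though line 2 failed with PARSE_ERROR_NOMATCH: the envelope-level flag only says the request was processed, and a client has to walk each <resultEntry> to learn which CLI lines actually took effect. The following Python parser is an added example (not Cisco code and not part of the original document): it strips the ]]>]]> delimiter that terminates each message in the examples above, resolves the SOAP and urn:cisco:wsma-config namespaces, and returns one record per CLI line. The embedded sample is a constructed copy of the correlator 4.1 response.

```python
"""Parse a WSMA configApply response and report per-line results."""
import xml.etree.ElementTree as ET

# Each WSMA message in the examples ends with this delimiter; it is not XML
# and must be removed before the parser sees the document.
WSMA_DELIMITER = "]]>]]>"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONFIG_NS = "urn:cisco:wsma-config"

# Constructed sample, copied from the correlator 4.1 response shown above.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-config" correlator="4.1" success="1">
      <resultEntry lineNumber="1" cliString="no cns config partial mixy">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
      <resultEntry lineNumber="2" cliString="no stupid">
        <failure errorType="TEMPORARY" errorCode="PARSE_ERROR_NOMATCH" />
      </resultEntry>
      <resultEntry lineNumber="3" cliString="no cns exec 80 ">
        <success change="NO_CHANGE" mode="IMMEDIATE" />
      </resultEntry>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>"""


def strip_delimiter(message: str) -> str:
    """Remove the trailing ]]>]]> framing delimiter, if present."""
    message = message.rstrip()
    if message.endswith(WSMA_DELIMITER):
        message = message[: -len(WSMA_DELIMITER)]
    return message


def parse_config_response(message: str) -> dict:
    """Return correlator, envelope-level success flag and one entry per CLI line."""
    root = ET.fromstring(strip_delimiter(message))
    response = root.find(f"{{{SOAP_NS}}}Body/{{{CONFIG_NS}}}response")
    if response is None:
        raise ValueError("not a wsma-config response")
    entries = []
    for entry in response.findall(f"{{{CONFIG_NS}}}resultEntry"):
        success = entry.find(f"{{{CONFIG_NS}}}success")
        failure = entry.find(f"{{{CONFIG_NS}}}failure")
        entries.append({
            "line": int(entry.get("lineNumber")),
            "cli": entry.get("cliString", "").strip(),
            "ok": success is not None and failure is None,
            "change": success.get("change") if success is not None else None,
            "error_type": failure.get("errorType") if failure is not None else None,
            "error_code": failure.get("errorCode") if failure is not None else None,
        })
    return {
        "correlator": response.get("correlator"),
        "envelope_success": response.get("success") == "1",
        "entries": entries,
    }


def failed_lines(parsed: dict) -> list:
    """CLI lines the device rejected, regardless of the envelope-level flag."""
    return [e for e in parsed["entries"] if not e["ok"]]


def all_lines_applied(parsed: dict) -> bool:
    """True only when every line was accepted; the envelope flag alone is not enough."""
    return parsed["envelope_success"] and not failed_lines(parsed)


if __name__ == "__main__":
    result = parse_config_response(SAMPLE_RESPONSE)
    for entry in failed_lines(result):
        print(f"line {entry['line']} ({entry['cli']!r}) failed: {entry['error_code']}")
    print("all applied:", all_lines_applied(result))
```

A push that is treated as a transaction should call all_lines_applied() and roll back or alert when it returns False; matching on the correlator ties the result back to the request that carried the same value.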
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <request xmlns="urn:cisco:wsma-filesystem" correlator="2">
      <fileList/>
    </request>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-filesystem" correlator="2" success="1">
      <fileSystemList>
        <fileSystem name="nvram" type="nvram" size="522232" freespace="516471" readable="true" writeable="true">
          <directory name="/" fullName="nvram:/" readFlag="true" writeFlag="true">
            <file name="startup-config" fullName="nvram:/startup-config" size="2134" readFlag="true" writeFlag="true"/>
            <file name="private-config" fullName="nvram:/private-config" size="1527" readFlag="false" writeFlag="false"/>
            <file name="underlying-config" fullName="nvram:/underlying-config" size="2134" readFlag="true" writeFlag="true"/>
            <file name="persistent-data" fullName="nvram:/persistent-data" size="99" readFlag="false" writeFlag="false"/>
            <file name="ifIndex-table" fullName="nvram:/ifIndex-table" size="0" readFlag="true" writeFlag="true"/>
          </directory>
        </fileSystem>
        <fileSystem name="disk2" type="disk" size="64229376" freespace="63987712" readable="true" writeable="true">
          <directory name="/" fullName="disk2:/" readFlag="true" writeFlag="true" modDate="1979-11-30T00:00:00.000Z">
            <file name="spec.odm" fullName="disk2:/spec.odm" size="131739" readFlag="true" writeFlag="true" modDate="2007-08-31T05:11:36.000Z"/>
          </directory>
        </fileSystem>
        <fileSystem name="bootflash" type="flash" size="14942208" freespace="8455208" readable="true" writeable="true">
          <directory name="/" fullName="bootflash:/" readFlag="true" writeFlag="true">
            <file name="c7200-kboot-mz.bw" fullName="bootflash:/c7200-kboot-mz.bw" size="5131872" readFlag="true" writeFlag="true" modDate="1999-11-30T00:01:47.000Z"/>
            <file name="startup-config.base" fullName="bootflash:/startup-config.base" size="1808" readFlag="true" writeFlag="true" modDate="1999-11-30T00:23:26.000Z"/>
            <file name="startup-config.12dec03.balam" fullName="bootflash:/startup-config.12dec03.balam" size="1598" readFlag="true" writeFlag="true" modDate="2000-01-05T22:54:50.000Z"/>
          </directory>
        </fileSystem>
      </fileSystemList>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <request xmlns="urn:cisco:wsma-filesystem" correlator="12">
      <fileCopy erase="0" overwrite="1" filesize="131739">
        <srcURL>tftp://oz-dirt/jbalestr/spec.odm</srcURL>
        <dstURL>test</dstURL>
      </fileCopy>
    </request>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-filesystem" correlator="12" success="1">
      <copyStatus></copyStatus>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <request xmlns="urn:cisco:wsma-filesystem" correlator="6">
      <fileDelete>
        <deleteFileList>
          <filename>brick</filename>
        </deleteFileList>
      </fileDelete>
    </request>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-filesystem" correlator="6" success="1">
      <deleteStatusList>
        <deleteStatus>
          <fileName>brick</fileName>
          <status>DELETED</status>
        </deleteStatus>
      </deleteStatusList>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>
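The filesystem exchange above lets an authenticated WSMA client enumerate, copy over and delete files, including the startup configuration, and the fileCopy request shown pulls its source over TFTP without any integrity check. The wsma-filesystem schema listing later on this page shows that fileCopy may carry a validationInfo/md5CheckSum element, which gives the device a checksum to compare the transferred file against. The following Python is an added example (not Cisco code, not from the original page): it flattens a fileList response into an inventory, reports which files the client could overwrite, and builds a fileCopy request that includes the checksum. The element order srcURL, dstURL, validationInfo is assumed from the schema listing; the embedded fileList is a shortened constructed copy of the correlator 2 response; the TFTP host and destination path in the test are placeholders.

```python
"""Inventory a WSMA fileList response and build a fileCopy request with checksum validation."""
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSMA_DELIMITER = "]]>]]>"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FS_NS = "urn:cisco:wsma-filesystem"

# Constructed sample: a shortened copy of the correlator 2 fileList response above.
SAMPLE_FILELIST = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-filesystem" correlator="2" success="1">
      <fileSystemList>
        <fileSystem name="nvram" type="nvram" size="522232" freespace="516471" readable="true" writeable="true">
          <directory name="/" fullName="nvram:/" readFlag="true" writeFlag="true">
            <file name="startup-config" fullName="nvram:/startup-config" size="2134" readFlag="true" writeFlag="true"/>
            <file name="private-config" fullName="nvram:/private-config" size="1527" readFlag="false" writeFlag="false"/>
          </directory>
        </fileSystem>
        <fileSystem name="disk2" type="disk" size="64229376" freespace="63987712" readable="true" writeable="true">
          <directory name="/" fullName="disk2:/" readFlag="true" writeFlag="true">
            <file name="spec.odm" fullName="disk2:/spec.odm" size="131739" readFlag="true" writeFlag="true" modDate="2007-08-31T05:11:36.000Z"/>
          </directory>
        </fileSystem>
      </fileSystemList>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>"""


def _strip_delimiter(message: str) -> str:
    body = message.rstrip()
    return body[: -len(WSMA_DELIMITER)] if body.endswith(WSMA_DELIMITER) else body


def parse_file_list(message: str) -> list:
    """Flatten every <file> in the response into one dict per file."""
    root = ET.fromstring(_strip_delimiter(message))
    files = []
    for fs in root.iter(f"{{{FS_NS}}}fileSystem"):
        for f in fs.iter(f"{{{FS_NS}}}file"):
            files.append({
                "fs": fs.get("name"),
                "fs_type": fs.get("type"),
                "path": f.get("fullName"),
                "size": int(f.get("size", "0")),
                "readable": f.get("readFlag") == "true",
                "writable": f.get("writeFlag") == "true",
                "modified": f.get("modDate"),
            })
    return files


def writable_files(files: list) -> list:
    """Paths a WSMA client with filesystem access could overwrite through fileCopy."""
    return [f["path"] for f in files if f["writable"]]


def build_file_copy(correlator: str, src_url: str, dst_url: str, content: bytes, overwrite: bool = False) -> str:
    """Build a fileCopy request carrying validationInfo/md5CheckSum for the expected content.

    Element order srcURL, dstURL, validationInfo is assumed from the schema listing on this page.
    """
    md5 = hashlib.md5(content).hexdigest()
    attr = {'"': "&quot;"}
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<SOAP:Envelope xmlns:SOAP="{SOAP_NS}"><SOAP:Body>'
        f'<request xmlns="{FS_NS}" correlator="{escape(correlator, attr)}">'
        f'<fileCopy erase="0" overwrite="{1 if overwrite else 0}" filesize="{len(content)}">'
        f"<srcURL>{escape(src_url)}</srcURL><dstURL>{escape(dst_url)}</dstURL>"
        f"<validationInfo><md5CheckSum>{md5}</md5CheckSum></validationInfo>"
        "</fileCopy></request></SOAP:Body></SOAP:Envelope>" + WSMA_DELIMITER
    )


def request_well_formed(message: str) -> bool:
    """Round-trip check: the built request parses and carries a checksum element."""
    root = ET.fromstring(_strip_delimiter(message))
    path = "/".join(f"{{{FS_NS}}}{tag}" for tag in ("request", "fileCopy", "validationInfo", "md5CheckSum"))
    return root.find(f"{{{SOAP_NS}}}Body/{path}") is not None
```

The MD5 here is what the schema offers; it detects a corrupted or truncated transfer, not a deliberate substitution, so the source server and the path to it still need to be trusted or the transport protected, and the writable_files() list is a useful inventory of what a compromised management credential could change.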
configure terminal
hostname host1
ip domain-name example.com
crypto key generate rsa
ip ssh timeout 120
ip ssh version 2

configure terminal
ip ssh rsa keypair-name sshkeys
crypto key generate rsa usage-keys label sshkeys modulus 768
ip ssh timeout 120
ip ssh version 2

configure terminal
wsma agent config profile prof

configure terminal
wsma profile initiator ssh-test
transport ssh sshserver path /mypath/bin/mywsma-app.sh user user1 6 encrypted-password

configure terminal
wsma profile listener mySession
encap soap12
transport ssh subsys wsma
acl 34
exit
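The command sequences above first prepare SSH (hostname, domain name, RSA key pair, SSH version 2) and then define WSMA initiator and listener profiles. The following Python lint is an added example, not part of the document and not Cisco tooling: it reads such a snippet and flags the settings a configuration reviewer would question, namely an RSA modulus below 2048 bits (the 768-bit modulus in the second sequence is below the current NIST minimum, and a 768-bit RSA key was publicly factored in 2009), an SSH version not pinned to 2, and a listener profile that has no acl or that accepts plaintext HTTP. The embedded snippet is constructed from the commands above plus a hypothetical listener named web with a transport http line, whose exact syntax is assumed, so that the listener checks have something to report.

```python
"""Lint an IOS SSH/WSMA configuration snippet for weak settings."""
import re

# Floor from NIST SP 800-131A; RSA-768 was factored in 2009, so 768 is far below it.
MIN_RSA_MODULUS = 2048

# Constructed sample: the commands shown above, plus a hypothetical "web" listener
# (its "transport http" syntax is assumed) so the listener checks produce findings.
SAMPLE_CONFIG = """
hostname host1
ip domain-name example.com
ip ssh rsa keypair-name sshkeys
crypto key generate rsa usage-keys label sshkeys modulus 768
ip ssh timeout 120
ip ssh version 2
wsma profile initiator ssh-test
 transport ssh sshserver path /mypath/bin/mywsma-app.sh user user1 6 encrypted-password
wsma profile listener mySession
 encap soap12
 transport ssh subsys wsma
 acl 34
wsma profile listener web
 transport http
"""


def parse_sections(config: str) -> list:
    """Split a config into (command, [sub-commands]); indented lines belong to the preceding top-level line."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config: str) -> list:
    """Return (severity, message) findings for the weak settings this lint knows about."""
    findings = []
    ssh_version = None
    for cmd, subs in parse_sections(config):
        if cmd.startswith("crypto key generate rsa"):
            m = re.search(r"\bmodulus\s+(\d+)", cmd)
            if m is None:
                findings.append(("medium", "RSA key generated without an explicit modulus"))
            elif int(m.group(1)) < MIN_RSA_MODULUS:
                findings.append(("high", f"RSA modulus {m.group(1)} is below {MIN_RSA_MODULUS} bits"))
        elif cmd.startswith("ip ssh version"):
            ssh_version = cmd.split()[-1]
        elif cmd.startswith("wsma profile listener"):
            name = cmd.split()[-1]
            if not any(s.startswith("acl ") for s in subs):
                findings.append(("medium", f"listener {name} has no acl restricting client addresses"))
            if any(s == "transport http" or s.startswith("transport http ") for s in subs):
                findings.append(("high", f"listener {name} accepts plaintext HTTP"))
    if ssh_version != "2":
        findings.append(("high", "ip ssh version 2 is not enforced"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

The listener named mySession produces no findings because it uses the SSH transport and carries an acl; the point of the acl is that WSMA listeners otherwise answer any client that can authenticate, so the permitted management addresses should be pinned in configuration rather than left to the network.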
Device# show wsma profile connections
Listener Profile http: 0 open connections: 0 closing connections
Encap: soap11
WSSE header is required
Max message (RX) is 50 Kbytes
SOAP Faults are sent
Idle timeout infinite
Keepalive not configured
Listening via http
Listening to path /wsma. Max Idle 0 ms. Accepting post on plaintext connections.
Established at 01:11:04.207 UTC Tue Jan 12 2010
Tx 493475 bytes (90 msg), Tx 0 errors,
Last message sent at 05:18:08.539 UTC Sat Feb 20 2010
Rx 59457 bytes (90 msg), 0 empty msg
Last message received at 05:18:08.295 UTC Sat Feb 20 2010
Listener Profile ssh: 2 open connections: 0 closing connections
Encap: soap11
WSSE header is required
Max message (RX) is 50 Kbytes
SOAP Faults are sent
Idle timeout infinite
Keepalive not configured
Listening via ssh
SSH listener, 10 sessions accepted, 0 sessions rejected
Connected sessions...
Remote connection via SSH by user(cisco) from 172.16.29.134:44457, state connect
Established at 01:14:03.184 UTC Thu Mar 11 2010
Tx 1183 bytes (2 msg), Tx 0 errors,
Last message sent at 01:14:48.565 UTC Thu Mar 11 2010
Rx 10 bytes (1 msg), 0 empty msg
Last message received at 01:14:48.565 UTC Thu Mar 11 2010
Remote connection via SSH by user(cisco) from 172.16.154.90:45404, state connect
Established at 01:14:28.041 UTC Thu Mar 11 2010
Tx 1183 bytes (2 msg), Tx 0 errors,
Last message sent at 01:14:54.437 UTC Thu Mar 11 2010
Rx 7 bytes (1 msg), 1 empty msg
Last message received at 01:14:54.437 UTC Thu Mar 11 2010
Initiator Profile ssh-init: 0 open connections: 0 closing connections
Encap: soap11
WSSE header is required
Max message (RX) is 50 Kbytes
SOAP Faults are sent
Idle timeout infinite
Keepalive not configured
Reconnect time 60 seconds
No transport configured
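The output above shows the operational state a reviewer cares about: the http listener is accepting posts on plaintext connections, the ssh listener has two open sessions with their source addresses and user names, and every profile requires a WSSE header. The following Python is an added example (not Cisco code, not from the original page) that parses show wsma profile connections into per-profile records and reviews them for plaintext listeners, profiles that do not require a WSSE header, and sessions originating outside an allow-list of management networks. The embedded sample is a trimmed constructed copy of the output above; the allow-list networks are assumptions.

```python
"""Parse 'show wsma profile connections' output and review it against an allow-list."""
import ipaddress
import re

PROFILE_RE = re.compile(r"^(Listener|Initiator) Profile (\S+): (\d+) open connections: (\d+) closing connections")
SESSION_RE = re.compile(r"^Remote connection via (\S+) by user\((\S+)\) from (\S+):(\d+), state (\S+)")

# Constructed sample: a trimmed copy of the show output above.
SAMPLE_OUTPUT = """Listener Profile http: 0 open connections: 0 closing connections
Encap: soap11
WSSE header is required
Max message (RX) is 50 Kbytes
Listening via http
Listening to path /wsma. Max Idle 0 ms. Accepting post on plaintext connections.
Established at 01:11:04.207 UTC Tue Jan 12 2010
Listener Profile ssh: 2 open connections: 0 closing connections
Encap: soap11
WSSE header is required
Listening via ssh
SSH listener, 10 sessions accepted, 0 sessions rejected
Connected sessions...
Remote connection via SSH by user(cisco) from 172.16.29.134:44457, state connect
Established at 01:14:03.184 UTC Thu Mar 11 2010
Remote connection via SSH by user(cisco) from 172.16.154.90:45404, state connect
Established at 01:14:28.041 UTC Thu Mar 11 2010
Initiator Profile ssh-init: 0 open connections: 0 closing connections
Encap: soap11
WSSE header is required
Reconnect time 60 seconds
No transport configured
"""


def parse_profiles(text: str) -> list:
    """Group the output by profile header and collect the attributes and sessions under each."""
    profiles = []
    for line in text.splitlines():
        line = line.strip()
        m = PROFILE_RE.match(line)
        if m:
            profiles.append({
                "kind": m.group(1), "name": m.group(2),
                "open": int(m.group(3)), "closing": int(m.group(4)),
                "encap": None, "wsse_required": False, "transport": None,
                "plaintext": False, "sessions": [],
            })
            continue
        if not profiles:
            continue  # ignore anything before the first profile header
        cur = profiles[-1]
        if line.startswith("Encap: "):
            cur["encap"] = line.split(": ", 1)[1]
        elif line == "WSSE header is required":
            cur["wsse_required"] = True
        elif line.startswith("Listening via "):
            cur["transport"] = line.split("via ", 1)[1]
        elif "plaintext connections" in line:
            cur["plaintext"] = True
        else:
            s = SESSION_RE.match(line)
            if s:
                cur["sessions"].append({
                    "transport": s.group(1), "user": s.group(2),
                    "address": s.group(3), "port": int(s.group(4)), "state": s.group(5),
                })
    return profiles


def review(profiles: list, allowed_sources: list) -> list:
    """Findings: plaintext listeners, missing WSSE requirement, sessions outside allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for p in profiles:
        if p["plaintext"]:
            findings.append(f"profile {p['name']} accepts plaintext {p['transport']} posts")
        if not p["wsse_required"]:
            findings.append(f"profile {p['name']} does not require a WSSE header")
        for s in p["sessions"]:
            addr = ipaddress.ip_address(s["address"])
            if not any(addr in n for n in nets):
                findings.append(
                    f"profile {p['name']}: session by {s['user']} from {s['address']} "
                    "is outside the allowed management sources"
                )
    return findings


if __name__ == "__main__":
    # Assumed allow-list: only the 172.16.29.0/24 management segment is expected.
    for finding in review(parse_profiles(SAMPLE_OUTPUT), ["172.16.29.0/24"]):
        print(finding)
```

Run periodically against collected output, the review() results make a reasonable detection feed: a new source address on the ssh listener or a listener flipping to plaintext is worth an alert even when the device itself reports every session as successfully authenticated.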
The following example shows how to display information about Web Services Management Agent (WSMA) profile counters:
Device# show wsma profile counters
Statistics for profile http
incoming total 90, bad XML 0, authentication errors 0, oversized 0
outgoing total 90, absorbed 0
message internal errors 0
Connection Accepts 90, local hangup 0, remote hangup 90, keepalive hangup 0
session internal errors 0
Statistics for profile ssh
incoming total 9, bad XML 2, authentication errors 0, oversized 0
outgoing total 20, absorbed 0
message internal errors 0
Connection Accepts 8, local hangup 0, remote hangup 8, keepalive hangup 0
session internal errors 0
The following example shows how to display information about WSMA profile schema:
Device# show wsma profile schema
Schema http
New Name Space ''
<VirtualRootTag> [0, 1] required
New Name Space 'http://schemas.xmlsoap.org/soap/envelope/'
<Envelope> 1+ required
<Header> any subtree is allowed
<Body> 1 required
<Fault> [0, 1] required
<faultcode> 1 required
<faultstring> 1 required
<faultactor> [0, 1] required
<detail> any subtree is allowed
New Name Space 'urn:cisco:exec'
<request> [0, 1] required
<execCLI> 1+ required
<cmd> 1 required
<dialogue> 0+ required
<expect> 1 required
<reply> 1 required
New Name Space 'urn:cisco:wsma-config'
<request> [0, 1] required
<config-data> 1 required
<cli-config-data> [0, 1] required
<cmd> 1+ required
<cli-config-data-block> [0, 1] required
<xml-config-data> [0, 1] required
<Device-Configuration> [0, 1] required
<> any subtree is allowed
New Name Space 'urn:cisco:wsma-filesystem'
<request> [0, 1] required
<fileList> [0, 1] required
<fileDelete> [0, 1] required
<deleteFileList> 1 required
<filename> 1+ required
<fileCopy> [0, 1] required
<srcURL> 1 required
<dstURL> 1 required
<validationInfo> [0, 1] required
<md5CheckSum> 1 required
<deleteFileList> [0, 1] required
<filename> 1+ required
New Name Space 'urn:cisco:wsma-notify'
<request> [0, 1] required
Schema example1
New Name Space ''
<VirtualRootTag> [0, 1] required
New Name Space 'http://schemas.xmlsoap.org/soap/envelope/'
<Envelope> 1+ required
<Header> any subtree is allowed
<Body> 1 required
<Fault> [0, 1] required
<faultcode> 1 required
<faultstring> 1 required
<faultactor> [0, 1] required
<detail> any subtree is allowed
| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | |
| WSMA commands | |
| IP access lists | Security Configuration Guide: Access Control Lists in the Securing the Data Plane Configuration Guide Library |
| IP access lists commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS Security Command Reference |
| Public Key Infrastructure | Public Key Infrastructure Configuration Guide in the Secure Connectivity Configuration Guide Library |
| Secure Shell and Secure Shell Version 2 | Secure Shell Configuration Guide in the Securing User Services Configuration Guide Library |
| Security commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS Security Command Reference |
| WSMA schema files in XSD format | |
| RFC | Title |
|---|---|
| RFC 2132 | DHCP Options and BOOTP Vendor Extensions |
| RFC 2246 | The TLS Protocol Version 1.0 |
| RFC 4251 | The Secure Shell (SSH) Protocol Architecture |
| RFC 4252 | The Secure Shell (SSH) Authentication Protocol |
| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for Web Services Management Agent

| Feature Name | Releases | Feature Information |
|---|---|---|
| Web Services Management Agent | 12.2(50)SY, 12.4(24)T, 15.1(1)SG, 15.1(1)T, Cisco IOS XE Release 3.3SG | The WSMA feature enables you to perform network configurations via the Cisco CLI over an encrypted transport. The WSMA protocol defines a set of web services through which a network device can be managed, configuration data information can be retrieved, and new configuration data can be uploaded and manipulated. WSMA uses an XML-based data encoding for configuration data and protocol messages. In Cisco IOS Release 15.1(1)T this feature was modified to include support for both listener and initiator profiles. The following commands were introduced: acl, clear wsma agent, clear wsma profile, debug wsma agent, debug wsma profile, encap, idle-timeout, max-message, show wsma agent, show wsma id, show wsma profile, stealth, transport, wsma agent, wsma id, wsma profile. |
SSHv2 --Secure Shell Version 2. SSH runs on top of a reliable transport layer and provides strong authentication and encryption capabilities. SSHv2 provides a means to securely access and securely execute commands on another computer over a network.
WSMA --Web Services Management Agent. A protocol that defines a set of web services through which a network device can be managed, configuration data information can be retrieved, and new configuration data can be uploaded and manipulated.
XML --Extensible Markup Language. A standard maintained by the World Wide Web Consortium (W3C) that defines a syntax that lets you create markup languages to specify information structures. Information structures define the type of information (for example, subscriber name or address), not how the information looks (bold, italic, and so on). External processes can manipulate these information structures and publish them in a variety of formats. XML allows you to define your own customized markup language.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.