Release Notes for CiscoWorks Network Compliance Manager 1.8.01
Published: September 2012, OL-28028-01
These release notes are for CiscoWorks Network Compliance Manager (NCM) 1.8.01. It contains the following sections:
Note The Docs tab provided in the CiscoWorks NCM user interface might not include links to the latest documents. Therefore, we recommend that you access the CiscoWorks NCM documentation set using the following URL: http://www.cisco.com/en/US/products/ps6923/tsd_products_support_series_home.html
CiscoWorks NCM tracks and regulates configuration and software changes in a multivendor network environment. It provides visibility into network changes and tracks compliance with a broad variety of regulatory, IT, corporate governance, and technology requirements. CiscoWorks NCM helps IT staff identify and correct trends that could lead to problems, such as network instability and service interruption.
Installing the CiscoWorks NCM 1.8.01 Patch
To install the NCM patch:
Step 1 On the NCM server, unzip the patch bundle.
Step 2 From the command line, run the patch script.
For Windows, either double-click the patch.bat script or run the following command:
C:\> patch.bat
For Linux or Solaris, run one of the following commands:
% sh patch.sh
Note The patch process creates a patch.log file in the <NCM_HOME>/server/log directory. In the event of an error during the patch installation process, the error is logged to this file.
Step 3 After installing the patch, clear the web browser cache for each user.
Note In a Multimaster or Horizontal Scalability environment, follow this installation approach:
1. On all NCM servers, stop all NCM services.
2. Apply this patch to all NCM servers.
3. On all NCM servers, restart the NCM services.
What's Been Fixed in CiscoWorks NCM 1.8.01
Table 1 describes the issues fixed in CiscoWorks NCM 1.8.01.
Table 1 Issues Fixed in CiscoWorks NCM 1.8.01
Bug Id Bug Summary
Show the core ID for a task when using Horizontal Scalability
Track how long a device has been out of compliance
Provide options for configuring the determination of who actually made a change on the device (See Additional Information, below.)
Reports should reflect the actual time started, finished, and duration for tasks
Provision Device From Template menu doesn't progress to the next page
Failed task status always reported as 'Running'
Exception thrown when checking "list active policies only"
CiscoCatNative: the snapshot failover from SCP to TFTP does not work correctly
Import/Export to Word for compliance policies/rules
Provide a way to enable command script task session logging through the API
Last Access Time and Last Snapshot Result show wrong values (See Additional Information, below.)
Update SWIM library
The device hostname should not be case sensitive
Link for "Other End" shows incorrect data
Script text box does not display after searching devices/groups
The NCM proxy cursor does not properly react on Cisco ACE devices
Expect fails to set timeout
Save 'Update Device Software task' error when selecting '*.bin' software image file
BlockType 'raw' in the table RN_DEVICE_DATA
VLAN search results are not predictable
User with Existing View Permission Role selected and created View Partition Permissions checked is unable to see checkboxes when comparing two configurations from different devices (Devices > Configuration Changes)
Enhanced custom data "limit values to" field is limited to 100 characters
Rule Exception Expire Date field needs to include future years
Command script run by a user with custom permissions throws NPE
Reports > Search For > Interfaces displays incorrect "Negotiated Duplex" information
When creating a command script or advanced command script with the Multiline option selected, the "Limit Values To" box is restricted to 255 characters
Generate a session log when running an advanced command script through the API
User permission denial throws a java exception
Advanced script does not use the last used password
WSDL operation show_device missing Site Name as output
Cannot edit partition
HPSA and TACACS+ authentication failover does not work when SA is unavailable
Import deactivates device templates
Connection through bastion host fails.
CiscoWorks NNMi-CiscoWorks NCM integration: NCM does not interact correctly with NNMi for devices not in the "Default Site" partition (See Additional Information, below.)
NCM import not updating console server port
Problem exporting device passwords using tc_tools.sh
Reroute to NCM logon page loses the target link
SNMPv2c is not used during driver discovery
LDAP Setup Wizard using Generic LDAP and SSL
Issue with addins directory
Issue with selecting device on run command script
Compliance search "View Search Result as CSV File": unchecked policy rule displayed as 'Yes' for Rule Compliance, instead of "Not Checked Yet"
NCM WSDL - list_task output generates too much data
Perl script will not save as "Auto Remediation" task
Any user can edit other user-defined reports, regardless of permissions
Compliance report CSV export results in discrepancies
Runtime exception error in jboss_wrapper for RN_DeviceLastUsed duplicate records
Configuration change report with "include result details" formatted incorrectly in CSV output
UI error when clicking on A10 interface detail
Incorrect checkmark behavior when importing scripts, diagnostics, or compliance policies
Duplicate results when searching in diagnostics
Policy import should fail if dependency (diagnostics) is missing
Some non-administrator users are unable to view device configurations
Event Notification Rule not updating
Need to allow special characters in policy name and description
Permissions problem when creating a command from the configuration templates for a specific partition
Global "Change Detection and Polling" settings and Driver Discovery
Unable to re-run auto-remediation command script
Problem with compliance search export
View > Current Configuration does not always show the correct configuration
NCM reports an older configuration as the current device configuration for some devices (See Additional Information, below.)
Very large number of error messages filling jboss_wrapper.log when running large diagnostic tasks
Dynamic device group membership computation should be triggered when case-sensitivity is changed
Check Configuration Compliance Report shows policy rule passed, but manual run fails
User Reports Add To Favorites is broken
Need to allow Special Characters in Policy Detailed Description and Solution
Installer with documented workaround and tc_tools.sh doesn't work with Oracle service name, works with SID
Additional Information
Some of the fixes detailed here require additional manual steps or .rcx file modifications. The .rcx files are located in the <NCM_HOME>/jre directory.
Unless otherwise directed, it is recommended to make all changes to the adjustable_options.rcx file. Other files might be overwritten during an NCM upgrade.
Note Before modifying .rcx files, back up the current .rcx files to a location outside of the NCM directory structure. (NCM reads all .rcx files within the NCM directory structure.)
This fix provides a way to adjust the priorities that NCM uses for associating a user to a specific device change. By default, NCM uses the following priorities (1 is the highest priority):
1. User who scheduled a password change that was run on the device.
2. User who scheduled a software update that was run on the device.
3. User who deployed a configuration to the device.
4. User who ran a script on the device.
5. User who connected to the device through the system's proxy.
6. User information gathered from AAA logs.
7. User information parsed from a syslog message.
8. User who scheduled a diagnostic that was run on the device.
This fix associates a weighted value to each priority. These weights can be adjusted using rcx settings.
To change the default order of these priorities, follow these steps:
a. Add the following text to the adjustable_options.rcx file:
<option name="changepriority/ACL_DELETE_PRIORITY">21</option>
<option name="changepriority/PASSWORD_CHANGE_PRIORITY">20</option>
<option name="changepriority/SOFTWARE_UPDATE_PRIORITY">18</option>
<option name="changepriority/CONFIGURE_SYSLOG_PRIORITY">17</option>
<option name="changepriority/CONFIG_DEPLOY_PRIORITY">16</option>
<option name="changepriority/SCRIPT_RUN_PRIORITY">15</option>
<option name="changepriority/PROXY_PRIORITY">12</option>
<option name="changepriority/SYSLOG_PRIORITY">10</option>
<option name="changepriority/AAA_PRIORITY">8</option>
<option name="changepriority/DIAGNOSTIC_RUN_PRIORITY">2</option>
<option name="changepriority/NONE_PRIORITY">0</option>
b. As needed, change the value for each priority to reflect the desired priority order. The higher the value, the higher the priority.
Note Each value must be an integer and unique within this list of priorities.
c. Save the adjustable_options.rcx file.
d. Do one of the following:
–Restart the NCM services.
–Click [Save] on the Admin > Administrative Settings > User Interface page in the product console.
–Run the "reload server options" command from the NCM proxy.
To verify that the new values are being used, set Feature/ChangeDetection to trace.
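A check to run on the edited file before reloading, covering the rule in the Note above (each value an integer and unique). This is an added example, not part of the Cisco release notes or of NCM. The function name and the two deliberate mistakes in the sample are constructed, and the text is scanned with a regular expression so nothing is assumed about the rest of the .rcx file layout.

```python
import re

# Constructed sample: the changepriority block from this section with two
# deliberate mistakes (a reused weight and a non-integer weight).
SAMPLE_RCX = """
<option name="changepriority/ACL_DELETE_PRIORITY">21</option>
<option name="changepriority/PASSWORD_CHANGE_PRIORITY">20</option>
<option name="changepriority/SOFTWARE_UPDATE_PRIORITY">18</option>
<option name="changepriority/CONFIGURE_SYSLOG_PRIORITY">17</option>
<option name="changepriority/CONFIG_DEPLOY_PRIORITY">16</option>
<option name="changepriority/SCRIPT_RUN_PRIORITY">16</option>
<option name="changepriority/PROXY_PRIORITY">12</option>
<option name="changepriority/SYSLOG_PRIORITY">high</option>
<option name="changepriority/AAA_PRIORITY">8</option>
<option name="changepriority/DIAGNOSTIC_RUN_PRIORITY">2</option>
<option name="changepriority/NONE_PRIORITY">0</option>
"""

# Matches only the changepriority options; other options are ignored.
OPTION_RE = re.compile(
    r'<option\s+name="changepriority/([A-Z_]+)"\s*>(.*?)</option>', re.S)


def check_change_priorities(rcx_text):
    """Return (names ordered highest weight first, list of error strings)."""
    weights = {}   # option name -> integer weight
    owner = {}     # integer weight -> first option name that used it
    errors = []
    for name, raw in OPTION_RE.findall(rcx_text):
        value = raw.strip()
        if name in weights:
            errors.append(f"{name}: defined more than once")
            continue
        if not re.fullmatch(r"-?\d+", value):
            errors.append(f"{name}: value {value!r} is not an integer")
            continue
        weight = int(value)
        if weight in owner:
            errors.append(f"{name}: weight {weight} already used by {owner[weight]}")
        else:
            owner[weight] = name
        weights[name] = weight
    # The higher the value, the higher the priority.
    ordered = sorted(weights, key=weights.get, reverse=True)
    return ordered, errors


if __name__ == "__main__":
    order, problems = check_change_priorities(SAMPLE_RCX)
    for problem in problems:
        print("ERROR", problem)
    for rank, name in enumerate(order, start=1):
        print(rank, name)
```

Read the real adjustable_options.rcx into a string and pass it to check_change_priorities; reload the server options only when the error list is empty.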
By default, the Show Device and Show Device Template commands display a heading named "Last Snapshot Result." This fix supports changing this heading to "Last Task Result."
To enable this fix, follow these steps:
a. In the appserver.rcx file, locate the following lines:
<option name="formatting/show device/stdout/body">Device ID : $Device.DeviceID$
...
Last Successful Snapshot : $Device.LastAccessSuccessDate$
...
$CustomData$
Comments : $Device.Comments$</option>
b. Copy the entire option definition from the appserver.rcx file to the adjustable_options.rcx file.
c. In the adjustable_options.rcx file, locate the following copied line:
Last Snapshot Result : $Device.LastAccessAttemptStatus$
d. Change the copied line to:
Last Task Result : $Device.LastAccessAttemptStatus$
e. Save the adjustable_options.rcx file.
f. Reload the .rcx settings by running the "reload server options" command from the NCM proxy or by restarting the NCM services.
This fix enables NCM to interact with NNMi for devices in non-default partitions.
To enable this fix, follow these steps:
a. In the site_options.rcx file, locate the following lines:
<option name="3rd party/integrations/NCMPartition">
<title>NCM Partition</title>
<section>NNMi Integration</section>
<size>30</size>
<type>Text</type>
<comment>NCM-NNMi integration partition</comment>
Default Site</option>
b. To these lines, append the following option:
<option name="3rd party/integrations/nnm_map_securitygroups_to_partitions/enabled">0
<title>NNMi Maps Security Groups to NCM Security Partitions</title>
<section>NNMi Integration</section>
<type>RadioButtons</type>
<domain>1</domain>
<number_1>Enabled</number_1>
<domain>0</domain>
<number_0>Disabled</number_0>
</option>
c. Save the site_options.rcx file.
d. Reload the .rcx settings by running the "reload server options" command from the NCM proxy or by restarting the NCM services.
This fix provides a way to force NCM to reevaluate the current configuration of all managed devices.
To enable this fix, run the following command from the NCM proxy:
run checkdb -resolver currentconfig -verbose
The runtime of this command is proportional to the number of devices being managed.
Uninstalling the CiscoWorks NCM 1.8.01 Patch
The root of the NCM installation directory contains a subdirectory named patch_backups that was created by the patch installer. In the patch_backups directory is a subdirectory named with the patch build number. This subdirectory contains a backup of all critical files changed by the patch installer. The backup.log file lists the files that were backed up and the original location of each file.
To remove the patch and roll back to the pre-patch state:
Step 1 Stop the NCM services.
Step 2 Manually restore the files listed in the backup.log file to their original locations.
Step 3 Back out any changes made to the .rcx files as noted in the section, Additional Information, if applicable.
Step 4 Restart the NCM services.
Table 2 shows the supported platforms for CiscoWorks NCM 1.8.x
The following operating systems are no longer supported:
•Red Hat AS3
Note For all operating system upgrades, please see the respective vendor documentation or contact your system support personnel. Cisco is not responsible for issues that might arise during third-party product upgrades.
Table 3 shows the databases that are supported by CiscoWorks NCM 1.8.x
Except for modest deployments without full enterprise scale and performance requirements, the application server and database server should be on separate physical machines. In addition, the database server should be dedicated to CiscoWorks NCM, rather than serving multiple applications.
Note CiscoWorks NCM 1.8.x does not support the use of Microsoft SQL Named Instances.
The following databases are no longer supported:
•Oracle 9i and Oracle 9.2
•Microsoft SQL Server 2000
Note For all database upgrades, please see the respective vendor documentation or contact your database analyst. Cisco is not responsible for issues that might arise during third-party product upgrades.
Additional CiscoWorks NCM Configurations
If you have configured a High Availability Distributed System, the database requirements for Oracle and Microsoft SQL Server include:
If you have configured a Horizontal Scalability environment, the database requirements for Oracle and Microsoft SQL Server include:
See High Availability Distributed System Configuration Guide for CiscoWorks Network Compliance Manager for information on configuring High Availability Distributed System environment.
See Horizontal Scalability User Guide for CiscoWorks Network Compliance Manager for information on configuring Horizontal Scalability environment.
Note High Availability and Horizontal Scalability environments are not supported for MySQL.
Table 4 lists the virtual servers NCM supports.
Table 4 NCM-Supported Virtual Servers
Virtual Server Supported Operating System Types Notes
•ESX Server 3.5
•ESX 4.0 or later minor version
•ESXi 4.1 or later minor version
•ESXi 5.0 or later minor version
•Host OS:
–Windows
–Linux
•Guest OS: Any of the operating systems listed in Table 2
•The virtual environment must meet the x86-64 or AMD64 hardware requirements listed in Table 5.
Microsoft® Hyper-V R2
•Host OS: Windows Server 2008 R2 x64
•Guest OS: Any of the Windows operating systems listed in Table 2
Oracle Solaris Zones
If you are running NCM in a virtual environment, review the following guidelines:
•Because NCM can be network intensive, many virtual machines sharing a virtual switch and network interface card could result in unexpected behavior, including time-outs and failed tasks.
•Each virtual environment is different and could function differently under loads with shared VM guests.
•On a virtual server, it is recommended that the Disk I/O be split. The virtual server must have two arrays:
–One array for the host operating system
–One array for the virtual machines
•Live migration (for example, using Vmotion) of the NCM application server is not recommended.
•If you plan to use virtual machines for both the NCM application and the NCM database, ensure that they are running on different guests. It is recommended to host the database virtual machine on a different array to avoid conflicting I/O on the array. Verify that the database is supported in a virtual environment.
•When configuring NCM on virtual machines in a Multimaster Distributed System environment or a Horizontal Scalability environment, the maximum number of NCM application servers is two.
•Some virtual guests experience time drift, which can be an issue and should be corrected. Synchronizing the guests to an external time source can solve this issue.
•Each NCM guest system must be configured with a set reservation for CPU and memory. These reservations should be at least 125% of the standalone server requirements listed in Table 5 and Table 6. Ensure that the resource pool containing the NCM guest system has adequate resources to consistently deliver the CPU and memory reservations to the NCM guest system.
To counter performance issues while running NCM in a virtual environment, do the following:
•Increase hardware resources on the physical host.
•Ensure resources are dedicated to the NCM application server guest.
•Decrease the number of guests running simultaneously.
•Add a network interface card dedicated to NCM to the virtual server.
A large number of concurrent tasks increases NCM resource demand. If performance issues arise, reduce the number of concurrent tasks or provide more resources to the NCM virtual server. (This suggestion also applies to physical servers.)
Additional Required Applications
You need to install the following applications:
•CiscoWorks NCM supports the following browsers:
–Mozilla Firefox 3.x and higher
–Internet Explorer 7.x and higher
Note Windows pop-up blockers must be disabled for the browser. Cookies must be enabled for the browser.
•Microsoft Excel 2000 or higher, if you are viewing Summary Reports from the CiscoWorks NCM server.
•Adobe® Acrobat Reader™ version 4.0 or higher if you are viewing CiscoWorks NCM documentation from the CiscoWorks NCM server.
•ActivePerl 5.8.x (for Windows).
•Perl 5.8.x (for Solaris and Linux). The CiscoWorks NCM Convert-to-Perl script feature uses Perl.
•Perl Net::SSH::Expect module (for using the Connect module with SSH)
Note Third-party products mentioned in this documentation are manufactured by vendors independent of Cisco. Cisco makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
CiscoWorks NCM requires the following minimum hardware:
Table 6 Database Server Requirements
Intel Xeon or equivalent, 3.0+ GHz
16 GB RAM
512 GB, Fast SCSI
100 Mbps Fast Ethernet, full duplex
Accessing the CiscoWorks NCM Documentation Set
All or any part of the CiscoWorks NCM documentation set, including this document, might be upgraded over time. Therefore, we recommend that you access the CiscoWorks NCM documentation set using the following URL: http://www.cisco.com/en/US/products/ps6923/tsd_products_support_series_home.html
Tip To cut and paste a two-line URL into the address field of your browser, you must cut and paste each line separately to get the entire URL without a break.
© 2012 Cisco Systems, Inc. All rights reserved.