Cisco CNS Network Registrar User's Guide Web Interface, 6.0
Global Administration


Table Of Contents

Global Administration

Global Administrator Role

Role Functions

Role Limitations

Adding an Administrator

Editing an Administrator

Deleting an Administrator

Managing Groups

Managing Roles

Adding a Constrained Role

Managing a Host Administrator Role

Assigning Zone Restrictions to a Host Administrator Role

Assigning IP Restrictions to a Host Administrator Role

Assigning Host Restrictions to a Host Administrator Role

Assigning Administrators or Groups to a Host Administrator Role

Managing a Zone Administrator Role

Managing Zone Restrictions for a Zone Administrator Role

Assigning Administrators and Groups to a Zone Administrator Role

Assigning Unconstrained Roles

Deleting a Role

Managing Keys

Entering the Key Data

Generating Random Keys

Managing Access Control Lists

Managing Servers

Viewing the Database Change Logs

Viewing the CCM Database Change Log and Sets

Viewing the MCD Database Change Log and Sets

Viewing Database Tasks

Viewing CCM Tasks

Viewing MCD Tasks


Global Administration


The global administrator role plays a vital part in Cisco CNS Network Registrar administration in that it is the springboard from which other administrative tasks develop. The global administrator sets up the administrative roles and access security, and monitors database changes and tasks. Because of these responsibilities, there should be a limited number of global administrators on the Network Registrar network.

This chapter describes the global administrator's role and responsibilities. Table 3-1 lists the topics.

Table 3-1 Global Administration Topics

Global administrator role: see the "Global Administrator Role" section.
Adding an administrator: see the "Adding an Administrator" section.
Administrator groups: see the "Managing Groups" section.
Roles: see the "Managing Roles" section.
Security keys: see the "Managing Keys" section.
Access control lists (ACLs): see the "Managing Access Control Lists" section.
Managing the servers: see the "Managing Servers" section.
Viewing changes to the database: see the "Viewing the Database Change Logs" section.
Viewing database tasks: see the "Viewing Database Tasks" section.


Global Administrator Role

The global administrator controls all aspects of the Web UI and manages all the other administrators. One clear set of tasks for the global administrator is to configure the granular administration infrastructure. Note that this role is not automatically assigned superuser rights, with which you can select and use all the Web UI functions when you log in to the Web UI. However, you have the right to set the superuser flag for an administrator, so that the global administrator is commonly considered the superuser role.

The basic administrator types appear in Table 3-2. They each also have a read-only variant.

Table 3-2 Basic Administrator Types

ccm-admin: Global administrator. Responsible for the Central Configuration Manager (CCM) database. You should limit access to this role.
host-admin: Host administrator. Responsible for the hosts in one or more zones.
zone-admin: Zone administrator. Responsible for one or more zones and their resource records.
addrblock-admin: Address block administrator. Responsible for one or more address blocks and subnets, and their leases.
dhcp-admin: DHCP administrator. Responsible for the DHCP server, and defines scopes, policies, and leases.


Role Functions

The global administrator can perform these functions:

Create and manage administrators—Add and list administrators, set passwords, and determine the basic role of, and possible constraints on, each administrator.

Create and manage groups—Combine administrators with similar functions into groups.

Create and manage roles—Define constrained roles and assign them to administrators or groups.

Add and manage system access security keys—Determine access security by defining keys.

Add and manage access control lists (ACLs)—Set host access through ACLs by defining match list values.

Control servers—Reload, start, and stop the DNS, DHCP, and TFTP servers.

View database changes—View the change logs, change sets, and tasks for the CCM and MCD server databases to monitor the administrative changes made.

Role Limitations

The global administrator has no further limitations.

Adding an Administrator

The Web UI has only one predefined administrator, the admin account. As global administrator, you must create additional administrators so that you can assign host, zone, address space, and DHCP server management responsibilities to them, while limiting access to cluster administration. You can make administrators members of groups, and set further constraints on their roles when you define roles in the "Managing Roles" section.

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Administrators tab. This opens the List/Add Administrators page (see Figure 2-1).

Data to Enter

The List/Add Administrators page initially shows the admin user, who is a superuser with full Web UI, CLI, and GUI access, including creating and editing users and license keys. You can create multiple superusers; however, it is best to limit this access to a few administrators only.


Caution: Be careful in deleting accounts with ccm-admin privileges (which includes the superuser). If you delete all of them, you can no longer create new users in the Web UI, CLI, or GUI. If you then delete all the other accounts, you can no longer log in to any of the Network Registrar user interfaces. You would then need to contact the Cisco Technical Assistance Center (TAC) for recovery instructions.

An NRCMD column indicates whether the administrator has full or limited access to the additional CLI and GUI user interfaces. Full access covers user and license key creation and editing, and the zone, host, and DHCP functions. Limited access covers the zone, host, and DHCP functions only. If you leave this field blank, the administrator has no access to the CLI or GUI.

Full NRCMD—Equivalent of assigning a group to the administrator with ccm-admin, zone-admin, host-admin, and dhcp-admin access to the Web UI, CLI, and GUI.

Limited NRCMD—Equivalent of assigning a group to the administrator with zone-admin, host-admin, and dhcp-admin, but no ccm-admin access to the Web UI, CLI, and GUI.

To add an administrator, you must enter or select from the fields described in Table 3-3.

Table 3-3 Entries on the List/Add Administrators Page

Name: Name of the administrator, which is not case-sensitive.

Password: Password for the administrator, which is case-sensitive.

Superuser: Include a check mark if you want this administrator to have unlimited access to all functions. This includes user and key administration.

NRCMD: Select if you want this administrator to have additional CLI and GUI access, with full or limited functions in these user interfaces. Full access is the equivalent of assigning a group with ccm-admin, zone-admin, host-admin, and dhcp-admin privileges. Limited access is the equivalent of assigning a group with zone-admin, host-admin, and dhcp-admin privileges. If you leave this field blank, the administrator has no access to the CLI or GUI.

Groups: Predefined administrator groups for the administrator. You create any group names in the "Managing Groups" section. Select the group name or names from the drop-down list. To select multiple names, use your browser's multi-selection feature. To deselect a name, use your browser's deselection feature.

Roles: Predefined roles for the administrator. You create roles in the "Managing Roles" section. Select the role name or names from the drop-down list. To select multiple names, use your browser's multi-selection feature. To deselect a name, use your browser's deselection feature.


Actions to Take

After entering the fields, you can create, edit, or delete the administrator, and confirm the results:

Click Add Administrator to add the administrator. The administrator now appears in the list below the entry fields. The list is in alphabetical order.

To edit an administrator, click its name in the list. See the "Editing an Administrator" section.

To delete an administrator, click the Delete icon to the left of its name. See the "Deleting an Administrator" section.

To confirm your additions, view the database change log. See the "Viewing the Database Change Logs" section.

Editing an Administrator

You can edit an administrator's password, superuser and NRCMD privileges, and the groups and roles.

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Administrators tab. Click the name of the administrator. This opens the Edit Administrator page (see Figure 2-12).

Data to Enter

To edit an administrator, modify or reselect the fields described in Table 3-4.

Table 3-4 Entries on the Edit Administrator Page

Name: Name of the administrator. You cannot modify this field.

Password: Password for the administrator, which is case-sensitive.

Superuser?: Enter a check mark if you want this administrator to have unlimited access to all administration functions. This includes user and key administration.

NRCMD user?: Select if you want this administrator to have additional CLI and GUI access, with full or limited functions in these user interfaces. Full access is the equivalent of assigning a group with ccm-admin, zone-admin, host-admin, and dhcp-admin privileges. Limited access is the equivalent of assigning a group with zone-admin, host-admin, and dhcp-admin privileges. If you leave this field blank, the administrator has no access to the CLI or GUI.

Groups: Predefined groups for the administrator. You create any special group names in the "Managing Groups" section. Select the group name or names in the Available list using the single- or multiselect feature of the browser, then use << to move them into the Selected list. To select all the groups, click Select All before moving them. To disassociate the administrator from one or more groups, click their names in the Selected list, and click >> to move them into the Available list.

Roles: Predefined roles for the administrator. You create any special role names in the "Managing Roles" section. Select the role name or names in the Available list using the single- or multiselect feature of the browser, then use << to move them into the Selected list. To select all the roles, click Select All before moving them. To disassociate the administrator from one or more roles, click their names in the Selected list, and click >> to move them into the Available list.


Actions to Take

You can implement or cancel your edits, and then confirm your changes:

To implement your edits, click Modify Administrator.

To cancel your edits, click Cancel.

To confirm your edits, view the database change log. See the "Viewing the Database Change Logs" section.

The bottom of the page shows the current roles for the user. Expand this area to confirm the role details.

Deleting an Administrator

It may become necessary to delete an administrator for security purposes or if that administrator type is no longer used. You must respond to a confirmation page before the deletion goes into effect.

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Administrators tab. This opens the List/Add Administrators page (see Figure 2-1).

Actions to Take

Deleting an administrator is a two-step process: you activate and then confirm the deletion:

1. Click the Delete icon to the left of the administrator name.

2. Click Delete to continue with the deletion, or Cancel to cancel it.
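
The Caution earlier in this chapter warns that deleting every account with ccm-admin privileges leaves nobody able to create users. The following is an added example, not Network Registrar code, of the check a deletion step could make before the confirmation page: it treats an administrator as holding ccm-admin privileges through the superuser flag, through Full NRCMD access, or through a group or role that carries ccm-admin, and refuses a deletion that would remove the last such account. The administrator records, the group contents (beyond the two predefined groups named in this chapter) and the check itself are constructed for this example.

```python
"""Refuse to delete the last account that can still administer users.

Added example, not Network Registrar code. Administrator records, the
contents of the custom group and the guard itself are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class Administrator:
    name: str                          # not case-sensitive (Table 3-3)
    superuser: bool = False
    nrcmd: str = ""                    # "", "full" or "limited"
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


# Roles carried by each group: the two predefined groups described in this
# chapter, plus a constructed group that carries no ccm-admin privilege.
GROUP_ROLES = {
    "address-mgt-group": {"dhcp-admin", "addrblock-admin", "ccm-admin"},
    "dns-mgt-group": {"host-admin", "zone-admin", "ccm-admin"},
    "test-grp": {"host-admin"},
}

# What each NRCMD setting is equivalent to, per the Full/Limited NRCMD text.
NRCMD_ROLES = {
    "full": {"ccm-admin", "zone-admin", "host-admin", "dhcp-admin"},
    "limited": {"zone-admin", "host-admin", "dhcp-admin"},
    "": set(),
}


def effective_roles(admin, group_roles=GROUP_ROLES):
    """Union of directly assigned roles, NRCMD-implied roles and group roles."""
    roles = set(admin.roles) | NRCMD_ROLES[admin.nrcmd]
    for group in admin.groups:
        roles |= group_roles.get(group, set())
    return roles


def has_ccm_admin(admin, group_roles=GROUP_ROLES):
    """Superusers and anyone whose effective roles include ccm-admin."""
    return admin.superuser or "ccm-admin" in effective_roles(admin, group_roles)


def delete_administrator(admins, name, group_roles=GROUP_ROLES):
    """Return a new mapping without `name`, or raise if no ccm-admin would remain.

    `admins` maps lowercased administrator names to Administrator records.
    """
    key = name.lower()
    if key not in admins:
        raise KeyError(name)
    remaining = {n: a for n, a in admins.items() if n != key}
    if has_ccm_admin(admins[key], group_roles) and not any(
            has_ccm_admin(a, group_roles) for a in remaining.values()):
        raise PermissionError(
            f"refusing to delete {name}: no account with ccm-admin privileges would remain")
    return remaining
```

The guard only looks at privileges that are visible in the administrator record; an account that reaches ccm-admin through a role name you define later must be added to the group or role mapping for the check to see it.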

Managing Groups

Creating administrator groups is a way of grouping administrator roles into categories based on functionality or geography. For an introduction to roles, see the "Introduction to Roles" section. One example of using groups is to combine all the roles into a group named test-grp, then assign that group to all administrators in the test area, to avoid having to assign the same roles to each administrator individually. Table 3-5 describes the two predefined groups in the Web UI.

Table 3-5 Predefined Administrator Groups

address-mgt-group: Combined DHCP, address block, and CCM administrator.
dns-mgt-group: Combined host, zone, and CCM administrator.


You can add more groups by giving them each a name and a short description. The actual association to administrators happens when you create administrators. Otherwise, the groups exist in name only.

Plan for the group names to reflect the intended role of its members so that you can define the correct administrators with them. Note that you can assign a group multiple roles. This saves the global administrator from having to assign each role separately.

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Groups tab. This opens the List/Add Administrator Groups page (see Figure 3-1).

Figure 3-1 List/Add Administrator Groups Page

Data to Enter

You must enter a group name, and you can add a description for it, based on the fields described in Table 3-6.

Table 3-6 Entries on the List/Add Administrator Groups Page

Name: Name of the administrator group. Required.
Description: Short description of the administrator group. Optional.


Actions to Take

After entering the fields, you can create, edit, or delete the group, and confirm the results.

To create the group, click Add Group, which adds the group to the bottom of the list. You do not need to refresh the page.

To edit a group, click its name in the list. This opens the Edit Administrator Group page (see Figure 3-2). Edit the same fields as you entered on the List/Add Administrator Groups page. Be sure the group has a name and that it is unique.

In addition, you can assign roles for this group. Select one or more roles from the Available field and move them into the Selected field.

Click Modify Group to submit the change, or Cancel to cancel, to return to the List/Add Administrator Groups page.

Figure 3-2 Edit Administrator Group Page

To delete a group on the List/Add Administrator Groups page, click the Delete icon to the left of its name. Confirm or cancel your deletion on the Confirm Delete page.

To confirm your changes, view the database change log. See the "Viewing the Database Change Logs" section.

Managing Roles

Network Registrar distinguishes between base roles and constrained roles.

A base role is one of the predefined administrative roles—ccm-admin, zone-admin, host-admin, addrblock-admin, and dhcp-admin. These are often referred to as unconstrained roles.

A constrained role customizes the base role with applied constraints. You can create constrained roles from two base roles:

host-admin

zone-admin

The unconstrained host administrator has authority over all hosts in a zone and the static IP addresses in it. The unconstrained zone administrator has authority over all zones. You may want a host administrator to be responsible for a limited range of hosts. You would create a constrained role for that purpose.

Adding a Constrained Role

Adding a constrained role requires these actions:

1. Add its name and select from one of two base roles—host-admin or zone-admin.

2. Decide if you want the role to have read-only privileges.

3. Add the constraints:

You can constrain a host administrator role to certain zones, IP addresses, and host names.

You can constrain a zone administrator role to certain zones (including by their owner).

You can optionally assign groups and administrators to the role. However, you usually would do the reverse process of assigning the role to a group or administrator when you create the group or administrator.

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page (see Figure 2-9).

Data to Enter

You must enter a role name and select from the list of predefined base roles, either host-admin or zone-admin. Any roles you create appear at the bottom of the list.

Actions to Take

After entering the fields, you can create, edit, or delete the role, and confirm the results.

To create the role, click Add Role. This opens the Add Administrator Role page for the base role that you selected. For roles based on:

host-admin: See the "Managing a Host Administrator Role" section.

zone-admin: See the "Managing a Zone Administrator Role" section.

Unconstrainable base roles (dhcp-admin, ccm-admin, and addrblock-admin): See the "Assigning Unconstrained Roles" section.

To edit a role, click its name in the list. This opens an Edit Administrator Role for the base role you selected.

To delete a role, click the Delete icon to the left of its name. Confirm or cancel your deletion on the Confirm Delete page.

To confirm your changes, view the database change log. See the "Viewing the Database Change Logs" section.

Managing a Host Administrator Role

A host administrator can be constrained in these ways:

By a list of zones (only hosts in one of these zones can be viewed, added, modified, or deleted)

By a range of IP addresses that can be assigned to hosts

By a pattern of host names

How to Get There


Step 1 On the Primary Navigation bar, click the Administration tab.

Step 2 On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Step 3 If you are adding a new role, assign it the host-admin base role.

Step 4 Click Add Role with a new role, or click the name of an existing role to edit it. Adding the role opens the Add Host Administrator Role page (see Figure 3-3); editing the role opens the Edit Host Administrator Role page. The two pages include the same fields.

Figure 3-3 Add/Edit Host Administrator Role Page: General Information


Data to Enter

The General Information area of the page includes the fields described in Table 3-7.

Table 3-7 Entries on the Add/Edit Host Administrator Role Page: General Information

Role Name: Name of the role. You can modify its name in this field.

Role Type: Base role, identified as host-admin. You cannot modify this field. However, you can give this role read-only rights by checking the Read Only Role box.

Note: If you assign an administrator to multiple host roles, one of which is read-only, the read-only functionality takes precedence.


Actions to Take

At a minimum, you must assign a list of zones for the host administrator role. Otherwise, the role defaults to an empty access list. A host administrator logging in without an assigned zone will see the message "Zone list empty" and cannot perform any administrative tasks. See the following section to assign the zone restrictions.

Assigning Zone Restrictions to a Host Administrator Role

You can add zone restrictions for a host administrator role, or select All Zones for access to all zones, including those that have yet to be created. To assign specific zones, the zones must already be created (see "Zone Administration").

How to Get There


Step 1 On the Primary Navigation bar, click the Administration tab.

Step 2 On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Step 3 If you are adding a new role, assign it the host-admin base role.

Step 4 Click Add Role with a new role, or click the name of an existing role to edit it. Adding the role opens the Add Host Administrator Role page; editing the role opens the Edit Host Administrator Role page.

Step 5 Scroll to the Zone Restrictions area, immediately below the General Information area (see Figure 2-10).


Data to Enter

The role is restricted to just those zones listed in the Selected list. If you want to bypass all zone restrictions, check the All Zones box. If neither is selected, the role is effectively disabled and has no access to any zone data.

To move a zone or zones to the Selected list, select one or more in the Available list and click << to move it or them to the Selected list. If the zone name you want is not in the Available list, add it according to the procedure in "Zone Administration."

Move zones back and forth between the lists as needed until you have the ones you want in the Selected list. For example, you might want exampleboston-hostadmin-role to administer addresses in both the example.com and boston.example.com zones. Select the two zone names in the Available list and click << to move them to the Selected list. To move all the listed zones, click Select All and then <<.

Actions to Take

If you do not want to add further constraints for the role, click Add Role or Edit Role, or Cancel to cancel. Otherwise, proceed to the next section to add IP restrictions for the role.

Assigning IP Restrictions to a Host Administrator Role

To add IP address restrictions for a host administrator role, determine which ranges of IP addresses you want the role to administer.

How to Get There


Step 1 On the Primary Navigation bar, click the Administration tab.

Step 2 On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Step 3 If you are adding a new role, assign it the host-admin base role.

Step 4 Click Add Role with a new role, or click the name of an existing role to edit it. Adding the role opens the Add Host Administrator Role page; editing the role opens the Edit Host Administrator Role page.

Step 5 Scroll to the IP Restrictions area of the page (see Figure 2-11). (This area of the page may be contracted. If so, click the + sign to expand it.)


Data to Enter

The role is restricted to just those IP address ranges listed in the Selected list. If you want to accept all available IP ranges, including all those yet to be created, check the All IPRanges box. If neither is selected, assignment of IP addresses is unconstrained.

If IP address ranges are already in the Available list, select one or more and click << to move it or them to the Selected list. If there are no IP ranges, add them by creating subnet ranges, according to the procedure in the "Editing or Adding Address Ranges to a Subnet" section. Move addresses back and forth between the lists as needed until you have exactly the ones you want in the Selected list.

For example, you might want range65-120-hostadmin-role to administer the address ranges 192.168.50.65 through 192.168.50.120. Click this range in the Available list and click << to move it to the Selected list. To move all the listed ranges, click Select All and then <<.

Actions to Take

If you do not want to add further constraints for the role, click Add Role or Edit Role, or Cancel to cancel. Otherwise, proceed to the next section to assign host restrictions to the role.

Assigning Host Restrictions to a Host Administrator Role

To add host name restrictions for a host administrator role, determine the type of host names you want the role to administer.

How to Get There


Step 1 On the Primary Navigation bar, click the Administration tab.

Step 2 On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Step 3 If you are adding a new role, assign it the host-admin base role.

Step 4 Click Add Role with a new role, or click the name of an existing role to edit it. Adding the role opens the Add Host Administrator Role page; editing the role opens the Edit Host Administrator Role page.

Step 5 Scroll to the Host Restrictions area of the page (see Figure 3-4). (This area of the page may be contracted. If so, click the + sign to expand it.)

Figure 3-4 Add/Edit Host Administrator Role Page: Host Restrictions


Data to Enter

The Host Name Regular Expression field can contain a wildcard expression for the host names you want to administer. The regular expression metacharacter (wildcard) syntax is based on POSIX 1003.2 and is described in Table 3-8. Remember that although the matching is case sensitive, the server considers host names as not case sensitive.

Table 3-8 Regular Expression Metacharacter Syntax

(chars) (parentheses): Treats the characters between the parentheses as a single text block. For an example of grouping using blocks, see the use of the backslash (\).

. (dot): Matches any single character. For example, host. matches any name starting with host and ending with a single character, such as host1. To include the dot as an actual character, escape it using a \ (see backslash); for example, .*\.com.

* (asterisk): Matches the previous character or block zero or more times. For example, host1* matches host, host1, host11, host111, and so on.

? (question mark): Matches the previous character or block zero or one times only. For example, host1? matches host and host1 only (compare with *).

+ (plus sign): Matches the previous character or block one or more times. For example, host1+ matches host1, host11, host111, and so on, but not host (compare with *).

[chars] (square brackets): Matches any character (or range of characters) or block in the square brackets. For example, host[19]* matches host, host1, host19, host9199, and so on; the range statement [a-z] matches all lowercase characters.

[^chars] (caret in square brackets): Excludes from the match any characters (or range of characters) or block in the square brackets. For example, host[^0].* matches any name starting with host, except if it immediately follows with a zero (so that host0101 would be excluded).

^ (caret): Start of the line. For example, ^[^0-9].* matches any name not starting with a digit.

$ (dollar sign): End of the line. For example, .*[^9]$ matches any name not ending with a 9.

{x,y} (curly brackets): Bounding syntax that matches the last character or block at least x and not more than y times. For example, host[123]{1,3} matches host1, host11, and host123.

chars | chars: Matches the text before or after the operator. For example, ([a-z] | [A-Z])+ matches any lowercase or uppercase name of any number of characters.

\ (backslash, the escape character): Because the characters (, ), [, ], ., *, ?, +, ^, and $ are special symbols, you must escape each one using a backslash (which is also a special symbol). For example, host(\([1-999]\))?\\?[a-z]? matches host(1) through host(999)\z.
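
Before committing a Host Name Regular Expression to a role, it is worth confirming against sample names that the pattern admits exactly the hosts you intend. The following is an added example, not part of this guide, that runs the Table 3-8 example patterns over a constructed list of host names. It assumes the Web UI applies the expression to the whole host name (an anchored match) and uses Python's re module, whose behaviour for the metacharacters listed in Table 3-8 agrees with the POSIX 1003.2 constructs there; because the page says matching is case sensitive while the server treats host names as not case sensitive, names are lowercased before matching. The last pattern shows a caveat: in a bracket expression, [1-999] is a character class and matches one digit, so the table's backslash example admits host(1) but not host(999); a bounded repetition is needed for that.

```python
"""Check the Table 3-8 wildcard examples against constructed host names.

Added example, not part of the Network Registrar documentation. Assumes an
anchored (whole-name) match and Python's re module as a stand-in for the
POSIX 1003.2 matcher the page describes.
"""
import re


def host_matches(pattern: str, host: str) -> bool:
    """True if the whole host name, lowercased, matches the pattern."""
    return re.fullmatch(pattern, host.lower()) is not None


def allowed_hosts(pattern: str, hosts) -> list:
    """Subset of `hosts` (original spelling kept) that the pattern admits."""
    return [h for h in hosts if host_matches(pattern, h)]


# Constructed sample host names chosen to exercise each row of Table 3-8.
SAMPLE_HOSTS = ["host", "host1", "host11", "host19", "host9199",
                "host0101", "host123", "9host", "Web9", "www"]

# Table 3-8 example patterns and the subset of SAMPLE_HOSTS the table's
# wording says each should admit.
TABLE_EXAMPLES = {
    "host1*": ["host", "host1", "host11"],
    "host1?": ["host", "host1"],
    "host1+": ["host1", "host11"],
    "host[19]*": ["host", "host1", "host11", "host19", "host9199"],
    "host[^0].*": ["host1", "host11", "host19", "host9199", "host123"],
    "^[^0-9].*": ["host", "host1", "host11", "host19", "host9199",
                  "host0101", "host123", "Web9", "www"],
    ".*[^9]$": ["host", "host1", "host11", "host0101", "host123", "9host", "www"],
    "host[123]{1,3}": ["host1", "host11", "host123"],
}


def verify_table(hosts=SAMPLE_HOSTS, examples=TABLE_EXAMPLES) -> list:
    """Return the patterns whose matches disagree with the table's description."""
    return [p for p, expected in examples.items() if allowed_hosts(p, hosts) != expected]


# The backslash row's pattern as printed. [1-999] is a character class, so it
# matches a single digit 1 to 9; host(999) does not match.
BACKSLASH_EXAMPLE = r"host(\([1-999]\))?\\?[a-z]?"

# A pattern that admits host(1) through host(999) as the row's text intends
# (constructed here; a bounded repetition replaces the character class).
BACKSLASH_INTENDED = r"host(\([1-9][0-9]{0,2}\))?\\?[a-z]?"
```

Running verify_table() on a candidate list before assigning a pattern to a role is a cheap way to catch a class that is wider than intended; the [A-Z] example in the table is a reminder that, with lowercased names, only [a-z] ranges can ever match.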


Actions to Take

If you do not want to assign the role to an administrator or group for now, click Add Role or Edit Role, or Cancel to cancel. Otherwise, proceed to the next section to assign administrators or groups to the role.

Assigning Administrators or Groups to a Host Administrator Role

The Admins and Groups section of the Edit Host Administrator Role page is for assigning administrators or groups to the role.

How to Get There


Step 1 On the Primary Navigation bar, click the Administration tab.

Step 2 On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Step 3 If you are adding a new role, assign it the host-admin base role.

Step 4 Click Add Role with a new role, or click the name of an existing role to edit it. Adding the role opens the Add Host Administrator Role page; editing the role opens the Edit Host Administrator Role page.

Step 5 Scroll to the Admins and Groups area of the page (see Figure 3-5). (This area of the page may be contracted. If so, click the + sign to expand it.)

Figure 3-5 Add/Edit Host Administrator Role Page: Admins and Groups

Data to Enter

This page includes the fields described in Table 3-9.

Table 3-9 Entries on the Add/Edit Host Administrator Role Page: Admins and Groups

Administrators: Administrator or administrators that should be assigned to this role. Select from the drop-down list of predefined administrators in the Available list and move the name or names to the Selected list by clicking the appropriate button. Move items back and forth as needed until the Selected list includes just the administrator name or names you want.

For example, you might want exampleboston-hostadmin-role to apply to example-zone-admin as well as example-host-admin. Multiselect both names and click << to move them to the Selected list. (Note, however, that you can also handle these multiple administrator entries using groups. See the Groups field description.)

Groups: If administrators are organized into groups, one or more of these groups can be assigned to this role. Select the desired predefined group or groups from the Available list and move it or them to the Selected list. Move items back and forth as needed until the Selected list includes just the group name or names you want.

To extend the example in the previous field description, instead of assigning both the example-host-admin and example-zone-admin administrators to the role, you can create a group, example-group, that includes both administrators, so that you can possibly add other administrators to the group later. Click example-group in the Available list and click << to move it to the Selected list.


Actions to Take

When you finish entering information on the Add/Edit Host Administrator Role page, click Add Role or Edit Role, or Cancel to cancel. You return to the List/Add Administrator Roles page.
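
The preceding sections describe a host administrator role as the combination of a zone list (or All Zones), an IP range list (or All IPRanges), a host name regular expression and a Read Only Role flag, with two edge cases that behave differently: a role with neither a zone list nor All Zones is effectively disabled, whereas a role with neither an IP range list nor All IPRanges leaves address assignment unconstrained. The following is an added example, not Network Registrar code, that models how such roles would be evaluated before a host is viewed, added, modified or deleted, including the Table 3-7 note that a read-only role takes precedence when an administrator holds several host roles. The role names and values reuse this chapter's examples (exampleboston-hostadmin-role, range65-120-hostadmin-role); everything else is constructed.

```python
"""Evaluate a host administrator's constrained roles before a host change.

Added example, not Network Registrar code. Role settings and requests are
constructed; the evaluation order is an assumption of this example.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HostAdminRole:
    name: str
    read_only: bool = False
    all_zones: bool = False
    zones: frozenset = frozenset()
    all_ip_ranges: bool = False
    ip_ranges: tuple = ()          # (first, last) address pairs
    host_regex: str = ""           # empty means no host name restriction


def zone_permitted(role: HostAdminRole, zone: str) -> bool:
    """An empty Selected list without All Zones disables the role entirely."""
    if role.all_zones:
        return True
    return zone.lower() in {z.lower() for z in role.zones}


def ip_permitted(role: HostAdminRole, ip: str) -> bool:
    """No ranges and no All IPRanges leaves address assignment unconstrained."""
    if role.all_ip_ranges or not role.ip_ranges:
        return True
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in role.ip_ranges)


def host_permitted(role: HostAdminRole, host: str) -> bool:
    """Anchored match on the lowercased name (host names are not case sensitive)."""
    if not role.host_regex:
        return True
    return re.fullmatch(role.host_regex, host.lower()) is not None


def authorize(roles, action: str, zone: str, host: str, ip: str):
    """Return (allowed, reason) for an action on a host in a zone with an address."""
    if action not in ("view", "add", "modify", "delete"):
        raise ValueError(action)
    covering = [r for r in roles
                if zone_permitted(r, zone) and host_permitted(r, host) and ip_permitted(r, ip)]
    if not covering:
        return False, "no host-admin role covers this zone, host name and address"
    # Table 3-7 note: among multiple host roles, a read-only one takes precedence.
    if action != "view" and any(r.read_only for r in roles):
        return False, "read-only role takes precedence"
    return True, "permitted by " + ", ".join(r.name for r in covering)


# Constructed roles built from this chapter's examples.
EXAMPLEBOSTON = HostAdminRole(
    "exampleboston-hostadmin-role",
    zones=frozenset({"example.com", "boston.example.com"}),
    ip_ranges=(("192.168.50.65", "192.168.50.120"),),   # range65-120
    host_regex=r"host[^0].*")
DISABLED = HostAdminRole("no-zones-role")                # neither zones nor All Zones
AUDIT = HostAdminRole("audit-ro-role", read_only=True, all_zones=True)
```

Because a missing zone list denies everything while a missing IP list allows any address, a role should be reviewed against both lists together: the second default is the one most likely to grant more than intended.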

Managing a Zone Administrator Role

Once you create a new zone administrator role, you can set further constraints for it. A zone administrator can be constrained by a list of zones or owners. These guidelines apply:

If constrained by zones, a zone administrator cannot add zones or zone templates.

If constrained by owners, a zone administrator can add zones only if the zone template used to create the zone is owned by a valid owner.

Constrained zone administrators cannot modify, add, or delete secondary servers.

How to Get There


Step 1 On the Primary Navigation bar, click the Administration tab.

Step 2 On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Step 3 If you are adding a new role, assign it the zone-admin base role.

Step 4 Click Add Role with a new role, or click the name of an existing role to edit it. Adding the role opens the Add Zone Administrator Role page (see Figure 3-6); editing the role opens the Edit Zone Administrator Role page. The two pages include the same fields.

Figure 3-6 Add/Edit Zone Administrator Role Page: General Information


Data to Enter

The General Information area of this page includes the fields described in Table 3-10.

Table 3-10 Entries on the Add/Edit Zone Administrator Role Page: General Information

Role Name: Name of the role. You can modify its name in this field.

Role Type: Base role, identified as zone-admin. You cannot modify this field. However, you can specify read-only rights by checking the Read Only Role box.

Note: If you assign an administrator to multiple zone roles, one of which is read-only, the read-only functionality takes precedence.


Actions to Take

At a minimum, you must assign a list of zones or owners for the role. Otherwise, the role defaults to an empty access list. A zone administrator logging in without an assigned zone or owner will see an empty list of zones and cannot add any new zones. See the following section to add the zone constraints.

Managing Zone Restrictions for a Zone Administrator Role

You can add zone or owner restrictions for a zone administrator role, or select all zones or all owners. You can base zone restrictions on these criteria:

Regular expression for the zone name

Predefined zones or their owners

How to Get There


Step 1 On the Primary Navigation bar, click the Administration tab.

Step 2 On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Step 3 If you are adding a new role, assign it the zone-admin base role.

Step 4 Click Add Role with a new role, or click the name of an existing role to edit it. Adding the role opens the Add Zone Administrator Role page; editing the role opens the Edit Zone Administrator Role page. Both pages include the same fields.

Step 5 Scroll to the Zone Restrictions area of the page (see Figure 3-7).

Figure 3-7 Add/Edit Zone Administrator Role Page: Zone Restrictions


Data to Enter

The three parts of the Zone Restrictions area of this page show that you can restrict zones by zone name regular expression, or by existing zones or zone owners. You can restrict either by zone or owner, but not both. The fields in Figure 3-7 are described in Table 3-11.

Table 3-11 Entries on the Add/Edit Zone Administrator Role Page: Zone Restrictions 

Entry
Description

Zone Name Regular Expression

Enter a regular expression that selects the zone names the role can administer. For example, enter .*example.* to administer all zones whose names contain the string example. See Table 3-8 for the regular expression syntax. Note that the expression is matched case sensitively, while the DNS server treats zone names as case insensitive, so a pattern that depends on letter case can silently exclude zones whose names were entered with different capitalization.

Edit Owners

Check this box if you want the role to edit zone owners. If unchecked, the role cannot edit any owners. See the "Managing Zone Owners" section.

Access Secondary Zones

Check this box if you want the role to access secondary zones. If unchecked, the role cannot access any secondary zones. See the "Managing Secondary Zones" section.

Access Reverse Zones

Check this box if you want the role to access reverse zones. If unchecked, the role cannot access any reverse zones. See the "Managing Reverse Zones" section.

By Zones

Check this box if you want the role restricted to particular zones. If you check this box, you cannot also check the By Owner box.

If zone names are already in the Available list, select one or more and click << to move it or them to the Selected list. If there are no zone names, add them according to the procedure in the "Managing Zones" section. Move zones back and forth between the lists as needed until you have exactly the ones you want in the Selected list.

To bypass all zone restrictions, check the All Zones box. For example, you might want exampleboston-role to administer the example.com and boston.example.com zones, as well as any newly created ones.

By Owner

Check this box if you want the role restricted to zones owned by a particular owner. If you check this box, you cannot also check the By Zones box.

If zone owners are already in the Available list, select one or more and click << to move it or them to the Selected list. If there are no zone owners, add them according to the procedure in the "Managing Zone Owners" section. Move zone owners back and forth between the lists as needed until you have exactly the ones you want in the Selected list. To bypass all zone owner restrictions, check the All Owners box.
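The case-sensitivity note above is easy to get wrong in practice. The following added example (not part of the original guide, and not Network Registrar code) shows how a role's zone regular expression can silently miss zones whose names differ only in letter case, and how to write the expression so it does not. It assumes Python re semantics with the expression matched against the full zone name; the product's own dialect is in Table 3-8. The zone list is constructed for the example.

```python
import re

# Constructed sample zone list (not from the guide). DNS names are case
# insensitive, so a server may hold a zone under any letter case.
SAMPLE_ZONES = [
    "example.com.",
    "boston.example.com.",
    "Example.net.",
    "EXAMPLE.ORG.",
    "10.168.192.in-addr.arpa.",
    "corp.internal.",
]


def zones_for_pattern(pattern, zones, case_sensitive=True):
    """Return the zones a role's regular-expression constraint would cover.

    Assumption: the constraint is matched against the whole zone name and,
    as the guide states, case sensitively.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    rx = re.compile(pattern, flags)
    return [z for z in zones if rx.fullmatch(z)]


def check_pattern(pattern, zones):
    """Zones the pattern excludes only because of letter case: the gap between
    a case-sensitive and a case-insensitive match over the same list."""
    strict = set(zones_for_pattern(pattern, zones, case_sensitive=True))
    lenient = set(zones_for_pattern(pattern, zones, case_sensitive=False))
    return sorted(lenient - strict)


def case_folded_literal(literal):
    """Expand a literal into per-character classes ([eE][xX]...) so the match
    ignores case even in a regex dialect with no case-insensitive flag."""
    out = []
    for ch in literal:
        if ch.isalpha():
            out.append("[" + ch.lower() + ch.upper() + "]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


if __name__ == "__main__":
    naive = ".*example.*"
    print("naive pattern covers:", zones_for_pattern(naive, SAMPLE_ZONES))
    print("silently excluded:   ", check_pattern(naive, SAMPLE_ZONES))
    robust = ".*" + case_folded_literal("example") + ".*"
    print("robust pattern covers:", zones_for_pattern(robust, SAMPLE_ZONES))
```

Run check_pattern against a dump of the zone list whenever a constrained role's expression contains letters; an empty result means the role covers exactly what the pattern reads as covering.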


Actions to Take

If you do not want to assign the role to an administrator or group for now, click Add Role or Edit Role, or Cancel to cancel. Otherwise, see the next section to assign administrators and groups to the role.

Assigning Administrators and Groups to a Zone Administrator Role

The Admins and Groups area of the Add/Edit Zone Administrator Role page is for assigning the role to administrators and groups (this area is identical to that of the Add/Edit Host Administrator Role page; see Figure 3-5).

Data to Enter

The Admins and Groups area of this page includes the fields described in Table 3-12.

Table 3-12 Entries on the Add/Edit Zone Administrator Role Page: Admins and Groups 

Entry
Description

Administrators

Administrator or administrators that should be assigned to this role. Select one or more of the predefined administrators in the Available list and move them to the Selected list by clicking the appropriate button. Move items back and forth as needed until the Selected list includes just the administrator names you want.

For example, you might want exampleboston-role to apply to example-host-admin as well as example-zone-admin. Multiselect both names and click << to move them to the Selected list. (Note, however, that you can also handle these multiple administrator entries using groups. See the Groups field description in this table.)

Groups

If administrators are organized into groups, one or more of these groups can be assigned to this role. Select the desired predefined group or groups from the Available list and move it or them to the Selected list. Move items back and forth as needed until the Selected list includes just the group name or names you want.

To extend the example in the previous field description, instead of assigning both example-host-admin and example-zone-admin to the role, you can create a group, example-group, that includes both administrators, so that you can possibly add other administrators to the group later. Click example-group in the Available list and click << to move it to the Selected list.


Actions to Take

When you finish entering information on the Add/Edit Zone Administrator Role page, click Add Role or Edit Role, or Cancel to cancel. You return to the List/Add Administrator Roles page.

Assigning Unconstrained Roles

You cannot constrain these base roles:

dhcp-admin

ccm-admin

addrblock-admin

This means that any administrators or groups you set up with these roles have no further constraints. When you edit one of these roles by clicking its name on the List/Add Administrator Roles page, an Edit Administrator Role page appears. Figure 3-8 shows the page for a DHCP administrator role. The Role Name and Role Type (base role) cannot change. However, you can use this page to assign administrators and groups to the role.

Figure 3-8 Edit Administrator Role Page for an Unconstrained Role

To assign administrators or groups to the role, select one or more in the Available list and move them into the Selected list. In most cases, you would assign either groups or administrators, but not both.

Click Modify Role to change the role definition, or Cancel to cancel the change. You return to the List/Add Administrator Roles page.

Deleting a Role

It may become necessary to delete a role if it is no longer in use. Note that you cannot delete a base role, because the system requires it.

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Roles tab. This opens the List/Add Administrator Roles page.

Actions to Take

To delete the role, click the Delete icon () next to its name in the list. A confirmation page appears where you can click Delete to continue with the deletion, or Cancel to cancel it.

Managing Keys

You can secure dynamic DNS updates using keys. When properly configured, this lets the DNS and DHCP servers verify that requests and responses come from an authorized source. Both the DNS and DHCP servers can read and process transaction signature (TSIG) data from Network Registrar or other servers. TSIG is based on RFC 2845. It uses the HMAC-MD5 (keyed MD5) algorithm to verify the integrity and origin of data transmitted over open networks between parties that share a common secret key; it authenticates each message but does not encrypt it. TSIG is relatively simple to configure, lightweight for resolvers and name servers to use, and flexible enough to secure DNS messages.

Entering the Key Data

In Network Registrar, the key name is associated with a secret value. The key name should reflect the name of the hosts using this key, and there should be a separate key for each host pair. Entry of a name also requires a secret. This section includes some rules and suggestions for entering key data.

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Keys tab. This opens the List/Add Encryption Keys page (see Figure 3-9).

Figure 3-9 List/Add Encryption Keys Page

Data to Enter

Entering keys requires entering values in the fields described in Table 3-13. The fields marked with an asterisk (*) are required.

Table 3-13 Entries on the List/Add Encryption Keys Page 

Entry
Description

Name*

Name of the key, in domain name format, which should reflect the names of the hosts sharing that key, such as host-a.host-b.example.com. Required.

Algorithm*

Always HMAC-MD5. You cannot modify this field.

Security Type*

Always TSIG. You cannot modify this field.

Time Skew

Amount of time that the time-stamp in packets signed with this key can differ from the local system time. This factor has a default value of five minutes (as specified in RFC 2845), and a range of one second to one hour. You can use the h, m, and s tag letters for time values expressed in hours, minutes, and seconds, respectively. If you omit the tag, the value is in seconds, making these values identical: 5m and 300. Optional.

Note Ensure that the system clocks between the DNS and DHCP servers fall within the time skew period. The shorter the time skew, the more secure the transaction.

Secret*

Shared secret, entered as a base64-encoded string. It should be at least as long as the keyed message digest (HMAC-MD5 is 16 bytes). Required.


You must enter the shared secret value as a base64 encoded string. This means that the only characters allowed are those in the base64 alphabet and one or two trailing pad characters (=). Entering nonbase64-encoded strings results in an error message.


Tip Network Registrar provides a random key generator utility, cnr_keygen. For details, see the "Generating Random Keys" section.


Because the shared secret is sensitive data and security would be compromised if this data were exposed, these rules and guidelines apply:

Do not add or modify keys using batch commands.

Change shared secrets frequently, perhaps every two months. Network Registrar recommends this without explicitly enforcing it.

The shared secret length should be at least as long as the keyed message digest (HMAC-MD5 is 16 bytes). Network Registrar does not explicitly enforce this and only checks that the shared secret is a valid base64-encoded string, although RFC 2845 recommends it.
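The following added example (not part of the guide and not Network Registrar code) shows what the key data above is used for: it validates a shared secret the way the Secret field does, then signs and verifies a DNS request with TSIG HMAC-MD5 as RFC 2845 specifies, including the time-skew (fudge) check. The DNS UPDATE message is constructed for the example, the key name is the one used in the guide's examples, and the secret is the sample value shown in the cnr_keygen output later in this section.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time

# Names and sizes from RFC 2845: HMAC-MD5 is the only algorithm this release
# supports, its digest is 16 bytes, and the default fudge (time skew) is 300 s.
HMAC_MD5_NAME = "hmac-md5.sig-alg.reg.int."
DIGEST_LEN = 16
DEFAULT_FUDGE = 300


def load_secret(b64_secret):
    """Decode a shared secret the way the key page accepts it: base64 only.
    Also enforce the RFC 2845 recommendation the product does not: the decoded
    secret must be at least as long as the digest."""
    try:
        raw = base64.b64decode(b64_secret, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is not a valid base64 string") from exc
    if len(raw) < DIGEST_LEN:
        raise ValueError(f"secret is {len(raw)} bytes; HMAC-MD5 needs at least {DIGEST_LEN}")
    return raw


def wire_name(name):
    """DNS wire form of a domain name, lower-cased as RFC 2845 requires for the MAC."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields that are mixed into the MAC (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)                      # CLASS ANY, TTL 0
            + wire_name(HMAC_MD5_NAME)
            + struct.pack("!HI", time_signed >> 32,           # 48-bit time signed
                          time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret, message, key_name, time_signed, fudge=DEFAULT_FUDGE):
    """MAC for a request: HMAC-MD5 over the unsigned message plus the TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()


def verify_tsig(secret, message, key_name, time_signed, mac,
                fudge=DEFAULT_FUDGE, now=None):
    """Return (ok, rcode_name). The skew window is checked first, then the MAC
    in constant time, which is the order a receiving server uses."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"


def sample_update():
    """Constructed minimal DNS UPDATE message (header + zone section) used as
    the signed payload; not captured from a real server."""
    header = struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 0, 0)  # ID, opcode UPDATE, ZOCOUNT 1
    return header + wire_name("example.com.") + struct.pack("!HH", 6, 1)  # SOA, IN


def demo():
    """Sign a request with the guide's sample secret and show the three outcomes
    a verifier can report: accepted, outside the skew window, tampered message."""
    secret = load_secret("xGVCsFZ0/6e0N97HGF50eg==")
    key_name = "host-a.host-b.example.com."
    msg = sample_update()
    signed_at = 1_700_000_000
    mac = tsig_mac(secret, msg, key_name, signed_at)
    in_window = verify_tsig(secret, msg, key_name, signed_at, mac, now=signed_at + 200)
    too_late = verify_tsig(secret, msg, key_name, signed_at, mac, now=signed_at + 301)
    tampered = verify_tsig(secret, msg[:-1] + b"\x02", key_name, signed_at, mac, now=signed_at)
    return in_window[1], too_late[1], tampered[1]


if __name__ == "__main__":
    print(demo())
```

The skew check is why the Note above insists on synchronized clocks: a correctly signed update from a server whose clock drifts past the Time Skew value is rejected with BADTIME before the MAC is even examined. Response signing (which additionally prefixes the request MAC) is omitted here.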

Actions to Take

After adding these values, you can add, edit, or delete the key:

To add the key, click Add. This adds the key item to the List/Add Encryption Keys page.

To edit a key, click its name in the list. This opens the Edit Encryption Key page. On this page, you can modify or unset only the Time Skew and Secret fields. To unset a field, check its Unset? box and click Unset Fields. Click Modify Key to submit the change, or Cancel to cancel.

To delete a key, click the Delete icon () next to its name on the List/Add Encryption Keys page, and confirm or cancel the deletion.

Generating Random Keys

You can use the Network Registrar cnr_keygen utility to generate random key secrets that you can then enter in the Secret field on the List/Add Encryption Keys page (see Figure 3-9). Run cnr_keygen from a Windows command prompt or a Solaris or Linux shell:

On Windows, the utility is, by default, in the C:\Program Files\Network Registrar\bin folder.

On Solaris and Linux, the utility is, by default, in the /opt/nwreg2/usrbin directory.

> /opt/nwreg2/usrbin/cnr_keygen -n host-a.host-b.example.com. -b 16 -s 300
key "host-a.host-b." {
        algorithm hmac-md5;
        secret "xGVCsFZ0/6e0N97HGF50eg==";
        # cnr-time-skew 300;
        # cnr-security-type TSIG;
};

The only required input is the key name. Table 3-14 describes the command options.

Table 3-14 Options for the cnr_keygen Utility 

Option
Description

-n name

Key name. Required. The maximum length is 255 bytes.

-a hmac-md5

Algorithm. Optional. Only hmac-md5 is currently supported.

-b bytes

Byte size of the secret. Optional. The default is 16 bytes. The valid range is 1 through 64 bytes.

-s skew

Time skew for the key, or the amount of time that the time stamp in packets signed with this key can differ from the local system time. Optional. The default is five minutes. The range is one second through one hour.

Note Ensure that the system clocks between the DNS and DHCP servers fall within the time skew period.

-t tsig

Type of security used. Optional. Only TSIG is currently supported.

-h

Help. Optional. Displays the syntax and options of the utility.

-v

Version. Optional. Displays the version of the utility.


The resulting secret is a random value, base64-encoded. Enter this value in the Secret field on the List/Add Encryption Keys page.

You can also redirect the output to a file using the > or >> redirection operators at the end of the command line. The > operator writes (or overwrites) the named file, while >> appends to an existing file.

> /opt/nwreg2/usrbin/cnr_keygen -n example.com > keyfile.txt 
> /opt/nwreg2/usrbin/cnr_keygen -n example.com >> addtokeyfile.txt 

You can then import the key file into Network Registrar using the CLI to generate the keys in the file. The key import can generate as many keys as it finds in the import file. Use this CLI command to import the key file:

nrcmd> import keys keyfile.txt 


Tip Refresh the list of encryption keys using the Refresh icon () if you used the CLI to import the keys.
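The following added example (not part of the guide and not the cnr_keygen utility itself) produces key entries in the output layout shown above, applying the limits from Table 3-14, and then reads a key file back to audit it against the rules in this section before it is imported. It assumes that the import file uses the same layout as the cnr_keygen output; the secret comes from the operating system's CSPRNG.

```python
import base64
import binascii
import re
import secrets

# Limits and defaults from Table 3-14 (-n, -b, -s).
MAX_NAME_BYTES = 255
MIN_SECRET, MAX_SECRET, DEFAULT_SECRET = 1, 64, 16
MIN_SKEW, MAX_SKEW, DEFAULT_SKEW = 1, 3600, 300
DIGEST_LEN = 16   # HMAC-MD5 digest; the minimum secret length the guide recommends


def make_key(name, nbytes=DEFAULT_SECRET, skew=DEFAULT_SKEW):
    """Return one entry in the cnr_keygen output layout shown above, with a
    secret from the OS CSPRNG. The bounds checks mirror Table 3-14."""
    if not name or len(name.encode("ascii")) > MAX_NAME_BYTES:
        raise ValueError("key name is required and limited to 255 bytes")
    if not MIN_SECRET <= nbytes <= MAX_SECRET:
        raise ValueError("secret size must be 1 through 64 bytes")
    if not MIN_SKEW <= skew <= MAX_SKEW:
        raise ValueError("time skew must be 1 through 3600 seconds")
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    return (f'key "{name}" {{\n'
            f'        algorithm hmac-md5;\n'
            f'        secret "{secret}";\n'
            f'        # cnr-time-skew {skew};\n'
            f'        # cnr-security-type TSIG;\n'
            f'}};\n')


KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{(.*?)\};', re.S)


def parse_key_file(text):
    """Read entries back out of a key file in the same layout (assumed here to
    be what 'nrcmd> import keys' consumes)."""
    keys = []
    for name, body in KEY_RE.findall(text):
        alg = re.search(r'algorithm\s+([\w-]+);', body)
        sec = re.search(r'secret\s+"([^"]*)";', body)
        skew = re.search(r'cnr-time-skew\s+(\d+);', body)
        keys.append({
            "name": name,
            "algorithm": alg.group(1) if alg else "",
            "secret": sec.group(1) if sec else "",
            "skew": int(skew.group(1)) if skew else DEFAULT_SKEW,
        })
    return keys


def audit_keys(text):
    """Apply the guide's rules before importing: valid base64, at least 16
    decoded bytes, hmac-md5 only, skew in range. Returns name -> problems."""
    report = {}
    for key in parse_key_file(text):
        problems = []
        try:
            raw = base64.b64decode(key["secret"], validate=True)
            if len(raw) < DIGEST_LEN:
                problems.append(f"secret shorter than 16-byte digest ({len(raw)} bytes)")
        except (binascii.Error, ValueError):
            problems.append("secret is not valid base64")
        if key["algorithm"] != "hmac-md5":
            problems.append(f"unsupported algorithm {key['algorithm']!r}")
        if not MIN_SKEW <= key["skew"] <= MAX_SKEW:
            problems.append(f"time skew {key['skew']} outside 1..3600")
        report[key["name"]] = problems
    return report


if __name__ == "__main__":
    import sys
    # python3 keygen.py host-a.host-b.example.com. host-c.host-d.example.com. > keyfile.txt
    sys.stdout.write("".join(make_key(n) for n in sys.argv[1:]))
```

Because the product only checks that a secret is valid base64, audit_keys is the place to catch a secret generated with -b smaller than 16 before it reaches the server. Remember that the file holds the plaintext secrets: restrict its permissions and delete it once the import has succeeded.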


Managing Access Control Lists

Access control lists (ACLs) provide a way to assign security keys to the DNS server or to individual zones. ACLs also provide an easier way to manage dynamic update restrictions with a more versatile form of listing authorized networks and hosts. You can set these types of ACLs:

Keys

IP addresses

Network addresses (including their mask)

Other ACLs

How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the ACLs tab. This opens the List/Add Access Control Lists page (see Figure 3-10).

Figure 3-10 List/Add Access Control Lists Page

Data to Enter

Entering ACLs requires entering values in the fields described in Table 3-15. The Name value is required.

Table 3-15 Entries on the List/Add Access Control Lists Page 

Entry
Description

Name*

Unique name of the ACL, as alphanumeric characters. Do not use a name resembling an IP address. Required.

Match List

Match list for the ACL, which can be a key, IP address and mask, or another ACL. You can combine one or more of these values separated by commas:

Key—The value must be in the form key name, with the keyword key followed by the name of the key (do not use quotes). See the "Managing Keys" section.

IP address—In the form 192.168.1.2.

Network address (with mask)—In the form 192.168.1.0/24.

Another ACL—That ACL must be predefined. Note that you should not delete an ACL that is referenced in another ACL's match list.
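The following added example (not part of the guide and not Network Registrar code) implements the match-list semantics described in Table 3-15 so that the effect of an ACL can be checked offline: it parses a match list into keys, addresses, networks and nested ACL references, evaluates whether a request matches, and reports which ACLs reference a given ACL before you delete it. The ACL table is constructed for the example; the evaluation order and the handling of a missing or cyclic reference are assumptions, not documented server behaviour.

```python
import ipaddress

# Constructed ACL table (not from the guide): ACL name -> match list exactly
# as it would be typed into the Match List field.
ACLS = {
    "dhcp-updaters": "key dhcp1.dns1.example.com., 192.168.1.2",
    "corp-nets": "192.168.1.0/24, 10.0.0.0/8",
    "zone-update": "dhcp-updaters, corp-nets, key ops.example.com.",
}


def parse_match_list(text):
    """Split a match list into typed entries: ('key', name), ('ip', address),
    ('net', network) or ('acl', name). Anything that parses as an address is
    treated as one, which is why an ACL name must not look like an IP address."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.lower().startswith("key "):
            entries.append(("key", item[4:].strip().lower()))   # DNS names compare case-insensitively
            continue
        try:
            if "/" in item:
                entries.append(("net", ipaddress.ip_network(item, strict=False)))
            else:
                entries.append(("ip", ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass
        entries.append(("acl", item))
    return entries


def acl_allows(acls, name, src_ip=None, key_name=None, _path=frozenset()):
    """True if any entry of the named ACL matches the request's source address
    or TSIG key name. Nested ACL references are followed; a reference to a
    missing ACL (for example one that was deleted) or a reference cycle raises."""
    if name in _path:
        raise ValueError(f"ACL reference cycle through {name!r}")
    if name not in acls:
        raise KeyError(f"ACL {name!r} is referenced but does not exist")
    path = _path | {name}
    ip = ipaddress.ip_address(src_ip) if src_ip else None
    key = key_name.lower() if key_name else None
    for kind, value in parse_match_list(acls[name]):
        if kind == "key" and key == value:
            return True
        if kind == "ip" and ip is not None and ip == value:
            return True
        if kind == "net" and ip is not None and ip in value:
            return True
        if kind == "acl" and acl_allows(acls, value, src_ip, key_name, path):
            return True
    return False


def referenced_by(acls, name):
    """ACLs whose match list references `name`. Check this (and each zone's
    update-acl attribute) before deleting an ACL."""
    return sorted(acl for acl, match_list in acls.items()
                  if ("acl", name) in parse_match_list(match_list))


if __name__ == "__main__":
    print(acl_allows(ACLS, "zone-update", src_ip="10.20.30.40"))
    print(acl_allows(ACLS, "zone-update", src_ip="172.16.0.1", key_name="ops.example.com."))
    print(referenced_by(ACLS, "corp-nets"))
```

An unsigned update from 172.16.0.1 is refused by zone-update, while the same source presenting the ops.example.com. key is accepted; that is the difference between restricting by network and restricting by key that the section opens with.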


Actions to Take

After adding these values, you can add, edit, or delete the ACL:

To add the ACL, click Add. This adds the ACL entry to the ACLs page.

To edit an ACL, click its name on the ACLs page. This opens the Edit Access Control List page. On this page, you can modify only the Match List field. Click Modify ACL to submit the change, or Cancel to cancel.

To delete an ACL, click the Delete icon () next to its name on the ACLs page, and confirm or cancel the deletion.


Note Avoid deleting ACLs that are referenced by the update-acl attribute for zones, or in other ACLs.


Managing Servers

You can manage the Network Registrar protocol servers (DNS, DHCP, and TFTP), MCD server, and local server agent from the Web UI. Managing these servers involves determining their current state and health, and starting, stopping, or reloading the protocol servers, if necessary.


Note If you find a server error, investigate the server log file for a configuration error, correct the error, return to this page, then refresh the page.


How to Get There

On the Primary Navigation bar, click the Administration tab. On the Secondary Navigation bar, click the Servers tab. This opens the Manage Servers page (see Figure 3-11).

Figure 3-11 Manage Servers Page

Actions to Take

Table 3-16 describes the columns on this page.

Table 3-16 Columns on the Manage Servers Page 

Column
Description

Name

Description (if local) or name (if remote) of each server.

IP Address

IP address of the server, or localhost.

Type

Type of server—DNS, DHCP, TFTP, MCD, or the local agent.

State

State of the server—initialized, running, or disabled. If the Web UI cannot determine the state, a question mark (?) appears.

Health

Relative health of the server, as a color indicator: () for optimal health, () for less than optimal health, and () for stopped. The numbers in parentheses range from 0 (stopped) to 10 (optimum health). If the Web UI cannot determine the server's health, a question mark (?) appears. Note that the DHCP server is healthy only if at least one scope of addresses exists.

Statistics

Click the Report () icon to view statistics for the protocol server. This opens the Statistics for Server page, which shows statistics relevant to the server. You can refresh the statistics using the Refresh icon (). To return to managing the server, click Return to Manage Servers on that page. Each statistic item is described in the help window when you click the item name.

View Log

Click the Logs () icon to view the log files for the server. This opens the Log for Server page, which lists the log items for the particular server ordered by date and time. You can step through the log using the arrow keys and change the number of items shown by clicking Change Page Size. You can display the log items in two different ways, a tabular format and in the log file format (which you can better use for cutting-and-pasting to a text file). Toggle between these two display modes using the Logs () icon on the Log for Server page. To return to managing the server, click Return to Manage DNS Server on that page.

Start/Stop/
Reload

Click the Start icon () to start or restart the protocol server, click the Stop icon () to stop the server, or click the Refresh icon () to reload the server. If the function is unsuccessful, a red X appears in the column.


Viewing the Database Change Logs

You can view the change log for entries made to two databases:

Central Configuration Manager (CCM) database

Network Registrar server (MCD) database

The change logs are in reverse chronological order. You can also view the change sets for each of the log entries.

Viewing the CCM Database Change Log and Sets

The CCM database change log shows the changes made to the CCM database by Web UI administrators. The change sets are listed in reverse chronological order, with the most recent change at the top of the list. Every change log has zero or more change set entries. The change set entries are in S-expression format, showing the object class and attribute-value pairs in parentheses. If there are spaces in the change set expression, it is enclosed in square brackets.

How to Get There

On the Primary Navigation bar, click Administration. On the Secondary Navigation bar, click CCM Change Log. This opens the View CCM Change Log page (see Figure 3-12).

Figure 3-12 View CCM Change Log Page

Actions to Take

On this page, you can view the change log entries and their change sets:

View change log—Display each database change log entry. Each entry identifies the database sequence number (DBSN), date entered, responsible administrator, and how many entries are in the change set. Unless you change the Change Page Size value at the bottom of the page, the list shows only the last ten entries by default.

View change sets for a change log item—Click the change set number in the DBSN column. This opens the View CCM Change Set page (see Figure 3-13). At the top of the page is the change log item. Below it is the list of change set entries for the log item. You can navigate through each change log item by clicking the left and right arrow buttons to the right of the DBSN column heading.

Figure 3-13 View CCM Change Set Page

To return to the View CCM Change Log page, click Return to Change Set List.

The change set display is in S-expression format. Under each change entry are any CCM tasks created for the change set. See the "Viewing CCM Tasks" section for details on CCM tasks.

Viewing the MCD Database Change Log and Sets

The MCD database change log shows the changes an administrator made to the Network Registrar server (MCD) database. The change sets are listed in reverse chronological order, with the most recent change at the top of the list. Every change log has zero or more change set entries. The change set entries are in S-expression format, showing the object class and attribute-value pairs in parentheses. If there are spaces in the change set expression, it is enclosed in square brackets.

How to Get There

On the Primary Navigation bar, click Administration. On the Secondary Navigation bar, click MCD Change Log. This opens the View MCD Change Log page (which is virtually identical to the View CCM Change Log page shown in Figure 3-12).

Actions to Take

On this page, you can view the MCD database change log entries and their change sets:

View change log—Display each database change log entry. Each entry identifies the database sequence number (DBSN), date entered, responsible administrator, and how many entries are in the change set. Unless you change the Change Page Size value at the bottom of the page, the list shows only the last ten entries by default.

View change sets for a change log item—Click the change set number in the DBSN column. This opens the View MCD Change Set page (which is virtually identical to the View CCM Change Set page shown in Figure 3-13). At the top of the page is the change log item. Below it is the list of change set entries for the log item. You can navigate through each change log item by clicking the left and right arrow buttons to the right of the DBSN column heading.

To return to the View MCD Change Log page, click Return to Change Set List.

The change set display is in S-expression format. Each change entry shows any MCD tasks created for the change set. See the "Viewing MCD Tasks" section for details on MCD tasks.

Viewing Database Tasks

The Network Registrar databases create one or more tasks for certain operations on the CCM and MCD databases. You can view these tasks for both databases. Tasks are created only for the operations listed in Table 3-17.

Table 3-17 Database Operations Creating Tasks 

CCM Database Operations

Modify an address block or subnet

Add, modify, or remove a resource record set

Add, modify, or remove a host

Add, modify, or remove a zone

MCD Database Operations

Add or remove a scope

Add or remove a network

Add or modify a failover pair

The tasks refer back to change set DBSN numbers for change logs (see the "Viewing the Database Change Logs" section). You can expand and contract the tree of change logs to display the tasks for each one on the List CCM Tasks and List MCD Tasks pages.

Viewing CCM Tasks

CCM tasks are displayed on the List CCM Tasks page.

How to Get There

On the Primary Navigation bar, click Administration. On the Secondary Navigation bar, click CCM Tasks. This opens the List CCM Tasks page (see Figure 3-14).

Figure 3-14 List CCM Tasks Page

Actions to Take

Click the + sign next to any of the DBSN entry numbers to display the tasks for that entry. To expand all the entries, click Expand All; to collapse them, click Collapse All. Click the DBSN number itself to open the View CCM Change Set (see Figure 3-13) page for that change entry. The Task Description column describes the task as a simple entry of what type of object was added and the name of the object.

Viewing MCD Tasks

MCD tasks are displayed on the List MCD Tasks page.

How to Get There

On the Primary Navigation bar, click Administration. On the Secondary Navigation bar, click MCD Tasks. This opens the List MCD Tasks page (see Figure 3-15).

Figure 3-15 List MCD Tasks Page

Actions to Take

Click the + sign next to any of the DBSN entry numbers to display the tasks for that entry. To expand all the entries, click Expand All; to collapse them, click Collapse All. Click the DBSN number itself to open the View MCD Change Set page for that change entry.

The Task Description column describes the task as a simple entry of what type of object was added and the name of the object.