Cisco Prime Collaboration Assurance Guide - Advanced, 10.0
Managing Device Credentials

You need to configure device credentials for all devices that are managed using Cisco Prime Collaboration. Device credentials are required for discovering devices and updating inventory. If the credentials vary for different devices, create separate credentials profiles. That is, if you want to manage two Cisco Unified Communications Managers with different credentials in Prime Collaboration, you must create two separate credentials profiles.


Note


  • Credentials are not required for the phones, Cisco Cius, and Cisco Jabber Video for TelePresence (Movi) endpoints. These endpoints are discovered with the discovery of the call processor with which they are registered.
  • You must enter CLI credentials for video endpoints and network devices before you start the troubleshooting workflow.
  • Ensure that you create an Enterprise License Manager profile by selecting Enterprise License Manager as the Device Type.

Adding a Device Credentials Profile

You must add and configure device credentials before discovering devices.

In your network, you may have configured the same SNMP credentials for all devices, but different CLI credentials. In such cases, first create a new profile and later clone the existing profile.


Note


JTAPI credentials are not required for Prime Collaboration Assurance Standard mode.

To add a new credential profile:


    Step 1   Choose Operate > Device Work Center.
    Step 2   In the Device Work Center page, click Manage Credentials.
    Step 3   In the Credentials Profile window, click Add and enter the necessary information. See the Credential Profiles Field Descriptions table.
    Step 4   Click Save.

    SSL Certificate Authentication for Device Discovery

    A Secure Socket Layer (SSL) certificate is primarily used to provide a secure connection between a server and a browser. The SSL certificate encrypts the sensitive information like login credentials, device credentials, and other details that you enter on the server. The encrypted information is communicated between the server and the respective browsers for authentication.

    In Prime Collaboration, when a device is added, the SSL certificates are exchanged for credential validation by accessing a protected resource using HTTPS. During this exchange, the SSL certificate is not stored in the Prime Collaboration trust-store, so communication with the device fails at a later point. It is recommended that you manually import the SSL certificate into the Prime Collaboration trust-store to access the device.

    Prime Collaboration enables you to check the authenticity of the SSL certificate during its communication with the devices or applications over HTTPS. However, this is not mandatory, as you can still discover the devices without authenticating the certificate.

    By default, Prime Collaboration does not validate the certificates from the devices or applications it communicates with. To enable the SSL certificate authentication:


      Step 1   Choose Administration > System Setup > Assurance Setup > General Settings.
      Step 2   Check the Enable Certificate Authentication check box and click Save.
      Step 3   Log in as root to the Prime Collaboration Assurance server to import SSL certificates to the trust-store (use SSH with port 26 to log in).
      Step 4   Enter the following command if the certificate is already downloaded:

      ./emsam_certificate_import.sh <dir_path>

      For example,

      ./emsam_certificate_import.sh /root/cert

      Step 5   Enter the following command if the certificate needs to be downloaded and then imported:

      ./emsam_certificate_import.sh <file> <dir_path>

      For example,

      ./emsam_certificate_import.sh ip.txt /root/cert

      Step 6   Restart the Prime Collaboration server for the changes in trust manager to take effect.
      cpcmcontrol.sh restart

      Cloning a Device Credentials Profile

      To copy an existing credential profile:


        Step 1   Choose Operate > Device Work Center.
        Step 2   In the Device Work Center page, click Manage Credentials.
        Step 3   In the Credentials Profile window, select an existing profile and click Clone.
        Step 4   Click Add/Update.

        Credential Profiles Field Descriptions

        After the devices are discovered, you can check the current Inventory table to verify that the credentials have been updated in the Prime Collaboration database.


        Note


        JTAPI credentials are not required for Prime Collaboration Assurance Standard mode.

        The following table describes the fields on the Credential Profiles page.

        Table 1 Credential Profiles Field Descriptions

        Field Name

        Description

        Profile Name

        Name of the credential profiles.

        For example:

        • CTS_MAN
        • CUCM
        • router_switches

        Device Type

        (Optional) The credential fields (such as SNMP, CLI) are displayed, based on the device type that you have selected.

        To reduce rediscovery time, we recommend that you select the device type when you create the credential profiles.

        The default device type is “Any”, if you do not select a device type while creating a credential profile.

        See Cisco.com for the list of device types.

        For EX series, MX series, SX series, bare Codec devices, and all profiles with Codec, select the device type as Codec.

        For MSE devices, select Cisco MCU as the device type.

        You can enter any credentials (SNMP, HTTP, JTAPI, CLI, MSI) to create an Any credential profile. You must create an Any credential profile to run autodiscovery (Ping Sweep and CDP discovery). However, you can run logical discovery also.

        If your network has multiple subnets, then create an Any profile for each subnet.

        IP Version(1)

        The IP address is version 4 or version 6.

        IP Address Pattern

        IP address of the devices for which the credentials are provided. You must:

        • Separate multiple IP addresses by the delimiter pipe (|).
        • Not use 0.0.0.0 or 255.255.255.255.
        • Not use question mark (?).

        We recommend that you:

        • Enter the exact IP address for CTS-Manager, Cisco Unified CM, and Cisco TMS.
        • Enter the exact IP address for either CTS or network devices.
        • Do not use many wildcard expressions in the address patterns.

        For example:

        • 100.5.10.*|100.5.11.*|100.5.20.*|100.5.21.*
        • 200.5.1*.*|200.5.2*.*|200.5.3*.*
        • 172.23.223.14
        • 150.5.*.*

        Avoid using patterns such as 150.*.*.*, 192.78.22.1?, 150.5.*.*/24.

        If you are unable to find a common pattern for the devices, enter *.*.*.*.

        See SNMPv2C to understand how the patterns are used.

        General SNMP Options

        SNMP Timeout - The default is 10 seconds.

        SNMP Retries - The default is 2.

        SNMP Version - Selecting an SNMP version is mandatory.

        SNMPv2C

        Used to discover and manage the device.

        SNMP Read Community String

        You can provide either SNMPv2C or SNMPv3 credentials. We recommend that you use different SNMP credentials for Cisco TelePresence systems and network devices.

        Prime Collaboration searches the credential profiles, based on the IP address pattern. Prime Collaboration then chooses a profile for which the SNMP credentials match. There can be multiple matching profiles, that is, profiles with the same SNMP credentials. In such cases, Prime Collaboration chooses the profile that matches first.

        Note   

        If multiple profiles have the same SNMP credentials but different CLI credentials, Prime Collaboration might choose a profile that contains the correct SNMP credentials but incorrect CLI credentials for the device. If this occurs, the troubleshooting workflow might not work.

        SNMP Write Community String

        SNMPv3

        Used to discover and manage the device.

        SNMP Security Name - Enter a security name.

        SNMP Authentication Protocol - You can choose either MD5 or SHA.

        SNMP Authentication Passphrase - Enter a passphrase.

        CLI

        Used to access the device through CLI to discover media path for troubleshooting.

        CLI Login Username and Password

        The CLI credentials are used during the troubleshooting workflow. If the credentials are not entered or if the entered credentials are incorrect, the troubleshooting workflow feature may not work.

        HTTP

        Used to access the device through HTTP to poll system status and meeting information.

        HTTP Username and Password

        Prime Collaboration first checks the access for HTTP. If the access attempt fails, then Prime Collaboration checks the access for HTTPS.

        If you log in to Cisco TMS using the <domain/username> format, then ensure that you add the same <domain/username> value in the HTTP(s) Username field.

        JTAPI

        Used to retrieve the session status information from the Cisco Unified CM.

        JTAPI Username and Password.

        Note   

        Password must not contain a semicolon (;) or equals (=).

        JTAPI is optional. It is required only for TelePresence session monitoring.

        MSI

        Used to access the device through MSI to discover media path for troubleshooting.

        MSI Username and Password

        The MSI credentials are used during the troubleshooting workflow, to troubleshoot MSI enabled endpoints.

        MSI credentials remain the same as HTTP credentials for TC 6.0 and TE 6.0 software versions. For TX 6.0 version, the default MSI username is msiuser and the password is cisco.

        (1) For Prime Collaboration compatibility details with IPv6 devices, see Prime Collaboration Support for IPv6.

        Note


        Minimize the use of the wildcard character (*) when defining the IP address patterns in the credential profiles (Operate > Device Work Center > Manage Credentials). Use of the wildcard character may increase the discovery time.
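
The IP Address Pattern rules in Table 1 and the first-match behaviour described under SNMPv2C can be checked offline before profiles are entered. The following Python is an added example, not part of the Cisco guide or product; the function names, the profile dictionary layout, the per-octet glob reading of `*`, and the "three or more wildcard octets" threshold are assumptions of this example, and it covers IPv4 patterns only.

```python
import fnmatch

RESERVED = {"0.0.0.0", "255.255.255.255"}

def lint_pattern(field):
    """Check one IPv4 'IP Address Pattern' value against the rules in Table 1."""
    problems = []
    for part in field.split("|"):
        octets = part.split(".")
        if "?" in part:
            problems.append(f"{part}: question mark is not allowed")
        if "/" in part:
            problems.append(f"{part}: prefix-length suffix is a form the guide says to avoid")
        if part in RESERVED:
            problems.append(f"{part}: reserved address is not allowed")
        # Assumption: >= 3 wildcard octets is too broad (cf. 150.*.*.*); *.*.*.* is the fallback.
        if len(octets) != 4 or "" in octets:
            problems.append(f"{part}: expected four dot-separated octets")
        elif octets.count("*") >= 3 and part != "*.*.*.*":
            problems.append(f"{part}: too many wildcard octets")
    return problems

def pattern_matches(field, ip):
    """Assumption: '*' is a glob inside each octet, so 1* matches 1, 10-19 and 100-199."""
    ip_octets = ip.split(".")
    if len(ip_octets) != 4:
        return False
    for part in field.split("|"):
        pat = part.split(".")
        if len(pat) == 4 and all(fnmatch.fnmatchcase(o, p) for o, p in zip(ip_octets, pat)):
            return True
    return False

def cli_conflicts(profiles, ip):
    """Pairs (earlier, later) matching ip with equal SNMP but different CLI credentials."""
    hits = [p for p in profiles if pattern_matches(p["pattern"], ip)]
    conflicts = []
    for i, first in enumerate(hits):
        for later in hits[i + 1:]:
            if first["snmp"] == later["snmp"] and first["cli"] != later["cli"]:
                conflicts.append((first["name"], later["name"]))
    return conflicts

# Constructed sample profiles; the credential values are labels, not real secrets.
PROFILES = [
    {"name": "router_switches", "pattern": "150.5.*.*", "snmp": "ro-A", "cli": "cli-net"},
    {"name": "CTS_MAN", "pattern": "150.5.20.14", "snmp": "ro-A", "cli": "cli-cts"},
    {"name": "CUCM", "pattern": "172.23.223.14", "snmp": "ro-B", "cli": "cli-cucm"},
]

if __name__ == "__main__":
    print([lint_pattern(p["pattern"]) for p in PROFILES])
    print(cli_conflicts(PROFILES, "150.5.20.14"))
```

In the sample, the broad router_switches pattern also covers the exact CTS_MAN address with the same SNMP label, which is the situation the Note under SNMPv2C says can leave a device with the wrong CLI credentials.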


        Modifying Device Credentials

        If you have modified credentials for the devices that you are currently managing in the Prime Collaboration application, you must modify the relevant credential profiles in the Prime Collaboration database.

        If the credentials are incorrect, a major event, Device is not accessible from Prime Collaboration, is triggered (Operate > Alarms & Events > Events).

        To edit a credential profile:


          Step 1   Choose Operate > Device Work Center.
          Step 2   From the Device Work Center, select a device and click Modify Credentials.
          Step 3   Update the credentials and click Rediscover.

          Prime Collaboration takes a few minutes to update its database with the modified credentials. After the credentials are updated, an informational event, Device is accessible from Collaboration Manager, is triggered. Prime Collaboration uses the updated credentials in the next polling job.


          Verifying Device Credentials

          If device discovery fails because of incorrect credentials, you can test the credentials for the failed devices and rediscover those devices. Choose Operate > Device Work Center > Discovery Jobs for a list of devices that were not discovered.


          Note


          Do not run this task when a discovery job is in progress.


          To verify device credentials:


            Step 1   Choose Operate > Device Work Center.
            Step 2   From the Device Work Center, click Manage Credentials.
            Step 3   From the Credential Profiles window, select the profile name to use for testing the credentials, and click Verify.
            Step 4   Enter a valid device IP address to test the credentials. You can verify only one device at a time, and you cannot enter expressions such as *.*.*.*, 192.2.*.*, and so on.
            Step 5   Click Test. An in-progress icon is displayed next to the Test button until the task completes. The test results are displayed under the Test Credential Result pane.

            If the verification fails, see the possible reasons listed in Credential Verification Error Messages.


            Credential Verification Error Messages

            The credential verification error messages are tabulated below.

            Table 2 Credential Verification Error Messages

            SNMPv2

            Error Message: SNMP Request: Received no response from IP Address.
            Conditions: Failed for one of the following reasons:
            • Device response time is slow.
            • Device is unreachable.
            • Incorrect community string entered in the credential profile.
            Possible Solutions:
            • Verify the device connectivity.
            • Update the credential profile with the correct community strings.

            Error Message: SNMP timeout.
            Conditions: Either the device response time is slow or the device is unreachable.
            Possible Solutions:
            • Verify the device connectivity.
            • Increase the SNMP Timeout and Retries values in the credential profile.

            Error Message: Failed to fetch table due to: Request timed out.
            Conditions: Either the device response time is slow or the device is unreachable.
            Possible Solutions: Increase the SNMP Timeout and Retries values in the credential profile.

            SNMPv3

            Error Message: The configured SNMPv3 security level is not supported on the device.
            Conditions: Device does not support the configured SNMPv3 security level.
            Possible Solutions: Change the SNMPv3 security level to the supported security level in the credential profile.

            Error Message: The SNMPv3 response was not received within the stipulated time.
            Conditions: Either the device response time is slow or the device is unreachable.
            Possible Solutions: Verify the device connectivity.

            Error Message: SNMPv3 Engine ID is wrong.
            Conditions: Incorrect engine ID entered in the credential profile.
            Possible Solutions: Enter the correct SNMPv3 engine ID in the credential profile.

            Error Message: SNMPv3 message digest is wrong.
            Conditions: Failed for one of the following reasons:
            • Either the SNMPv3 authentication algorithm or the device password is incorrect.
            • Network errors.
            Possible Solutions:
            • Verify that the correct SNMPv3 authentication algorithm and device password are set in the credential profile.
            • Check for network errors.

            Error Message: SNMPv3 message decryption error.
            Conditions: Cannot decrypt the SNMPv3 message.
            Possible Solutions: Verify that the correct SNMPv3 authentication algorithm is entered in the credential profile.

            Error Message: Unknown SNMPv3 Context.
            Conditions: The configured SNMPv3 context in the credential profile does not exist on the device.
            Possible Solutions: Verify that the configured SNMPv3 context is correct in the credential profile.

            Error Message: Unknown SNMPv3 security name.
            Conditions: Either the SNMPv3 username is incorrect in the credential profile or the SNMPv3 username is not configured on the device.
            Possible Solutions: Verify that the correct SNMPv3 username is set in the credential profile and on the device.

            CLI

            Error Message: Login authentication failed.
            Conditions: Incorrect credentials entered in the credential profile.
            Possible Solutions: Verify and reenter the device CLI credentials in the credential profile.

            Error Message: Connection refused.
            Conditions: Either SSH or Telnet service may not be running on the device.
            Possible Solutions:
            1. Verify the device connectivity for the supported CLI (port).
            2. Verify whether the SSH or Telnet service is running on the device.

            HTTP

            Error Message: Server returned HTTP response code: 401 for URL.
            Conditions: Either the HTTP service is not running or the URL is invalid.
            Possible Solutions:
            • Verify whether the HTTP or HTTPS service is running on the device.
            • Verify whether the URL is valid on the server.

            Error Message: Connection refused.
            Conditions: The HTTP or HTTPS service is not running.
            Possible Solutions: Verify whether the HTTP or HTTPS service is running on the device.

            Error Message: HTTP check failed.
            Conditions: Incorrect HTTP credentials entered in the credential profile.
            Possible Solutions: Verify and reenter the device HTTP credentials in the credential profile.

            JTAPI

            Error Message: Failed to access JTAPI.
            Conditions: Incorrect JTAPI credentials entered in the credential profile.
            Possible Solutions: Verify and reenter the device JTAPI credentials in the credential profile.
            Note: Password must not contain a semicolon (;) or equals symbol (=).

            MSI

            Error Message: Failed to access MSI.
            Conditions: Incorrect MSI credentials entered in the credential profile.
            Possible Solutions: Verify and reenter the device MSI credentials in the credential profile.


            Note


            All the nodes in the cluster may not be running all the protocols. For example, JTAPI may not be running on all the nodes. As a result, the credential validation test may fail for some of your nodes. After fixing the credentials issue, test the device credentials again and run the discovery for that device. After the devices are discovered, you can verify if the access information is updated in the Prime Collaboration database in the current Inventory table. To know more about the inventory table, see the View Inventory Details section in the Cisco Prime Collaboration Assurance Guide Advanced, 10.0.

            Deleting a Device Credential Profile

            You can delete only unused credential profiles. We recommend that you do not delete the credential profile of a device that is being managed in the Prime Collaboration application.

            For Prime Collaboration Assurance Advanced: To verify whether a profile is being used, go to the Inventory page and select a device. The profile details for the device are displayed in the Access Information pane. See Access Information.

            To delete a credential profile:


              Step 1   Choose Operate > Device Work Center.
              Step 2   In the Device Work Center page, click Manage Credentials. By default, the credentials for a device that appears first on the list are displayed.
              Step 3   Select the profile name and click Delete.