Prime Collaboration supports creation of user roles. A user can be assigned the Super Administrator role. A Super Administrator can perform tasks that both system administrator and network administrator can perform.
Prime Collaboration is preconfigured with a default web client administrator user called globaladmin; globaladmin is a superuser who can access both the Prime Collaboration Assurance UIs.
Specify a password for globaladmin when you configure your virtual appliance. You need to use these credentials when you launch the Prime Collaboration web client for the first time.
Prime Collaboration Assurance servers support these CLI users: admin and root.
You cannot create CLI users using the web client UI. CLI users are created during OVA configuration. By default, the username is admin; the password is specified during OVA configuration and is used to log into the CLI to check the application status and perform backup and restore.
We recommend that you write down the root password as it cannot be retrieved.
CLI users are not listed on the Prime Collaboration User Management page.
globaladmin and root follow the same set of password validation rules, but the rules for admin are different. See the Cisco Prime Collaboration 10.0 Quick Start Guide for the password validation rules for these users.
Two types of Provisioning user roles are available: global and domain-specific.
The global Provisioning user is typically an IP telephony expert who configures Prime Collaboration Provisioning business abstractions for voice applications. The domain-specific Provisioning user can be an administrator for a single domain but can be a user for multiple domains.
The user roles for Prime Collaboration Provisioning are explained in Table 1.
In the drop-down list, select the Domain for which you are setting the authorization roles. The selected roles only apply to the selected Domain. To apply the same authorization role to all available domains, select Apply to all domains.
If the administrator selects Apply to all domains, existing roles of the user in all the domains will be overridden with the current selection.
Authorized to view phone button templates, modify user roles, and add or update phone inventory.
Infrastructure Configuration Management
Authorized to provision infrastructure configuration objects. When you select this role, you must also select a profile from the Permission Profile box.
Authorized to manage their own services: set up lines, manage services, and configure phone options quickly and easily.
In the standalone Prime Collaboration Provisioning application, you can enable or disable Self-Care while adding both users. The Self-Care check box is not available while adding users. However, after creating a user, you can assign Self-Care role from the Manage User page. See Cisco Prime Collaboration 10.0 Provisioning Guide.
Users assigned these roles are allowed to place orders for other users and themselves.
Add, delete, or update a user within a Domain.
Add, delete, or update a user role within a Domain (if the rule for that Domain permits it).
Add, delete, or update phones in the inventory within a Domain (if the rule for that Domain permits it).
Search and view detailed user information within a Domain.
Place an order for a user within a Domain.
Authorized to access all the functionality specified by the Ordering role; can also access Advanced Order Options in the Order Entry page.
Authorized to access all the functionality specified by the Ordering role, and to assign the MAC address for a phone product at the time of order entry.
Users assigned one of these roles can perform activities assigned to the group during order processing.
Authorized to accept and complete the approval for orders.
Authorized to accept the user activity for assigning the MAC address.
Authorized to accept and complete shipping of orders.
Authorized to accept and complete receiving of orders.
globaladmin and domain admin can create Self-Care roles for any user. Self-Care role can be assigned to a user from the Manage Users page in the standalone Prime Collaboration Provisioning only. For more information, see "Creating a Self-Care Account" in the Cisco Prime Collaboration 10.0 Provisioning Guide.
In the converged mode, you cannot import a user associated with a Self-Care role into the Prime Collaboration Assurance application.
You can add a user and assign the predefined static role. The user will have access to the Prime Collaboration web client only.
If you are logging in for the first time to the Prime Collaboration Assurance, log in as globaladmin.
You, as globaladmin, must create other administrators using real user IDs.
You must not create a user named globaladmin, pmadmin, or admin.
To add a user:
Choose Administration > User Management.
On the User Management page, click Add.
In the Add User window, enter the required user details.
Select the role.
Users created through the Add User feature are associated with the web client only and cannot log in to the Prime Collaboration Assurance server through the CLI.
To edit user details, select a user at Administration > User Management and make the necessary changes.
As part of your regular system administration tasks, you sometimes must delete users from the Prime Collaboration database. However, you cannot delete the Prime Collaboration web client default administrator globaladmin.
To delete a user, select the user from Administration > User Management and click Delete. Any jobs scheduled under the deleted user's name continue to run until they are canceled.
Configuring an LDAP Server
You can configure Prime Collaboration to connect to a Lightweight Directory Access Protocol (LDAP) server, to access user information stored in the LDAP server. In converged mode, the LDAP server specified in Prime Collaboration Assurance is used for authentication only; authorization and role-based access control (RBAC) functions are performed by Prime Collaboration.
You must create an LDAP user from the User Management page to enable the user to log in using LDAP credentials. To add a user, see Adding a user and to edit or delete a user, see Modifying User Roles.
Prime Collaboration supports one primary LDAP server and one backup LDAP server.
In the LDAP Settings page, enter values for all the fields. See Table 4 for the field descriptions.
If Prime Collaboration must use SSL encryption, check the Use SSL check box and specify port 636.
Click Test Connection to check the connectivity to the LDAP server.
Upon successful connection, click Apply Settings and restart the Prime Collaboration Assurance server to log in using LDAP.
To restart Prime Collaboration Assurance Server, log in as admin user and execute the following commands:
application stop cpcm
application start cpcm
The application stop cpcm command takes 10 minutes to complete, and application start cpcm takes 10 to 15 minutes to complete.
LDAP Configuration Parameters
Table 2 LDAP Server Configuration
Server IP address
Enter the LDAP server name or IP address. Optionally, enter the IP address of the backup LDAP server.
Port
Enter the port number on which the server receives LDAP requests:
Non-secure port: 389
Secure SSL port: 636
Optionally, enter the port number of the backup LDAP server. If the LDAP server is configured to use a non-standard port, enter that port here as well.
Admin Distinguished Name
Enter the username of the user who has access rights to the corresponding LDAP directory.
For example, a user, John Doe, with userID = jdoe must enter John Doe.
If admin is a user in Windows domain cisco, just enter admin (username with domain prefix such as cisco\admin will not work).
Password
Enter the password for LDAP server authentication and reconfirm the password.
LDAP User Search Base
Enter the user search base. LDAP server searches for users under this base.
You must enter the CN or OU details when you enter the search base. Just dc=cisco,dc=com will not work; you must also specify the CN or OU part, for example,
If you have configured two different user groups, for example,
OU=Organization, OU=Accounts, DC=aaa, DC=com
OU=Service, OU=Accounts, DC=aaa, DC=com
The search base to be entered is OU=Accounts, DC=aaa, DC=com.
If a user in OU=Organization user group is configured as Admin DN, then all the users in Organization user group can log into Prime Collaboration, but the users in Services user group will not be able to log in. Similarly, if a user in OU=Services user group is configured as Admin DN, then all the users in Services user group can log into Prime Collaboration, but not the users in Organization user group.
If you configure a user in top level as Admin DN, then all the users under that level can log into Prime Collaboration. For example, if a user in OU=Accounts user group is configured as Admin DN, then all the users in Organization and Services user groups can log in to Prime Collaboration.
LDAP authentication fails if the search base contains special characters.
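The search-base and Admin DN scoping rules described above, as an added illustration that is not Prime Collaboration code: it parses the DNs from the example the way an LDAP client would and applies the rule the guide states, that a user can log in only when their entry sits under both the configured search base and the container holding the Admin DN. The user names (jdoe, asmith, bjones) are constructed for the example.

```python
"""Model of the LDAP search-base scoping rules described in the LDAP table.

Added illustration, not Prime Collaboration code. DN handling follows RFC 4514
conventions: attribute types are case-insensitive, whitespace after the comma
separator is ignored, and OU/DC values are compared case-insensitively (the
matching rule Active Directory applies to these attributes).
"""
from typing import List, Tuple

Rdn = Tuple[str, str]


def parse_dn(dn: str) -> List[Rdn]:
    """Split 'OU=Service, OU=Accounts, DC=aaa, DC=com' into normalized
    (type, value) pairs, most specific component first."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below it in the tree,
    i.e. base is a suffix of dn component by component."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def admin_container(admin_dn: str) -> str:
    """Container (parent DN) of the Admin DN; per the guide, users in this
    container and below are the ones able to log in."""
    parent = parse_dn(admin_dn)[1:]
    if not parent:
        raise ValueError("Admin DN has no parent container")
    return ", ".join(f"{attr.upper()}={value}" for attr, value in parent)


def can_log_in(user_dn: str, search_base: str, admin_dn: str) -> bool:
    """A user can log in when found under the search base AND under the
    container that holds the Admin DN (both conditions from the guide)."""
    return is_under(user_dn, search_base) and is_under(
        user_dn, admin_container(admin_dn)
    )
```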
Resetting Prime Collaboration Assurance Passwords
As a super administrator, system administrator or network operator, you can reset the password for other Prime Collaboration users.
You can reset the Prime Collaboration Assurance web client globaladmin password using the following procedure.
To reset the Prime Collaboration Assurance globaladmin password:
Log in as a root user.
Enter the "goemsam" command:
Execute the following:
Enter a new password for the globaladmin and also confirm the new password.
To change your own password, go to Administration > User Management, click Change Password, and make necessary changes.
Single Sign-On for Prime Collaboration
Prime Collaboration allows users with admin privileges to enable Single Sign-On (SSO) in Prime Collaboration Assurance and Prime Collaboration Provisioning using Security Assertion Markup Language (SAML).
You can enable SSO in Prime Collaboration Provisioning to cross-launch the following UC applications:
Cisco Unified Communications Manager
Cisco Unity Connection
Cisco Unified Presence
To cross-launch the UC applications without being prompted for login credentials, ensure that SSO for those applications is configured on the same IdP server as that of Prime Collaboration.
Ensure that the following prerequisites are met before you enable SSO:
Prime Collaboration Provisioning is configured to use Secure Socket Layer (SSL). SSL needs to be enabled before you enable SSO for Provisioning. For the steps to enable SSL in Prime Collaboration Provisioning, see section "Enabling SSL for Prime Collaboration Provisioning" in the Cisco Prime Collaboration 10.0 Provisioning Guide.
By default, SSL is enabled in Prime Collaboration Assurance application.
At least one LDAP Administrative user exists in the system – through LDAP synchronization in Prime Collaboration Provisioning and by manually creating an LDAP administrative user in Prime Collaboration Assurance. For information on how to provide administrative privileges to a user in Prime Collaboration Provisioning, see "Managing Users" in the Cisco Prime Collaboration 10.0 Provisioning Guide.
An Identity Provider (IdP) server that enables you to use SSO to access many other applications from a single hosted application and a Service Provider. The Service Provider is a website that hosts the applications.
Following are the supported third-party IdP servers:
Download the Identity Provider metadata file from the IdP server and save it in your local system.
To enable Single Sign-on:
Choose Administration > Single Sign-On.
Click Enable SSO.
A warning message is displayed stating, Enabling SSO redirects you to the IdP server for authentication from the next login. To access the application, you will need to be authenticated successfully.
Enable SSO is disabled if the above-mentioned prerequisites are not met.
Follow the steps provided in the SSO wizard to enable Single Sign-On.
Locate the IdP metadata file from your local system and click Import IdP Metadata.
Click Download Trust Metadata file.
Launch the IdP server and import the downloaded Trust Metadata file.
This is a manual step in enabling SSO. You need to create a Circle of Trust (CoT) in the IdP server and log out before you proceed with the SSO testing.
To run SSO Test Setup, select a username from the Valid Administrative Usernames drop-down.
Using any other username to log in to the IdP server might lock the administrator account.
Click Run SSO Test to test the connectivity among the IdP server, the Prime Collaboration applications, and Single Sign-On. If the error message "Unable to do Single Sign-On or Federation" is displayed:
Manually log in to the IdP server using the end user credentials and check if the authentication is successful.
Verify if the Trust Metadata file is successfully uploaded in the IdP server.
Verify if the Prime Collaboration server and the IdP server are part of the same Circle of Trust.
In the converged mode, Prime Collaboration uses the Provisioning setup to cross-launch the Cisco Unified CM, Cisco Unity Connection, and Cisco Unified Presence applications.
Troubleshooting and Logs for SSO
When you are logged out of the Prime Collaboration server while enabling SSO, it is recommended that you close the browser and relaunch the Prime Collaboration application: although your session in the Prime Collaboration server expires, the IdP server session might still be active.
You can find the log file (ssosp*.log) for Prime Collaboration Provisioning in the /opt/cupm/sep/logs directory and for Prime Collaboration Assurance in the /opt/emms/tomcat/webapps/emsam/log/sso directory.
While enabling SSO, ensure that the hostname for Prime Collaboration is set and is part of DNS.
When IdP server is down, you can:
Use the recovery URL: https://<PC server IP address or hostname that is part of DNS>/ssosp/local/login.
Disable Single Sign-On from the CMD utility.
To disable SSO from the CMD utility in Prime Collaboration applications:
Log in to the Prime Collaboration Provisioning server using SSH on port 22 (port 26 for Prime Collaboration Assurance).
Navigate to the /opt/cupm/sep/build/bin directory for Prime Collaboration Provisioning or the /opt/emms/emsam/bin directory for Prime Collaboration Assurance. Run the cpcmconfigsso.sh script with the <Operation> and <Value> arguments listed in the table below:
Operation
1 - Get the Single Sign-On status
2 - Get the recovery URL status
3 - Set the Single Sign-On status (you cannot enable SSO through the CLI; use the UI procedure to enable SSO)
4 - Set the recovery URL status
Value
True or False
To disable SSO, run the following command:
cpcmconfigsso.sh 3 false
By default, the recovery URL is enabled. If you want to disable it for security reasons, set it to false.