Cisco Prime Collaboration Provisioning Guide - Standard and Advanced, 10.0
Setting Up the Server

Managing Licenses

To use Provisioning, you must have the Provisioning Image license and one or more scale licenses. The image license must be present or the product will remain in the evaluation mode. Scale licenses add to the number of phones you can provision.

The License Status Information page (go to Administration > System Configuration > License Management, click the Provisioning License Status Icon on the right) displays Feature name, Available count, Used count and Expiry.

In Prime Collaboration Provisioning Standard, the delegation, workflow, template, and nbi features are listed under unavailable features. When you purchase a license for Prime Collaboration Provisioning Advanced, these features will appear in the valid features list.


Note


If you have a distributed installation, when the network connection between the two servers is lost and then reestablished or when only the Provisioning database (the PostgreSQL database) server is restarted, you will not be able to log into the Provisioning server, and sometimes a license error appears on the Licensing Status Information page. The error message states that all features are unavailable. When this occurs, restart the Provisioning services.


  • You can purchase Provisioning image license and one or more scale licenses to cover the number of phone MAC addresses to be managed. Scale licenses are additive, up to 150,000 per one Provisioning instance. The image license must be present or the product will remain in evaluation mode.
  • The optional Provisioning NBI requires the purchase of a separate license (Provisioning API license). Provisioning checks for the presence of the license before enabling the Provisioning NBI.
  • The Application Programmable Interface (API) for Provisioning is called the Cisco Prime Collaboration Provisioning Northbound Interface (Provisioning NBI). It is a set of web service, SOAP-based requests covering the majority of Provisioning’s provisioning functionality. For detailed information about the Provisioning NBI, see Cisco Prime Collaboration Provisioning Northbound Interface Guide.

    Note


    To use the Provisioning NBI, you must purchase an additional feature license. Purchasing a base (phone limit) Provisioning license does not enable you to use the Provisioning NBI.


Licensing Process

The following process applies to new installations (and upgrades), scale licenses, and the Provisioning API license.

  1. Obtain a Product Authorization Key (PAK)—The PAK is used to register Provisioning on Cisco.com, and it contains resource limitations. For each incremental license that you purchase, you will receive a PAK, and you must use that PAK to obtain a license file.
  2. Obtain a license file—A license file is sent to you after you register the PAK on Cisco.com.
  3. Copy the license file to the server where Provisioning is to be installed. If Provisioning is already installed and you are upgrading your license file, you must register the license file with Provisioning.

Adding a License File to Prime Collaboration Provisioning

To add a license file to Prime Collaboration Provisioning standalone or converged application:

Procedure
    Step 1   Go to License Management page.
    • In the converged mode, choose Administration > License Management.
    • In the standalone Prime Collaboration Provisioning application, choose Administration > System Configuration > License Management.
    Step 2   In the License Management page, click Add.
    Note    If you are updating from the Cisco Prime Collaboration Provisioning Standard mode to the Cisco Prime Collaboration Provisioning Advanced licensed mode, you must add the new license files and later delete all the old license files (see Upload Time column) listed in the License Management page using the Delete option.
    Step 3   In the Add License File window, upload the license file and click OK.

    The newly added license file information appears in the License Status pane. If you purchased more than one license, repeat Step 2 and Step 3 to install each additional license.

    To delete a license file, in the License Management page, select the license file and then click Delete.


    Switching Between the Standard and Advanced modes in Prime Collaboration

    Prime Collaboration provides you the facility to switch from the Standard mode to the Advanced mode in both Prime Collaboration Assurance and Prime Collaboration Provisioning.

    The following lists capture the different scenarios of switching for each installation:

    Prime Collaboration Assurance
    • Standard to Advanced Evaluation: Yes. (Click the Upgrade icon at the top right corner of the User Interface and click Start Evaluation.)
    • Standard to Advanced (Purchase license): Yes. (Click the Upgrade icon at the top right corner of the User Interface and click Add Licenses. In the License Management page, click Add and upload the license file for the advanced mode.)
    • Advanced Evaluation to Advanced (Purchase license): Yes. (Click the Upgrade icon at the top right corner of the User Interface and click Add licenses. In the License Management page, click Add and upload the license file for the advanced mode.)
    • Advanced Evaluation to Standard: Yes. After the evaluation expiry, you are prompted with a message to either downgrade to the standard mode or to purchase a license file for advanced mode. If you choose to downgrade, the Cluster for Standard Mode dialog box pops up. Select a cluster from the Unified Communications Manager drop-down, device type from the Cisco Unity Connection drop-down and click Select.

    Prime Collaboration Provisioning
    • Standard to Advanced Evaluation: Not Applicable
    • Standard to Advanced (Purchase license): Yes. (Click the Upgrade icon at the top right corner of the User Interface and click Add Licenses. In the License Management page, click Add and upload the license file for the advanced mode.)
    • Advanced Evaluation to Advanced (Purchase license): Yes. (Click the Upgrade icon at the top right corner of the User Interface and click Add licenses. In the License Management page, click Add and upload the license file for the advanced mode.)
    • Advanced Evaluation to Standard: Not Applicable

    In the converged mode, you have the provision to switch over from the standard to advanced mode. You can either upgrade:
    • One application only - You can switch from the standard to advanced mode in Prime Collaboration Assurance only and continue to access the Prime Collaboration Provisioning in the same (installed) mode.
    • Both the applications - You can switch from the standard or advanced evaluation mode to the advanced (purchase licensed) in both Prime Collaboration Assurance and Prime Collaboration Provisioning.

    Cross-launch from Prime Collaboration Provisioning

    With Prime Collaboration 10.0, you can access the Cisco Unified Communication functionality through Prime Collaboration Provisioning, using the cross-launch feature of Prime Collaboration Provisioning. Any user with admin privilege can cross-launch from Prime Collaboration Provisioning to use Cisco Unified Communication products. The main intent of providing cross-launch is to enable a smooth, continuous workflow if an admin in Prime Collaboration Provisioning wants to modify/update a user configuration on the product UI of the configured devices such as CUCM, Unity Connection, or IM and Presence Services.

    As an admin user, you can use cross-launch for the following purposes, from Prime Collaboration Provisioning:

    Note


    • Cross launching is available for users with admin privileges only and is supported for CUCM, Unity Connection and Presence Services from 10.0 version onwards. If you add older version (earlier than 10.0) of these devices in Prime Collaboration Provisioning, you will view native launch links only, as an admin. However, Presence Services, with versions earlier than 10.0, are not listed in the Infrastructure Configuration view as native links were not supported in earlier versions of Prime Collaboration.
    • Enabling Single Sign-On (SSO) for Cross-launch is not mandatory. If you have not enabled SSO for cross-launch, you must specify the login credentials when you cross launch a processor (CUCM, Unity Connection, or Presence Services) for the first time by continuing when you are prompted to add the website in the trusted security certificate list. However, you need not login on successive attempts to cross launch the processor as long as the session is in progress and running. To enable SSO, see Single Sign-On for Prime Collaboration.
    • Depending on browser settings, the cross-launch may open in new browser tab or a new window. Refer to the browser compatibility in the product documentation of the specific application (for example, CUCM, Unity Connection, and such).

    Integrating Prime Collaboration Servers

    You can leverage capabilities of both Prime Collaboration Assurance and Prime Collaboration Provisioning systems if you choose to integrate Prime Collaboration Assurance and Prime Collaboration Provisioning applications in order to monitor voice endpoints, video endpoints, and provision the Unified Communications Systems.

    Attaching Prime Collaboration Provisioning

    To integrate the servers:

    Before You Begin

    Before you integrate the Prime Collaboration servers:

    By default, the Prime Collaboration Assurance server works in the secured mode (HTTPS) whereas the Prime Collaboration Provisioning server works in the non-secure (HTTP) mode. You must configure the Prime Collaboration Provisioning server in the HTTPS mode to avoid the mixed content issue. For details on how to enable SSL, see the Setting up the server section in the Cisco Prime Collaboration 10.0 Provisioning User Guide.

    Procedure
      Step 1   Go to Administration > System Setup > Assurance Setup > Cisco Prime 360 Integration
      Step 2   Under Prime Collaboration Provisioning Server Setup, specify the IP address of the Prime Collaboration Provisioning application server that you want to attach to.
      Step 3   Choose the protocol and enter the port details.

      We recommend that you use HTTPS.

      The port used for Prime Collaboration Assurance and Provisioning servers over HTTP is 80; for Prime Collaboration Assurance over HTTPS is 443 and for Prime Collaboration Provisioning it is 46443.

      See Required Ports for Prime Collaboration for details on the ports used for data transfer.

      Step 4   Test the connectivity of the Prime Collaboration Provisioning server.
      Step 5   Click Attach. After you attach the Prime Collaboration Provisioning application to Prime Collaboration Assurance, you must refresh the UI to view the Design and Deploy tabs on the UI.
      Step 6   Click Test Provisioning Certificate on the Getting Started page to test the SSL certificate for Prime Collaboration Provisioning server, if you have selected the HTTPS protocol.

      If you have selected HTTP protocol, mixed content is displayed on the browser:

      On Windows Internet Explorer:

      When you launch the converged application, the following message appears "Do you want to view only the web page content that was delivered securely".

      If you select "No", from the pop-up dialog box, the appropriate data is displayed on all of the Prime Collaboration Provisioning pages.

      If you select "Yes" from the pop-up dialog box, data is not displayed on all of the Prime Collaboration Provisioning pages. However, with Microsoft IE 9.0 and 10.0, the security warning is not displayed and the appropriate data is displayed on all of the Prime Collaboration Provisioning pages.

      On Mozilla Firefox:

      For the mixed contents to be displayed on the server, click the Shield icon in the address bar and select Disable Protection on This Page from the Keep Blocking drop-down.

      After Integration:

      • The Prime Collaboration Provisioning UI is converged with Prime Collaboration Assurance, and the Provisioning IP address is redirected to Prime Collaboration Assurance application even though you log in to Prime Collaboration Provisioning application.
      • After you detach Prime Collaboration Provisioning from Prime Collaboration Assurance, the user roles that were applicable for Prime Collaboration Provisioning and Prime Collaboration Assurance in the converged mode also apply for the standalone applications.
      • If you want to restart or shut down the Prime Collaboration Provisioning application, ensure you detach it from Prime Collaboration Assurance. You can then converge it after the restart process.

      Single Sign-On for Prime Collaboration

      Prime Collaboration allows users with admin privileges to enable Single Sign-On (SSO) in Prime Collaboration Assurance and Prime Collaboration Provisioning using Security Assertion Markup Language (SAML).

      You can enable SSO in Prime Collaboration Provisioning to cross-launch the following UC applications:
      • Cisco Unified Communications Manager
      • Cisco Unity Connection
      • Cisco Unified Presence

      Note


      To cross-launch the UC applications without the need for login credentials, ensure that SSO for those applications is configured on the same IdP server as that of Prime Collaboration.

      Ensure that the following prerequisites are met before you enable SSO:

      • Prime Collaboration Provisioning is configured to use Secure Socket Layer (SSL). SSL needs to be enabled before you enable SSO for Provisioning. For the steps to enable SSL in Prime Collaboration Provisioning, see section "Enabling SSL for Prime Collaboration Provisioning" in the Cisco Prime Collaboration 10.0 Provisioning Guide.

        Note


        By default, SSL is enabled in Prime Collaboration Assurance application.
      • At least one LDAP Administrative user exists in the system – through LDAP synchronization in Prime Collaboration Provisioning and by manually creating an LDAP administrative user in Prime Collaboration Assurance. For information on how to provide administrative privileges to a user in Prime Collaboration Provisioning, see "Managing Users" in the Cisco Prime Collaboration Provisioning Guide, 10.0 .
      • An Identity Provider (IdP) server that enables you to use SSO to access many other applications from a single hosted application and a Service Provider. The Service Provider is a website that hosts the applications.
        Following are the supported third-party IdP servers:
        • Open Access Manager (OpenAM)
        • Ping Identity
        • Active Directory Federation Services (ADFS)
        • Oracle Identity Manager
        For the steps to setup an IdP server, see the SAML SSO Deployment Guide for Cisco Unified Communication Applications, Release 10.0(1).
      • Download the Identity Provider metadata file from the IdP server and save it in your local system.

      To enable Single Sign-on:

      Procedure
        Step 1   Choose Administration -> Single Sign-on.
        Step 2   Click Enable SSO.

        A warning message is displayed stating, Enabling SSO redirects you to the IdP server for authentication from the next login. To access the application, you will need to be authenticated successfully.

        Note    Enable SSO is disabled if the above mentioned prerequisites are not met.
        Step 3   Click Continue.
        Step 4   Follow the steps provided in the SSO wizard to enable Single Sign-On.
        1. Locate the IdP metadata file from your local system and click Import IdP Metadata.
        2. Click Download Trust Metadata file.
        3. Launch the IdP server and import the downloaded Trust Metadata file.
          Note    This is a manual step for Enabling SSO. You need to create a Circle of Trust (CoT) in the IdP server and log out before you proceed with the SSO testing.
        4. To run SSO Test Setup, select a username from the Valid Administrative Usernames drop-down.
          Note    Using any other username to log in to the IdP server might lock the administrator account.
        5. Click Run SSO Test to test the connectivity among the IdP server, Prime Collaboration Applications, and Single Sign-On. If you are prompted with an error message, Unable to do Single Sign-On or Federation:
          • Manually log in to the IdP server using the end user credentials and check if the authentication is successful.
          • Verify if the Trust Metadata file is successfully uploaded in the IdP server.
          • Verify if the Prime Collaboration server and the IdP server are part of the same Circle of Trust.
        6. Click Finish.
        In the converged mode, Prime Collaboration uses the Provisioning setup to cross launch the Cisco Unified CM, Cisco Unity Connection and Cisco Unified Presence applications.

        Troubleshooting and Logs for SSO

        • When you are logged out of the Prime Collaboration server while enabling SSO, it is recommended that you close the browser and re-launch the Prime Collaboration application, because the IdP server session might still be active even though your session in the Prime Collaboration server has expired.
        • You can find the log file (ssosp*.log) for Prime Collaboration Provisioning in the /opt/cupm/sep/logs directory and for Prime Collaboration Assurance in the /opt/emms/tomcat/webapps/emsam/log/sso directory.
        • While enabling SSO, ensure that the hostname for Prime Collaboration is set and is part of DNS.
        When IdP server is down, you can:
        • Use the recovery URL- https://<PCserver IP address or host name that is part of DNS>/ssosp/local/login.
        • Disable Single Sign-On from CMD Utility.
        To disable SSO from CMD utility in Prime Collaboration applications:
        • Log in to Prime Collaboration Provisioning server using SSH with port 22, for Prime Collaboration Assurance it is 26.
        • Navigate to the /opt/cupm/sep/build/bin directory for Prime Collaboration Provisioning and /opt/emms/emsam/bin directory for Prime Collaboration Assurance. Add <Operation> and <Value> entries for cpcmconfigsso.sh file based on the table below:
        Operations can be ..                      Values can be ..
        1 - To get the Single Sign-On status      Not applicable
        2 - To get the recovery URL status        Not applicable
        3 - To set the Single Sign-On status      False
        Note    You cannot enable SSO through CLI. Use the UI procedure to enable SSO.
        4 - To set the recovery URL status        True or False
        • To disable SSO, run the following command:

        cpcmconfigsso.sh 3 false


        Note


        By default, the recovery URL is enabled. If you want to disable it for security reasons, set it as false.

        Enabling SSL for Prime Collaboration Provisioning

        Ensure that you detach Prime Collaboration Provisioning from Prime Collaboration Assurance before you enable OpenSSL.


        Note


        • It is not mandatory to enable SSL on Prime Collaboration Provisioning although SSL is enabled by default in Prime Collaboration Assurance.
        • If you have integrated Prime Collaboration Assurance and Prime Collaboration Provisioning, after you enable SSL on the Prime Collaboration Provisioning, you must re-attach Prime Collaboration Provisioning and the Prime Collaboration Assurance with the port number specified during the SSL configuration. By default OpenSSL is enabled with 443 as port number, however, this is configurable.

        Procedure
          Step 1   Download OpenSSL1.0.1g-PC10-Linux.zip from Cisco.com. Log in as root user on the Provisioning server and copy the zip file to /opt/cupm folder. Unzip the zip file using the following command:
          unzip OpenSSL1.0.1g-PC10-Linux.zip
          This will in turn create OpenSSL1.0.1g-PC10-Linux folder under /opt/cupm.
          Step 2   Create a backup directory in /opt/cupm by using the following command:
           mkdir <backup_directory_name>
          Navigate to /opt/cupm/httpd. Run the following commands to backup bin, lib, modules, and ssl folders (available under /opt/cupm/httpd):
          cp -R ssl/ /opt/cupm/<backup_directory_name>/ssl
          cp -R bin/ /opt/cupm/<backup_directory_name>/bin
          cp -R lib/ /opt/cupm/<backup_directory_name>/lib
          cp -R modules/ /opt/cupm/<backup_directory_name>/modules
          
          Step 3   Navigate to /opt/cupm/OpenSSL1.0.1g-PC10-Linux. Copy the bin, lib, modules, and ssl folders from /opt/cupm/OpenSSL1.0.1g-PC10-Linux folder to /opt/cupm/httpd folder by using the following commands:
          unalias cp 
          cp -R ssl/* /opt/cupm/httpd/ssl/
          cp -R bin/* /opt/cupm/httpd/bin/
          cp -R lib/* /opt/cupm/httpd/lib/
          cp -R modules/* /opt/cupm/httpd/modules/
          
          Note   

          While copying the files, if you are prompted to overwrite existing files, choose Yes to All. Ensure that you have chosen Autoselect format when copying files through SSH file transfer.

          Step 4   Create links from the new lib files (to the Operating System library files) as follows:
          ln -s /opt/cupm/httpd/lib/libssl.so.1.0.0 /lib64
          ln -s /opt/cupm/httpd/lib/libcrypto.so.1.0.0 /lib64
          Step 5   Navigate to the /opt/cupm/httpd/bin directory and run the following command for access permissions:
          chmod 777 openssl
          Step 6   Run the following command to create a key:
          ./openssl genrsa -out /opt/cupm/httpd/mycorp.com.key 1024
          Step 7   Run the following command to create an SSL certificate:
          ./openssl req -new -key /opt/cupm/httpd/mycorp.com.key -x509 -out /opt/cupm/httpd/mycorpcom.crt -days 365

          where mycorpcom.crt is the certificate name and mycorp.com.key is the key name.

          The key and certificate files will now be created in the /opt/cupm/httpd folder.

          Sample output:
          • Country Name (2 letter code) [AU]:US
          • State or Province Name (full name) [Some-State]:CA
          • Locality Name (eg, city)[ ]:CA
          • Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycorp, LLC
          • Organizational Unit Name (eg, section)[ ]:Sales
          • Common Name (eg, YOUR name)[ ]:
          • Email Address [ ]:you@mycorp.com
          Step 8   Update the following lines in the /opt/cupm/httpd/conf/ssl.conf file to map the certificate with the key file:

          – Replace SSLCertificateFile conf/server.crt with SSLCertificateFile /opt/cupm/httpd/mycorpcom.crt

          – Replace SSLCertificateKeyFile conf/server.key with SSLCertificateKeyFile /opt/cupm/httpd/mycorp.com.key

          Step 9   Configure the Apache Server (see Configuring the Apache Server).

          Configuring the Apache Server

          Procedure
            Step 1   In the Prime Collaboration Provisioning system, log in as root user and make a backup of the httpd.conf file located at /opt/cupm/httpd/conf.
            Step 2   In the httpd.conf file, using vi editor, update the following line:

            #Include conf/extra/httpd-ssl.conf

            as

            Include conf/ssl.conf

            Step 3   Restart the Apache server using the following commands:

            /opt/cupm/httpd/bin# ./apachectl -k stop

            /opt/cupm/httpd/bin# ./apachectl -k start -DSSL



            Note


            • To enable https by default when you start the Prime Collaboration Provisioning application, log in as root user and modify the following lines in the /opt/cupm/cupm-full-service.sh and /opt/cupm/cupm-app-service.sh files. You can then restart the Prime Collaboration Provisioning services.
              Change $PM_BASE/httpd/bin/apachectl -k start & to $PM_BASE/httpd/bin/apachectl -k start -DSSL &
              Change $PM_BASE/httpd/bin/apachectl -k stop & to $PM_BASE/httpd/bin/apachectl -k stop -DSSL &
            • You can check if the ports 80 or 443 are enabled (listening), using the following commands from the SSH console:
              #lsof -i :443
              #lsof -i :80
            • We recommend that you configure port 443 in the ssl.conf file. Change Listen 443 to the required port.
            • If you want to exclusively run HTTPS, you must disable HTTP by commenting out “Listen 80” in the /opt/cupm/httpd/conf/httpd.conf file, and then restart the Apache server.

            Changing the SSL Port

            To change the port used for SSL by Prime Collaboration Provisioning:

            Procedure
              Step 1   In the Prime Collaboration Provisioning system, open the ssl.conf file (located at /opt/cupm/httpd/conf).
              Step 2   Change the port number in the following lines:

              Listen 443

              VirtualHost _default_:443

              Note   

              After you change the port number, you must enter the new port number when you access Prime Collaboration

              Step 3   Save the changes and close the file.
              Step 4   Restart the Apache server.
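
A read-only audit of the state the Enabling SSL, Configuring the Apache Server and Changing the SSL Port procedures leave behind, as an added example that is not part of the Cisco guide. The function name audit_httpd, the FINDING: output format, the 2048-bit floor for the key check and the sample tree are assumptions of this example; on a Provisioning server the argument would be /opt/cupm/httpd.

```shell
#!/bin/sh
# Added example: audit an Apache tree laid out like /opt/cupm/httpd.
# Prints one line per finding; exit status is 1 if anything was found.

note() { echo "FINDING: $*"; findings=$((findings + 1)); }

# First active (uncommented) value of a directive in a config file.
directive() { awk -v d="$1" '$1 == d { print $2; exit }' "$2"; }

# Resolve a path from the config against the server root if it is relative.
resolve() { case "$2" in /*) echo "$2" ;; *) echo "$1/$2" ;; esac; }

audit_httpd() (   # subshell body keeps variables local; usage: audit_httpd <server_root>
    root=$1; httpd=$root/conf/httpd.conf; ssl=$root/conf/ssl.conf; findings=0
    [ -f "$httpd" ] && [ -f "$ssl" ] || { echo "missing httpd.conf or ssl.conf" >&2; exit 2; }

    # Configuring the Apache Server, Step 2: ssl.conf must be included.
    awk '$1 == "Include" && $2 == "conf/ssl.conf" { ok = 1 } END { exit !ok }' "$httpd" ||
        note "httpd.conf has no active 'Include conf/ssl.conf'"

    # Running HTTPS exclusively requires 'Listen 80' to be commented out.
    if awk '$1 == "Listen" && $2 ~ /(^|:)80$/ { on = 1 } END { exit !on }' "$httpd"; then
        note "httpd.conf still has an active 'Listen 80' (plain HTTP is served)"
    fi

    # Changing the SSL Port: Listen and VirtualHost must name the same port.
    listen=$(directive Listen "$ssl"); listen=${listen##*:}
    vhost=$(sed -n 's/^[[:space:]]*<VirtualHost[[:space:]][^>]*:\([0-9][0-9]*\)>.*/\1/p' "$ssl" | sed -n 1p)
    [ "$listen" = "$vhost" ] || note "ssl.conf listens on '$listen' but VirtualHost is on '$vhost'"

    # Enabling SSL, Step 8: certificate and key must no longer be the defaults.
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        v=$(directive "$d" "$ssl")
        case "$v" in
            "") note "ssl.conf has no active $d" ;;
            conf/server.crt|conf/server.key) note "$d still points at the default $v" ;;
        esac
    done

    # The private key should be readable by its owner only.
    key=$(resolve "$root" "$(directive SSLCertificateKeyFile "$ssl")")
    if [ -f "$key" ]; then
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
            note "private key $key is readable by group or others"
        fi
        # Key length, checked only if an openssl binary is on PATH.
        # The 2048-bit floor is this example's assumption, not the guide's.
        if command -v openssl >/dev/null 2>&1; then
            bits=$(openssl rsa -in "$key" -passin pass: -noout -text 2>/dev/null |
                   sed -n '1s/.*(\([0-9]*\) bit.*/\1/p')
            if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
                note "private key is RSA $bits bits (Step 6 generates 1024)"
            fi
        fi
    else
        note "private key file $key not found"
    fi

    # Step 5 runs 'chmod 777 openssl', which leaves the binary world-writable.
    if [ -n "$(find "$root/bin/openssl" -perm -002 -print 2>/dev/null)" ]; then
        note "$root/bin/openssl is world-writable"
    fi

    [ "$findings" -eq 0 ]
)

# Constructed sample tree (not from a real server): SSL is included, HTTP is
# left on, and the Listen port was changed without updating VirtualHost.
demo=$(mktemp -d)
mkdir -p "$demo/conf"
printf '%s\n' 'Listen 80' 'Include conf/ssl.conf' > "$demo/conf/httpd.conf"
printf '%s\n' 'Listen 46443' '<VirtualHost _default_:443>' \
    "SSLCertificateFile $demo/mycorpcom.crt" \
    "SSLCertificateKeyFile $demo/mycorp.com.key" '</VirtualHost>' > "$demo/conf/ssl.conf"
: > "$demo/mycorp.com.key"; chmod 644 "$demo/mycorp.com.key"
audit_httpd "$demo" || true
rm -rf "$demo"
```

The script only reads files, so it can be run before and after the Apache restart to confirm that the edits took effect.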

              Updating OpenSSL for Prime Collaboration Provisioning

              You can download the latest OpenSSL, which includes fixes for vulnerabilities, from Cisco.com.

              If you have integrated Prime Collaboration Assurance and Prime Collaboration Provisioning, ensure that you detach Prime Collaboration Provisioning from Prime Collaboration Assurance before you upgrade OpenSSL.

              Procedure
                Step 1   Download OpenSSL1.0.1g-PC10-Linux.zip from Cisco.com. Log in as root user on the Provisioning server and copy the zip file to /opt/cupm folder. Unzip the zip file using the following command:
                unzip OpenSSL1.0.1g-PC10-Linux.zip
                This will in turn create OpenSSL1.0.1g-PC10-Linux folder under /opt/cupm.
                Step 2   Create a backup directory in /opt/cupm by using the following command:
                 mkdir <backup_directory_name>
                Navigate to /opt/cupm/httpd. Run the following commands to backup bin, lib, modules, and ssl folders (available under /opt/cupm/httpd):
                cp -R ssl/ /opt/cupm/<backup_directory_name>/ssl
                cp -R bin/ /opt/cupm/<backup_directory_name>/bin
                cp -R lib/ /opt/cupm/<backup_directory_name>/lib
                cp -R modules/ /opt/cupm/<backup_directory_name>/modules
                
                Step 3   Navigate to /opt/cupm/OpenSSL1.0.1g-PC10-Linux. Copy the bin, lib, modules, and ssl folders from /opt/cupm/OpenSSL1.0.1g-PC10-Linux folder to /opt/cupm/httpd folder by using the following commands:
                unalias cp 
                cp -R ssl/* /opt/cupm/httpd/ssl/
                cp -R bin/* /opt/cupm/httpd/bin/
                cp -R lib/* /opt/cupm/httpd/lib/
                cp -R modules/* /opt/cupm/httpd/modules/
                
                Note   

                While copying the files, if you are prompted to overwrite existing files, choose Yes to All. Ensure that you have chosen Autoselect format when copying files through SSH file transfer.

                Step 4   Create links from the new lib files (to the Operating System library files) as follows:
                ln -s /opt/cupm/httpd/lib/libssl.so.1.0.0 /lib64 
                ln -s /opt/cupm/httpd/lib/libcrypto.so.1.0.0 /lib64 
                
                Step 5   Navigate to the /opt/cupm/httpd/bin directory and run the following command for access permissions:
                chmod 777 openssl
                Step 6   Run the following command to create a key:
                ./openssl genrsa -out /opt/cupm/httpd/<yourkey.key> 1024
                Step 7   Run the following command to create an SSL certificate:
                ./openssl req -new -key /opt/cupm/httpd/<yourkey.key> -x509 -out /opt/cupm/httpd/<yourcert.crt> -days 365

                where yourcert.crt is the certificate name and yourkey.key is the key name.

                Sample output:
                • Country Name (2 letter code) [AU]:US
                • State or Province Name (full name) [Some-State]:CA
                • Locality Name (eg, city)[ ]:CA
                • Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycorp, LLC
                • Organizational Unit Name (eg, section)[ ]:Sales
                • Common Name (eg, YOUR name)[ ]:
                • Email Address [ ]:you@mycorp.com
                Step 8   Update the following lines in the /opt/cupm/httpd/conf/ssl.conf file to map the certificate with the key file:

                – Replace SSLCertificateFile /opt/cupm/httpd/mycorpcom.crt with SSLCertificateFile /opt/cupm/httpd/yourcert.crt

                – Replace SSLCertificateKeyFile /opt/cupm/httpd/mycorp.com.key with SSLCertificateKeyFile /opt/cupm/httpd/yourkey.key

                Note   

                If there are any old certificates in /opt/cupm/httpd, you must remove them.

                Step 9   Restart the Apache server using the following commands:

                /opt/cupm/httpd/bin# ./apachectl -k stop

                /opt/cupm/httpd/bin# ./apachectl -k start -DSSL


                Configuring Provisioning to Use LDAP and ACS Servers

                You can configure Prime Collaboration Provisioning to use ACS or LDAP servers for authentication. An ACS server is used for authentication only; an LDAP server, however, can be used to read, write and synchronize.


                Note


                • If you are adding an ACS server, you must add the Provisioning server as an ACS client (with TACACS).
                • To enable SSL for LDAP Server, see Enabling SSL Support for LDAP Server.
                • Before deleting an ACS or LDAP server, make sure it is not assigned to a Domain. ACS/LDAP servers are enabled on a per Domain basis. After adding an ACS/LDAP server, you must assign it to a Domain. All the users then, in a Domain, will be authenticated against that ACS/LDAP server. If an ACS/LDAP server is not associated to a Domain, all the users of that Domain are authenticated locally. globaladmin is always authenticated locally.

                When configuring Provisioning to use Cisco Secure Access Control Server, be aware of the following:
                • When you click the Test Connection button, only the connectivity of the IP address is checked.
                • The Shared Secret Key is used only for authentication.
                • If you entered an incorrect Shared Secret Key, when you try to log into Provisioning, you will get an incorrect secret key error. Use the SSK that is generated while configuring ACS.
                • Provisioning supports only Access Control Server (ACS) 4.2.

                Enabling SSL Support for LDAP Server


                Note


                SSL is supported only for LDAP servers.


                To enable SSL, you must import the SSL certificate for the LDAP server into Provisioning. Provisioning provides a command line script to import the SSL certificate.

                Procedure
                  Step 1   Log into the server using SSH.
                  Step 2   Go to /opt/cupm/sep/build/bin directory.
                  Note   

                  If you accepted the default location during installation, the installation directory is /opt/cupm.

                  Step 3   At the command prompt, run the following command:
                  ./ImportSSLCertificate.sh <operation> <alias> [path]
                  
                  

                  Following are descriptions for the fields:

                  • operation—The action that the command is performing. You can enter either import or delete.
                  • alias—The string under which the certificate will be stored in the Provisioning key store.
                  • path—The path where the certificate is stored (for example, /opt/cupm/servercert.cer). This is required only if you are importing a certificate.
                  Step 4   Restart Provisioning.
                  Step 5   Go to the LDAP Server Configuration page and check the Use SSL check box.
                  Note   

                  To delete an SSL certificate in Provisioning, run the same script, making sure to enter delete for the operation.


                  Configuring Prime Collaboration Provisioning Server Time Zone

                  To change the time zone setting in a converged server, you must detach Provisioning from Assurance, and change the time zone settings.

                  You can provide Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT), updated with leap seconds.

                  To change the time zone in the Provisioning server:

                  Procedure
                    Step 1   Log into the Prime Collaboration Provisioning server with the account that you have created during installation. By default, it is the admin account.
                    Step 2   Enter the following command to see the list of supported time zones:
                    cm/admin# show timezones
                    Step 3   Enter the following commands to set the time zone for the Prime Collaboration Provisioning server:
                    cm/admin# config t
                    cm/admin(config)# clock timezone US/Pacific
                    cm/admin(config)# exit
                    Step 4   Enter the following command to copy running-configuration to startup-configuration:
                    cm/admin# write memory
                    Step 5   Log in to Prime Collaboration Provisioning using the root account.
                    Step 6   Navigate to /opt/cupm/sep.
                    Step 7   Update the following property in the dfc.properties file to update the offset:
                    dfc.gui.utc_offset=<applicable offset for your geographic location>
                    For example, if you are in IST time zone, you would enter: dfc.gui.utc_offset=+0530
                    Step 8   Restart the services:
                    /etc/init.d/pmservers stop
                    /etc/init.d/pmservers start 
                    Note    After attaching the Provisioning server to Assurance, the Assurance time zone settings are displayed in the converged server. However, the Provisioning dashboards will display Provisioning time zone only.

                    In the Provisioning standalone server, you can also change the time zone by selecting the Time Zone icon from the top right corner of the Provisioning home page. In the Time Zone Settings (UTC Offset) page, enter the New UTC offset and Location details and click Apply.


                    Note


                    The changes that you make to the time zone via the UI last only until you log out of the application. When you log back in, only the server time zone is displayed in the UI.