Cisco Physical Access Manager User Guide, Release 1.4.1
Configuring and Monitoring the Cisco PAM Server

This chapter describes how to configure the Cisco PAM server software, including optional feature licenses and high availability. This chapter also describes the additional server monitoring and configuration features of the Cisco PAM Server Administration utility.

When you log on to the appliance for the first time, a set of initial setup screens appear. Enter the settings and other information as described in this chapter.

After the initial setup is complete, the main administration utility windows are displayed, allowing you to install the Cisco PAM desktop client software and additional feature licenses. A variety of other configuration and monitoring tasks can also be performed.

Contents

Overview

About the Cisco PAM Server Administration Utility

Logging on to the Cisco PAM Server Administration Utility

Using Redundant Appliances for High Availability

Understanding IP Addresses on the Cisco PAM Server

Entering the Initial Server Configuration

Configuring Cisco PAM on Virtual Machine (VM)

Using the Web Admin Menus, Commands and Options

Menus and Options in the Cisco PAM Server Administration Utility

Archiving Historical Events

Installing and Revising Language Packs

Changing or Recovering the Server Password

Obtaining and Installing Optional Feature Licenses

Displaying the Cisco PAM Appliance Serial Number

Performing a Graceful Failover with Redundant Appliances

Troubleshooting and Monitoring

Next Steps

Overview

This chapter provides background information to use the Cisco PAM Server Administration utility to perform the initial setup of your Cisco PAM appliance.

Refer to the following topics:

About the Cisco PAM Server Administration Utility

Logging on to the Cisco PAM Server Administration Utility

Using Redundant Appliances for High Availability

Understanding IP Addresses on the Cisco PAM Server

About the Cisco PAM Server Administration Utility

The Cisco PAM Server Administration utility is a web-based tool used to enter server settings for the Cisco PAM appliance, including network addresses, feature licenses, and high availability settings. The utility also performs a variety of maintenance and monitoring tasks, including backup and restore, system logs, and resetting the server.

When you access the utility for the first time, the initial setup screens appear. See Entering the Initial Server Configuration.

After the initial server configuration is complete, see Using the Web Admin Menus, Commands and Options.


Note The Cisco PAM server software is different from the desktop client software. The desktop (client) software runs on a PC and is used to configure devices and access control settings. Whenever you upgrade the server software, you must also upgrade the desktop software. If the versions are not the same, an error occurs when launching the desktop client. See Installing or Updating the Cisco PAM Desktop Software.


Logging on to the Cisco PAM Server Administration Utility

To log on to the Cisco PAM Server Administration utility, use one of the following methods:

Connect a PC directly to the server Eth0 port, as described in Entering the Initial Server Configuration.

Log in to the Cisco PAM Server Administration utility over the Internet using the Eth0 port IP address. You can also use the Shared IP address when two servers are set up in a redundant HA configuration. Ask your system administrator for the correct IP address.

The Eth1 port can optionally be enabled for Cisco PAM Server Administration utility connections over the web. The Eth1 port is disabled by default.

Using Redundant Appliances for High Availability

High availability is achieved by installing two Cisco PAM appliances in a redundant configuration. One appliance acts as the active server, and the second runs in warm standby mode. All data and configurations on the active appliance are automatically mirrored on the standby appliance to minimize any data loss or system downtime if a failover occurs. If the active appliance goes off-line, the standby appliance automatically assumes full control of the system, including the Shared IP address and optional feature licences.


Note The high availability (HA) feature requires a separate license. See Obtaining and Installing Optional Feature Licenses.


Understanding IP Addresses on the Cisco PAM Server

The Cisco PAM appliance IP address provides network communication between the appliance and the Gateway modules. The IP address is also used to log in to the system using either a web browser or the Cisco PAM desktop client.

This section describes the different IP addresses that can be configured on an appliance: Eth0, Eth1 and the Shared IP Address.

Cisco PAM Appliance IP Addresses

Eth0 Port IP Address

Shared IP Address

Eth1 Port IP address

Upgrading a Single Standalone Server to an HA Configuration

Gateway Module IP Addresses


Note Contact your system administrator for the specific IP address settings used in your system.


Cisco PAM Appliance IP Addresses

Each appliance must be configured with an Eth0 IP address. Servers in a redundant configuration must also be configured with a Shared IP address. The Eth1 port is disabled by default but can also be enabled and assigned an IP address. Review the following summaries to determine the configuration required by your deployment.

Eth0 Port IP Address

In a standalone configuration, the Eth0 IP address provides communication between the Cisco PAM appliance and the Gateway modules. The Eth0 IP address is also used to log on to the Cisco PAM Server Administration utility.

In a redundant HA configuration, the Eth0 ports provide communication between the active and standby appliances. The Eth0 IP addresses for the active and standby appliances must be different.

Shared IP Address

The Shared IP address is used in a redundant HA configuration and is transferred from the active to the standby server if a failover occurs. This allows system communication to continue since Gateway modules and end users will continue to communicate with the same IP address even after a failover to a different physical server.

In an HA configuration, the Shared IP address is used to log on to the Cisco PAM Server Administration utility, and is configured on each Gateway module.

The Shared IP address and the Eth0 IP address should be on the same subnet.

Eth1 Port IP address

The Eth1 port is disabled by default. You can enable and configure the Eth1 port for remote Internet connections to the Cisco PAM Server Administration utility.

Eth0 and Eth1 can be on separate subnets.

Upgrading a Single Standalone Server to an HA Configuration

To change a single standalone server to the active server in an HA configuration, you must configure a Shared IP address on the existing standalone server, and then configure a standby server with the same Shared IP address.

The new Shared IP address is used to log in to the system, and is used for network communication by the Gateway modules.


Note The active and standby servers must have unique Eth0 IP addresses.


See the "Upgrading the Server Software" section for more information.

If possible, we recommend assigning two IP addresses to a single standalone CPAM server: Eth0 and the Shared IP Address. This allows you to switch from a standalone configuration to an HA configuration without changing the IP address required for user logins.

Gateway Module IP Addresses

The Gateway module is configured with the following.

Cisco PAM Configuration—defines the IP address and port of the Cisco PAM appliance used to manage the Gateway. This can be either the Eth0 address in a standalone configuration, or the Shared IP address in an HA configuration. See the "Cisco PAM Appliance IP Addresses" section.

Eth0—defines the network settings for the Eth0 port on the Gateway module. Eth0 is used for network connectivity with the Cisco PAM appliance.

DNS—defines the domain name server (DNS) if names, not IP addresses, are used for the NTP or Cisco PAM addresses.

For instructions to install and configure the Gateway modules, see the Cisco Physical Access Gateway User Guide.

To use Cisco PAM to configure Gateway network settings, see the "Changing the Gateway Module Network Settings" section.

Entering the Initial Server Configuration

The initial setup screens appear automatically when you boot the Cisco PAM appliance for the first time (or after a complete system restore). The instructions in this section are for a standalone server, or for the two servers in a redundant (high availability) configuration.

Before You Begin

Connecting a PC to the Appliance

Initial Setup Instructions

Before You Begin

Before you power on the Cisco PAM appliance, you need the following:

A PC with a web browser (Internet Explorer 6.0 or higher).

An Ethernet cable to connect your PC directly to the Cisco PAM appliance. Cross-over and straight-through cables are supported.

In addition, gather the following information:

IP, subnet, and gateway addresses for the Cisco PAM appliance:

For a standalone server installation, one IP address for Eth0 is required.

For a redundant (HA) server configuration, two IP addresses are required: One address for the Shared IP Address setting, and a second address for the Eth0 port. See Understanding IP Addresses on the Cisco PAM Server.

(Optional) If using NTP synchronization, the address of the NTP server.

(Optional) The DNS server settings.

(Optional) An FTP or SFTP server address, username and password, if event archives will be backed up to a remote server.

Administrator password. If you are setting up the appliance for the first time, use the default password cpamadmin.

Connecting a PC to the Appliance

To complete the initial Cisco PAM configuration, connect an Ethernet cable from a PC to the Cisco PAM appliance Eth0 port. Use a web browser to enter the required settings.


Step 1 Connect an Ethernet cable from your PC to the Eth0 port on the Cisco PAM appliance (the Eth1 port is disabled by default). See Cisco Physical Security Multi Services Platform User Guide or Cisco Physical Access 1125 Appliance User Guide for the location of the appliance ports.


Note After configuration is complete, disconnect the Eth0 cable from the PC and connect the appliance to the IP network.


Step 2 Power on the appliance. See Cisco Physical Security Multi Services Platform User Guide or Cisco Physical Access 1125 Appliance User Guide for the location of the power button.

Step 3 Open a web browser on your PC and enter the URL: https://192.168.1.2.


Note Be sure to include the s in https://. This connects your browser to the secure URL.


Step 4 Enter the default username and password as shown in Figure 3-1:

default username: cpamadmin

default password: cpamadmin

Figure 3-1 Cisco PAM Server Administration Utility: Login


Tip The default cpamadmin password is used the first time you log into the active or standby appliance. You are required to configure a new password during the initial setup process, as described in Initial Setup Instructions. The cpamadmin username cannot be changed.



Note See Changing or Recovering the Server Password for more information.



Initial Setup Instructions

To enter the initial configuration for a Cisco PAM appliance, do the following:


Step 1 Log on to the appliance, as described in Connecting a PC to the Appliance.

Step 2 Enter the server configuration, as shown in Figure 3-2:


Note The version and serial number are not configurable.


a. Type: Select the server type to enable the configuration options for the appliance.

Active Server: (Default) Select Active Server for a single appliance, or if the appliance is the active server in a redundant configuration.

Standby Server: Select Standby Server if the appliance is the standby server in a redundant configuration. A standby server must have exactly the same configuration settings as the active server, except for the network addresses, host name, and HA license.

Figure 3-2 Initial Setup: Server Configuration

b. Site Name: Enter a description for the appliance to identify the appliance on the network. This field is disabled for a standby appliance since the standby server assumes the active server name if a failover occurs.

Enter any combination of letters and numbers up to 32 characters. Spaces are not allowed. Dashes and underscore characters are allowed.

Example: SJCSite1.

c. Select Next to apply the settings and continue.

Step 3 Enter the initial User settings to define the administrator password and email address, as shown in Figure 3-3. Enter the same settings on the active and standby appliance.

Figure 3-3 Initial Setup: User Configuration

a. Username: The admin username cannot be changed. The default username is cpamadmin.

b. Current Password: Enter the administrator password. The default password is cpamadmin.

c. New Password: Enter a new administrator password. The administrator has full rights to configure the Cisco PAM appliance, and grant access rights to other users. The new password is required and must be entered to continue.

d. Re-enter Password: Re-enter the administrator password to confirm the setting.

e. Email Address: (Optional) Enter the email address that will receive system messages. This email address also receives Forgot Password emails (see Resetting a Forgotten Password).

f. Select Next to apply the settings and continue.

Step 4 Enter the Network configuration for the Cisco PAM appliance, as shown in Figure 3-4.

The Shared IP address, Port and SSL are the same on the active and standby appliances.

The host name must be different for the active and standby appliances.

The Eth0 and Eth1 IP addresses must be different on the active and standby appliances.

All IP addresses must be on the same subnet.

Figure 3-4 Initial Setup: Network Configuration

Complete the following Network settings:

a. Host Name: Enter the host name on the active appliance. Enter a different host name on the standby appliance. The host name is used to identify the appliance on the local network and does not impact other configurations.

b. Shared IP Address: Enter the same IP address on the active and standby appliance. This address is transferred from the active to the standby appliance if a failover occurs. We recommend configuring a Shared IP Address on all appliances, even if the appliance is a standalone (non-HA) configuration. See Understanding IP Addresses on the Cisco PAM Server for more information.

The Shared IP address and the Eth0 IP address should be on the same subnet. Eth0 and Eth1 can be on separate subnets.

c. Transport Port: The default value is 8020. Enter the same number on the active and standby appliances.

d. SSL Enable For Server: Click the SSL checkbox to enable or disable secure IP communication between the Cisco PAM appliance and the Cisco Physical Access Gateways. The settings must be the same on the active and standby appliances.


Note SSL is enabled by default on all Gateways and Cisco PAM appliances. If SSL is disabled for a Gateway but enabled for Cisco PAM, the Gateway will not be able to connect to the appliance. If the SSL settings are changed, reset all Gateways and the Cisco PAM appliance. We recommend enabling SSL to ensure secure communications.


e. Eth0: (Required) Enter a static IP address for the Eth0 port. If the appliance is a standalone server, this port is the Cisco PAM appliance IP address. In a redundant (HA) configuration, the Eth0 port is used for HA communication between the active and standby appliance. The active appliance must have a different Eth0 IP address than the standby appliance.

See Understanding IP Addresses on the Cisco PAM Server for more information.

IP Address: Enter the IP address for the Eth0 port. This address should be on the same subnet as the Shared IP address, and must be different on the active and standby appliances.

Subnet Mask: Enter the subnet mask provided by your system administrator.

Gateway: (Optional) Enter the Gateway provided by your system administrator.

f. Eth1: This port is disabled by default. You can enable and configure the Eth1 port for remote Internet connections to the Cisco PAM Server Administration utility.

Enable Interface: Click the check box to enable or disable the Ethernet interface.

DHCP: Click the check box to enable or disable DHCP. When DHCP is enabled, the following IP address fields are inactive since the information is supplied by a DHCP server.

IP Address: Enter the IP address for the Eth1 port. If configured, this address must be different on the active and standby appliances.

Subnet Mask: Enter the subnet mask provided by your system administrator.

Gateway: (Optional) Enter the Gateway provided by your system administrator. If a Gateway is provided for Eth0, leave this field blank.

g. Select Next to apply the settings and continue.


Tip Either the Eth0, Eth1 or Shared IP address can be used to connect a PC to the Cisco PAM Server Administration utility over the Internet. Ask your system administrator for the IP address used for this purpose in your system.


Step 5 (Optional) Enter the DNS Settings for the Cisco PAM appliance. Enter the same settings on the active and standby appliance.

a. Primary DNS: (Optional) Enter the domain name server (DNS) for the Cisco PAM appliance.

b. Secondary DNS: (Optional) Enter the secondary DNS.

c. Domain: (Optional) Enter the domain name for the appliance.

d. Select Next to apply the settings and continue.

Step 6 (Optional) Enter the email settings used to send messages from the Cisco PAM appliance. Enter the same settings on the active and standby appliance.

a. SMTP Server Address: Enter the SMTP server address used to send outgoing messages. Outgoing messages include event and other alarm information.

b. SMTP Email Address from: Enter the email address that will appear in the From field for messages sent by the Cisco PAM appliance. This email address is also the Reply To address.

c. Test: Click the Test button to send a test message and verify the SMTP settings. The test message is sent to the administrator email address entered in User settings.

d. Select Next to apply the settings and continue.

Step 7 Enter the Date and Time settings. Enter an initial date and time for the server. These settings are used by the appliance and the Cisco Physical Access Gateways. Enter the same settings on the active and standby appliance.

a. Date & Time: Click the calendar icon to open a pop-up window and select the current day. The current date and time are inserted from your computer's date and time settings.

b. Time Zone: Select the time zone where the appliance is installed.

c. NTP enable: Select the checkbox to enable use of an optional Network Time Protocol server, used to automatically adjust the date and time for the Cisco PAM appliance.


Note We strongly recommend using NTP to synchronize the Cisco PAM appliance and Gateway module clocks to ensure correct event and messaging. See the "Change the NTP Setting for Multiple Gateways" section for more information.


d. NTP Server Address: If NTP is enabled, enter the NTP server IP address.

e. Select Next to apply the settings and continue.

Step 8 Enter the Event pruning and archiving settings, as shown in Figure 3-5.

Pruned events are removed from the main events database table and placed in a separate events database, allowing you to reduce the size of the main database while keeping old events accessible on the Cisco PAM system. Pruned events are not visible in Events & Alarms, but are included in reports. Pruned events are also included in system backups.

Archived events are removed from all Cisco PAM database tables and copied to a compressed file. The file includes a password-protected SQL script, and can be run on an offline database to view the purged events. Archived events are not visible in the Events & Alarms listings or Reports, and are not included in system backups. See the "Archiving Historical Events" section for more information.

a. Select the Pruning tab (Figure 3-5), and enter the following settings:

Figure 3-5 Initial Setup: Event Pruning and Archiving

Live Events Window (days)—Enter a value between 0 and 500 (inclusive). This is the minimum number of days the events will be available in the live view. The default is 30 days. After the minimum number of days the events will be removed at the next scheduled pruning. For example, enter 30 to keep events in the live view for 30 days. After midnight on day 30, the events are subject to pruning and archiving (depending on the schedule defined in the following steps).

The Pruning Hours field is enabled only when you select Daily in Schedule. The default value is one.

Figure 3-6 Pruning Hours

For other options in Schedule, the Pruning Hours field is read-only. See Figure 3-5.


Note To ensure that events are regularly pruned, we recommend entering 30 days or less in the Live Events Window field. Entering a value greater than 30 can cause an excessive number of event entries to accumulate in the main database and negatively impact system performance.

The number is rounded to midnight of the last day.


Schedule—define the time and frequency when events should be pruned.

Date—To schedule pruning for one day per month, select Date and then select a day of the month. For example: 15.

Weekday—To schedule pruning once per week, select Weekday and then select a day of the week. For example: Tuesday.

Daily—To run pruning every day, select Daily.

Time—Enter the time in 24 hour format (hh:mm:ss). For example, to run pruning at 2 p.m., enter 14:00:00. To run pruning at 1 a.m., enter 01:00:00.

b. Select the Archive tab (Figure 3-7) and enter the following settings:

Figure 3-7 Archiving Events


Tip The archive settings are required during the initial setup. After the server is up, you can disable auto-archiving if necessary. See the "Archiving Historical Events" section.


Enter and re-enter the administrator Password. This password is used to restore the archive file.

Historic Events Window (days)—Enter the number of days that events will be available in the live view. After the minimum number of days the events will be archived to a compressed file. For example, enter 30 to keep events in the live view for 30 days. After midnight on day 30, the events are subject to archiving (depending on the schedule defined in the following steps).

Enter a Schedule when the historic events will be removed from the pruned database and placed into a compressed archive file (archived files are listed above the entry fields).

Date—To schedule archiving for one day per month, select Date and then select a day of the month. For example: 15.

Weekday—To schedule archiving once per week, select Weekday and then select a day of the week. For example: Tuesday.

Daily—To run archiving every day, select Daily.

Time—Enter the time in 24 hour format (hh:mm:ss). For example, to run archiving at 2 p.m., enter 14:00:00. To run archiving at 1 a.m., enter 01:00:00.

(Optional) Select Copy to remote server to automatically copy the archived event files to a remote FTP or SFTP location.


Note Only the three most recent archive files are saved. If you do not save the archive file manually or by copying it to a remote server, then the oldest file will be permanently deleted when the fourth file is created.


FTP—for standard File Transfer Protocol servers.

SFTP—for secure file transfers using the Secure File Transfer Protocol (also known as the SSH File Transfer Protocol).

Address—the IP address or hostname of the remote server.

Username—the username required to log in to the server.

Password—the login password for the remote server.

Path—the directory path where the compressed archive will be copied. The path must exist on the remote server. If the directory is not available, the archive will fail.

c. Select Next to apply the settings and continue.


Tip Pruning and Archiving schedules must not overlap each other.


Step 9 (Optional) Install additional software licenses.

Figure 3-8 Initial Setup: License Installation


Note Enter all licenses except high availability (HA) on the active appliance. Enter only the HA license on the standby appliance. See Licenses in a Redundant Configuration for more information. See also Licensing: Frequently Asked Questions.


a. Locate the Product Authorization Key included with the Cisco Physical Access Manager appliance or purchased separately. See Purchasing Additional Feature Licenses.

b. In a Web browser, open the Cisco Product License Registration Web page.

http://www.cisco.com/go/license/

c. Follow the onscreen instructions to complete the form and enter the Product Authorization Key (PAK). When you are done, a license file with the extension .lic is sent to your email address.

d. Transfer the file to the drive of the PC used for the configuration.

e. In the License screen (Figure 3-8), click Browse to select the license file located on your local drive. When you select the file, the file name appears in the File field.

f. Select Finish to install the license file on the Cisco PAM appliance and activate the features.

Step 10 When you click Finish, the initial installation is applied, as shown in Figure 3-9. Click Done when all fields read Done.


Note If any errors occur, the setup returns to Step 2. If a serious error occurs, contact your Cisco support representative for assistance.


Figure 3-9 Initial Setup: Setup Progress

Step 11 Create a system backup as described in "Backing Up and Restoring Data". You should have at least one backup file to preserve critical system data. You also must have at least one backup to restore the server software using the recovery CD.

Step 12 Disconnect your PC from the Eth0 port and connect the Eth0 port to the IP network.
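
The address, naming and protocol rules given in Understanding IP Addresses on the Cisco PAM Server and in the setup steps above can be checked against a planned HA pair before the settings are typed into the setup screens. The Python lint below is an added example, not Cisco code: the Appliance fields, finding codes, addresses and passphrases are constructed, and the default-password and FTP findings are hardening assumptions that go beyond what the guide itself requires.

```python
"""Lint a planned Cisco PAM HA pair against the guide's setup rules (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_PASSWORD = "cpamadmin"                     # factory default named in the guide
SITE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # no spaces, at most 32 characters
Finding = Tuple[str, str, str]                     # (severity, code, message)


@dataclass
class Appliance:
    """Planned settings for one appliance; the field names are hypothetical."""
    host_name: str
    eth0_ip: str
    eth0_mask: str
    shared_ip: str
    new_password: str
    transport_port: int = 8020
    ssl_enabled: bool = True
    eth1_ip: Optional[str] = None
    archive_copy: Optional[str] = None   # None, "FTP" or "SFTP"
    live_events_days: int = 30


def _norm(value):
    """Compare addresses numerically and host names case-insensitively."""
    if not isinstance(value, str):
        return value
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return value.casefold()


def check_appliance(a: Appliance) -> List[Finding]:
    """Checks that apply to each appliance on its own."""
    out: List[Finding] = []
    eth0 = ipaddress.ip_interface(f"{a.eth0_ip}/{a.eth0_mask}")
    shared = ipaddress.ip_address(a.shared_ip)
    if shared == eth0.ip:
        out.append(("error", "SHARED_EQUALS_ETH0", f"{a.host_name}: Shared IP needs its own address"))
    elif shared not in eth0.network:
        out.append(("warn", "SHARED_OFF_SUBNET", f"{a.host_name}: {shared} is outside {eth0.network}"))
    # Assumption: re-entering the default as the "new" password counts as a failure.
    if a.new_password in ("", DEFAULT_PASSWORD):
        out.append(("error", "DEFAULT_PASSWORD", f"{a.host_name}: default password still planned"))
    if not a.ssl_enabled:
        out.append(("warn", "SSL_DISABLED", f"{a.host_name}: Gateway traffic would be unencrypted"))
    # Assumption: FTP is flagged because it sends the login and the archive in clear text.
    if a.archive_copy == "FTP":
        out.append(("warn", "ARCHIVE_OVER_FTP", f"{a.host_name}: use SFTP for the archive copy"))
    if not 0 <= a.live_events_days <= 500:
        out.append(("error", "LIVE_WINDOW_RANGE", f"{a.host_name}: Live Events Window must be 0-500"))
    elif a.live_events_days > 30:
        out.append(("warn", "LIVE_WINDOW_LARGE", f"{a.host_name}: guide recommends 30 days or less"))
    return out


def audit_ha_plan(site_name: str, active: Appliance, standby: Appliance) -> List[Finding]:
    """Per-appliance checks plus the rules that relate the active and standby servers."""
    out: List[Finding] = []
    if not SITE_NAME_RE.fullmatch(site_name):
        out.append(("error", "SITE_NAME", f"{site_name!r}: letters, digits, - and _ only, max 32"))
    out += check_appliance(active) + check_appliance(standby)
    must_match = (("shared_ip", "SHARED_MISMATCH"), ("transport_port", "PORT_MISMATCH"),
                  ("ssl_enabled", "SSL_MISMATCH"))
    for attr, code in must_match:
        if _norm(getattr(active, attr)) != _norm(getattr(standby, attr)):
            out.append(("error", code, f"{attr} must be identical on both appliances"))
    must_differ = (("host_name", "HOSTNAME_DUP"), ("eth0_ip", "ETH0_DUP"), ("eth1_ip", "ETH1_DUP"))
    for attr, code in must_differ:
        a, s = getattr(active, attr), getattr(standby, attr)
        if a is not None and _norm(a) == _norm(s):
            out.append(("error", code, f"{attr} must be different on the two appliances"))
    return out


# Constructed sample plans (addresses and passphrases are illustrative only).
GOOD_ACTIVE = Appliance("cpam-a", "10.20.30.11", "255.255.255.0", "10.20.30.10",
                        "Constructed-Passphrase-01", archive_copy="SFTP")
GOOD_STANDBY = Appliance("cpam-b", "10.20.30.12", "255.255.255.0", "10.20.30.10",
                         "Constructed-Passphrase-01", archive_copy="SFTP")
BAD_STANDBY = Appliance("CPAM-A", "10.20.30.11", "255.255.255.0", "10.20.31.10",
                        "cpamadmin", ssl_enabled=False, archive_copy="FTP",
                        live_events_days=90)

if __name__ == "__main__":
    for severity, code, message in audit_ha_plan("SJC Site1", GOOD_ACTIVE, BAD_STANDBY):
        print(f"{severity:5} {code:20} {message}")
```
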


Configuring Cisco PAM on Virtual Machine (VM)

Beginning with Release 1.4.1, Cisco PAM is configured virtually on VMware. VMware is installed on the UCS server by the UCS administrator. Once you are connected to VMware, the initial setup screens appear automatically when you boot the Cisco PAM appliance for the first time (or after a complete system restore). The instructions in this section are for a standalone server, or for the two servers in a redundant (high availability) configuration.

Before You Begin

Before You Begin

Before you power on the Cisco PAM appliance, you need the following:

A PC with a web browser (Internet Explorer 6.0 or higher).

In addition, gather the following information:

An IP address to launch CPAM in VMware.


Note Ensure that the VMware virtual machine has already been created through the vSphere client and that the IP address has been received.


IP, subnet, and gateway addresses for the Cisco PAM appliance:

For a standalone server installation, one IP address for Eth0 is required.

For a redundant (HA) server configuration, three IP addresses are required: one address for the active server, a second address for the standby server, and a third for the Shared IP Address setting.

(Optional) If using NTP synchronization, the address of the NTP server.

(Optional) The DNS server settings.

(Optional) An FTP or SFTP server address, username and password, if event archives will be backed up to a remote server.

Administrator password. If you are setting up the appliance for the first time, use the default password cpamadmin.

Configuration Procedure


Step 1 Open a web browser on your PC and enter the URL: https://<<cpam IP address>>


Note Be sure to include the s in https://. This connects your browser to the secure URL.


Step 2 Enter the default username and password as shown in Figure 3-1:

default username: cpamadmin

default password: cpamadmin

Step 3 Follow the remaining steps in the setup process. For more information, see Initial Setup Instructions.


Using the Web Admin Menus, Commands and Options

After the initial setup is complete, you can log into the Cisco PAM Server Administration utility to monitor the appliance or modify the configuration. The utility also includes commands to perform tasks such as rebooting the server, backing up data, and installing additional software. You can log in to the administration utility using either a direct connection, or through the Internet using the IP address configured for the Eth0 or Eth1 port.

Refer to the following topics for more information:

Accessing the Cisco PAM Server Administration Utility

Menus and Options in the Cisco PAM Server Administration Utility

Archiving Historical Events

Installing and Revising Language Packs

Changing or Recovering the Server Password

Obtaining and Installing Optional Feature Licenses

Displaying the Cisco PAM Appliance Serial Number

Performing a Graceful Failover with Redundant Appliances

Accessing the Cisco PAM Server Administration Utility

To use the Cisco PAM Server Administration utility, do the following:


Step 1 Log on to the appliance over the Internet or by using a direct connection:

For a direct connection, see Connecting a PC to the Appliance.

For an Internet connection, open a web browser and enter the IP address used for the Cisco PAM Server Administration utility. See Logging on to the Cisco PAM Server Administration Utility, or ask your system administrator for assistance.


Note The administration screens also appear immediately following the initial setup.


Step 2 Select a menu from the tabs along the top of the window, as shown in Figure 3-10. Each tab includes additional selections on the left, or additional drop-down menus.

Step 3 Select an option or command as described in the "Menus and Options in the Cisco PAM Server Administration Utility" section.

Step 4 For settings in the Setup menus, click Update to activate the changes.

Figure 3-10 Cisco PAM Server Administration Utility: Setup Menus


Menus and Options in the Cisco PAM Server Administration Utility

The following sections describe the configuration, administration, and monitoring tasks available in the Cisco PAM Server Administration utility.

Monitoring

Setup

Commands

Launch Client

Downloads

Monitoring

Monitoring displays the current and past state of the server, and includes the following submenus.

Table 3-1 Monitoring Menu 

Menu
Description

Status

Displays real-time information about the current state of the Cisco PAM appliance and high availability. Includes the server software version and serial number. Also includes options to stop or start services, including the following:

Admin State: Up means the appliance is available for use. Down means the appliance is unavailable for access control functions. This allows you to take the server offline for administrative functions and updates without actually shutting down the server.

Server Mode: In an HA configuration, the server mode can be either Active or Standby. See the "Using Redundant Appliances for High Availability" section.

Version: The release number of the current Cisco PAM appliance server software.

Serial Number: The serial number of the Cisco PAM appliance. For example, 00151729764C.

High Availability Audit: If HA is configured, the audit is enabled.

Peer Address: The IP address of the HA server paired with the current server. For example, 192.168.2.1.

Peer Hostname: The hostname of the HA server paired with the current server. For example, CPAM-75.

Synchronization Status: The status of the HA synchronization process. The options are:

Synchronized: HA synchronizations were completed without errors.

Failed to retrieve the Status: An error occurred while retrieving the Sync status. For example, the peer server is down or unreachable. See the webapp.log file for details.

Stopped: The appliance is in Admin Down state, and HA synchronization is stopped.

Error: An error was detected during synchronization. Additional details are displayed with the Error Code and Error String retrieved from the database.

In-progress: The synchronization process is in progress. At least one synchronization action has not completed.

TFTP Service: Determines if the TFTP service is available for updating firmware images. See the "Upgrading Gateway Firmware Images Using Cisco PAM" section and the "Disabling the Cisco PAM TFTP Server" section.

Web Service API: Determines if Cisco PAM web services are available. The service is enabled by default but requires an optional license for activation. See the Cisco Physical Access Control API Reference Guide for more information.

Server Log

Displays real-time information regarding server tasks.

Setup Log

Displays real-time information regarding server setup tasks performed on the appliance.

Web Application Log

Displays real-time information regarding events related to server administration tasks.

Audit Log

Displays a history of tasks performed by the administrator username.

Console Log

Displays a real-time console log.

High Availability Audit Log

Displays real-time events related to a redundant server configuration.

URL Log

Displays the output (HTTP response) from URL actions.


Setup

Allows you to view and edit the server configuration using the following submenus.


Note Click Update to save and activate your changes.


Table 3-2 Setup Menu 

Menu
Description

User

The username, password and email of the administrator login.

Network

The IP address configuration for the appliance and for the Eth0 and Eth1 network ports. See Entering the Initial Server Configuration for more information.

DNS

The DNS settings for the appliance, if DNS is used.

Email

The email settings for the appliance, including SMTP Server Address and SMTP Email Address from. These settings are used to send notifications and other information from the server.

Click Test to send a test message and verify the settings. The test message is sent to the administrator email address entered in User settings.

Select Update to apply the settings.

Date & Time

The server date and time settings. If a network time protocol server is used, click NTP enable and enter the NTP Server Address settings.

Note We strongly recommend using NTP to synchronize the Cisco PAM appliance and Gateway module clocks to ensure correct event and messaging. See the "Change the NTP Setting for Multiple Gateways" section for instructions to set NTP on Gateway modules.

License

Displays the Cisco licenses installed on the appliance and allows you to install additional licenses.

Install: Install additional Cisco Physical Access Control feature licenses. See Obtaining and Installing Optional Feature Licenses.

Features: Displays the licensed modules currently installed in the appliance.

Files: Lists the license files installed on the appliance.

Log Level

Defines the log level for capturing log messages. Select a level for each log subject (such as Security). The log levels are Debug, Info, Warn, Error, and Fatal.

Backup

Creates a compressed backup file of all system and configuration data that can be used to restore a server. See Backing up the Cisco PAM Database.

Event

Prunes and archives historical events from the Cisco PAM database. Pruned events are moved to a separate database table. Archived events are saved in a password-protected .zip file. See Archiving Historical Events for more information.

Restore

Restores data from a backup or archive file. The server must be stopped using Stop Server in the Commands menu. See Restoring a Server Backup File.

Upgrade

Upgrades the server software. To upgrade the server, select Stop Server from the Commands menu, click Browse to select an upgrade file, and then click Upgrade. Select Start Server from the Commands menu when the upgrade is complete. See Upgrading the Cisco PAM Server Software.

Localization

Allows you to create and add language packs that display Cisco PAM menus and other text in a language other than English. You can also display both English and a second language at the same time. See the "Troubleshooting and Monitoring" section.

Note The server has to be stopped to enable Localization. You need to upload the required language pack, start the server and download the new client for the server.


Commands

Provides commands to stop, start and reboot the server. Also includes commands to gather current information from a running server for use in troubleshooting and monitoring. This menu includes the following:

Table 3-3 Commands Menu 

Command
Description

Start Server

Enables the Cisco PAM access control server functions and user logins.

Stop Server

Disables the Cisco PAM access control server functions. All user logins are denied. The appliance remains in operation and you can still log in to the Cisco PAM Server Administration utility using a direct connection. To restart the access control server, select Start Server.

Note When the server restarts, a message appears asking if you want to change the database password. Click Cancel or OK. This password is a security measure used for troubleshooting and technical support. It does not impact user operation.

Note All EDI projects run when the Cisco PAM appliance is stopped and restarted. If you do not want the projects to run after a server restart, stop the project(s) before restarting the server. See Importing, Starting, and Monitoring EDI Projects in Cisco PAM.

Reboot

Performs a hard reboot of the appliance which restarts the OS and the access control server.

Shut Down

Shuts down the appliance. All access control functions stop unless a standby appliance is installed and configured. To restart the appliance and access control server, you must physically power down and then power on the appliance.

Show Technical Support

Collects detailed information and logs for use by Cisco technical support. This command is processor intensive and can result in decreased system performance. Use the command only under the supervision of a Cisco support representative.

Processes

Displays the processes running on the system for use in troubleshooting.


Launch Client

Launches the Cisco PAM desktop client. If the client is not installed or is out of date on your workstation, an installation screen appears. Follow the onscreen prompts to install or upgrade the desktop client (if necessary), and launch the application.


Note If necessary, the required Java application is also installed. This link is the same as the client installation link on the login page (Figure 3-2) and in the Downloads menu.


Downloads

Provides links to download additional software, including the following:

Table 3-4 Downloads Menu 

Download
Description

JRE 1.6 (Windows)

Installs only the required version of the JRE (Java Runtime Environment) on a Windows PC.

Cisco PAM Client (JRE required)

Installs Java, and then installs the Cisco PAM desktop client. This link is the same as the client installation link on the login page (Figure 3-2).

Cisco EDI Studio (JRE required)

Installs the EDI studio required to configure data integration. See Chapter 14 "System Integration" for more information. This link is the same as the client installation link on the login page (Figure 3-2).

SnapShell Driver

Snap Shell SDK

Installs the drivers and other software required by the SnapShell scanner. See the "Using a SnapShell License Scanner to Create Personnel Records" section.


Archiving Historical Events

If access control events are allowed to accumulate in the Cisco PAM database, the storage and backup requirements of the database tables can become unmanageable and affect system performance. To avoid this condition, use the event management feature to automatically prune old events from the main Cisco PAM database, and create compressed archive files of historic events. The archive file includes a password-protected SQL script, and can be run on an offline database to view the purged events.

This event management process is defined during initial system setup, as described in the "Entering the Initial Server Configuration" section. Use the instructions in this section to change the pruning and archiving settings.

This section includes the following topics:

Understanding Live, Pruned and Archived Events

Pruning and Archiving Historical Events

Understanding Live, Pruned and Archived Events

Events are stored according to the following categories:

Live Events

Pruned Events

Archived Events

Live Events

Live events are recent events that are stored in the main Cisco PAM database table. Live events are visible in Events & Alarms and can be included in system backups.

Pruned Events

Pruned events are removed from the main events database table and placed in a separate events database, allowing you to reduce the size of the main database while keeping them accessible on the Cisco PAM system. Pruned events are not visible in Events & Alarms, but are included in reports. Pruned events can also be included in system backups.


Tip See the "Creating Reports from Pruned Events" section.


The following conditions apply when pruning events:

Pruning will fail if any events or alarms have pending actions (such as an automated rule). Select the Clean up queues command to clear actions for old events or alarms.

Pruning deletes events from the live events database only if they were copied to the historical events database.

Alarms are deleted only if all alarm duplicates and annotations are past the live events time.


Tip The pruning process can impact system performance. Schedule pruning to occur during off-peak hours.


Archived Events

Archived events are removed from all Cisco PAM database tables and copied to a compressed file. The file includes a password-protected SQL script, and can be run on an offline database to view the purged events. Archived events are not visible in the Events & Alarms listings or Reports, and are not included in system backups.

Archiving historic events improves system performance and simplifies monitoring since only the latest, most relevant, events and alarms are displayed. System backup file sizes are also reduced. In addition, the historical event records are self-contained. Referenced objects, such as a person's name and card number, are retained even if the original record is deleted. Reports on historical events can also span a much longer time range than is normally possible for live events.

The saved file includes the date (mm/dd/year), the Cisco PAM version number, and other information. For example, cpam-09242012-1200001.4.1_0.3.6.archive.zip. The three most recent archive files are saved. When a fourth archive file is added, the oldest file is deleted. You can right-click a filename to save it to a local or network drive, or use the option in the following procedure to automatically copy archive files to a remote server.

Archived event files can be restored to Cisco PAM, if necessary. Restored archive events do not appear in the Event and Alarm Monitoring windows, but you can run reports on them. See the "Creating Reports from Pruned Events" section for more information. Archived event files can also be used by other applications to view old events or run reports.

Pruning and Archiving Historical Events

Event management settings are entered during the initial server setup, as described in the "Entering the Initial Server Configuration" section. Use the following procedure to revise the pruning and archiving settings.

Procedure


Step 1 Log on to the Cisco PAM Server Administration utility, as described in the "Logging on to the Cisco PAM Server Administration Utility" section.

Step 2 Choose Setup and then Event (Figure 3-11).

Figure 3-11 Pruning Events

Step 3 Select the Pruning tab, and enter the following settings:

a. Live Events Window (days)—Enter a value between 0 and 500 (inclusive). This is the number of days of events that will be available on live view. All the events older than the specified days will be removed at the pruning schedule time. For example, enter 30 to keep events in the live view for 30 days. After midnight on day 30, the events are subject to pruning and archiving (depending on the schedule defined in the following steps).


Note To ensure that events are regularly pruned, we recommend entering 30 days or less in the Live Events Window field. Entering a value greater than 30 can cause an excessive number of event entries to accumulate in the main database and negatively impact system performance.

The number is rounded to midnight of the last day.


b. Schedule—Define the time and frequency when events should be pruned.

Date—To schedule pruning for one day per month, select Date and then select a day of the month. For example: 15.

Weekday—To schedule pruning once per week, select Weekday and then select a day of the week. For example: Tuesday.

Daily—To run pruning every day, select Daily.

Time—Enter the time in 24-hour format (hh:mm:ss). For example, to run pruning at 2 p.m., enter 14:00:00. To run pruning at 1 a.m., enter 01:00:00.

c. Pruning Hours—This field is enabled only when Daily is selected in Schedule. The default value is one.


Note The Pruning Hours field is available from Cisco PAM 1.4.1 release.


d. Select Update to save the changes.

Step 4 Select the Archive tab (Figure 3-12) and enter the following archive settings:

Figure 3-12 Archiving Events


Note Compressed files containing archived events are listed above the entry fields. The file name includes the archive date & time. For example: March 01, 2011 11:16:08 AM PDT.

The three most recent archive files are saved. When a fourth archive file is added, the oldest file is deleted. You can right-click a filename to save it to a local or network drive, or use the option in the following procedure to automatically copy archive files to a remote server. The saved file includes the date (mm/dd/year), the Cisco PAM version number, and other information. For example: cpam-09242012-1200001.4.1_0.3.6.archive.zip.

No of Historical Events is the number of historical events that were pruned from the main database table. See the "Understanding Live, Pruned and Archived Events" section.


a. Enter and re-enter the administrator Password. This password is used to restore the archive file (similar to backup files).

b. Historic Events Window (days)—Enter the number of days that events will be available for reports. After the minimum number of days the events will be archived to a compressed file. For example, enter 30 to keep events in the live view for 30 days. After midnight on day 30, the events are subject to archiving (depending on the schedule defined in the following steps).

c. Select Automatic Archive to enter a schedule when the historic events will be removed from the database and placed into a compressed archive file (archived files are listed above the entry fields).


Tip De-select Automatic Archive to run manual archive operations only, or to disable archiving on the standby appliance in an HA configuration.


Date—To schedule archiving for one day per month, select Date and then select a day of the month. For example: 15.

Weekday—To schedule archiving once per week, select Weekday and then select a day of the week. For example: Tuesday.

Daily—To run archiving every day, select Daily.

Time—Enter the time in 24-hour format (hh:mm:ss). For example, to run archiving at 2 p.m., enter 14:00:00. To run archiving at 1 a.m., enter 01:00:00.

d. (Optional) Right-click an archived filename and select a save option from the browser menu.

e. (Optional) Select Copy to remote server to automatically copy the archived event files to a remote FTP or SFTP location.


Note Only the three most recent archive files are saved. If you do not save the archive file manually or by copying it to a remote server, then the oldest file will be permanently deleted when the fourth file is created.


FTP: for standard File Transfer Protocol servers.

SFTP: for secure file transfers using the Secure File Transfer Protocol (also known as the SSH File Transfer Protocol).

Address—the IP address or hostname of the remote server.

Username—the username required to log in to the server.

Password—the login password for the remote server.

Path—the directory path where the compressed archive will be copied. The path must exist on the remote server. If the directory is not available, the archive will fail.


Note If the IP address, username, password, or path is incorrect, or if the server is not available, then the backup is not copied to the remote server. The backup is still created on the Cisco PAM server.


f. Click Update to save the changes.
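
Because the appliance keeps only the three most recent archive files and a failed remote copy leaves the file only on the Cisco PAM server, a scheduled check on the receiving FTP or SFTP server can confirm that each archive arrived intact. The following is an added example, not Cisco code. It assumes the password protection appears as the standard ZIP encryption flag on each entry; the function names, the events.sql entry name, and the sample archive are constructed for illustration.

```python
import hashlib
import time
import zipfile
from pathlib import Path

ARCHIVE_SUFFIX = ".archive.zip"  # suffix of the page's example file name


def sha256_file(path):
    """Hash a file in chunks so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_archive(path):
    """Return a list of problems found in one copied archive file."""
    try:
        with zipfile.ZipFile(path) as zf:
            entries = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return ["not a readable zip (truncated or interrupted copy?)"]
    problems = [] if entries else ["archive contains no files"]
    # Bit 0 of the general-purpose flags marks an entry as encrypted (assumed
    # to be how the appliance's password protection shows up in the zip).
    problems += [f"entry is not password protected: {i.filename}"
                 for i in entries if not i.flag_bits & 0x1]
    return problems


def check_archive_dir(directory, max_age_days, manifest=None, now=None):
    """Check the directory that receives the remote copies.

    manifest maps file name -> SHA-256 recorded on an earlier run and is
    updated in place, so a later run can detect a file that was altered.
    Returns a list of (file name or None, problem) tuples; [] means healthy.
    """
    manifest = {} if manifest is None else manifest
    now = time.time() if now is None else now
    archives = sorted(Path(directory).glob("*" + ARCHIVE_SUFFIX),
                      key=lambda p: p.stat().st_mtime)
    if not archives:
        return [(None, "no archive files found")]
    findings = []
    age_days = (now - archives[-1].stat().st_mtime) / 86400
    if age_days > max_age_days:
        findings.append((None, f"newest archive is {age_days:.0f} days old; "
                               "scheduled copy may be failing"))
    for path in archives:
        digest = sha256_file(path)
        if manifest.setdefault(path.name, digest) != digest:
            findings.append((path.name, "content changed since first recorded"))
        findings += [(path.name, p) for p in inspect_archive(path)]
    return findings


def write_sample_archive(path, flag_encrypted=True):
    """Constructed fixture: a tiny zip whose entry can be flagged as encrypted
    (only the flag bit is set; the contents are NOT really encrypted)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("events.sql", "-- constructed sample, not real event data\n")
    if flag_encrypted:
        data = bytearray(Path(path).read_bytes())
        data[data.index(b"PK\x01\x02") + 8] |= 0x1  # flags in central directory
        Path(path).write_bytes(bytes(data))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as folder:
        sample = Path(folder) / ("cpam-sample" + ARCHIVE_SUFFIX)
        write_sample_archive(sample, flag_encrypted=False)
        for name, problem in check_archive_dir(folder, max_age_days=7):
            print(name, problem)
```

Pass the same manifest dictionary on every run (persisted between runs) so that an archive altered after its first check is reported. Of the two copy options, SFTP protects the remote server login in transit, whereas FTP sends the username and password unencrypted.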


Installing and Revising Language Packs

Optional language packs are installed on the Cisco PAM appliance to display Cisco PAM menus and other text in a language other than English. You can install more than one language pack, and users can select one of those languages when logging in to the Cisco PAM application (Figure 3-13). Users can also select Dual-language mode to display text and menus in both English and the selected language.

Figure 3-13 Login Screen

Although a language pack may be available for your deployment, you can create new language packs or edit the installed packs by downloading and editing a set of XML files used to display the menus and other text.

Usage Notes

If you upgrade the Cisco PAM appliance from release 1.2.0 or lower to release 1.3.0 or higher, you must also upgrade the system database to support localization. This is a one-time process performed by clicking an Enable Localization button the first time you access the localization feature. This procedure is also required if you restore a data backup from release 1.2.0 or lower to release 1.3.0 or higher. This process can take up to one hour (or more) to complete for large databases. See the "Creating or Revising a Language Pack" section for instructions.

Log files and the Cisco PAM Server Administration utility appear in English even if a language pack is installed.

Creating or Revising a Language Pack

To create a new language pack translation, download a set of XML template files for the language you want to use. You can download and edit a language pack that was previously uploaded, or download and edit a new set of template files.

Next, edit the XML files to include the translated text you want to appear in the Cisco PAM desktop application. Then save the revised files using the same filename and compress the directory containing the XML files.


Note The directory and compressed .zip archive can be any name you choose, but the XML files contained in that compressed .zip file must have the same file names as the originals.


Import the compressed language pack file into the Cisco PAM appliance using the Cisco PAM Server Administration utility. Finally, reinstall the Cisco PAM desktop application, which includes the new language pack.

Editing a language pack that was previously installed is the same process as creating a new language pack. Instead of downloading a new template, however, you download and edit the language pack files that were previously installed.

Procedure

Complete the following procedure to create or edit a language pack for any language.


Step 1 Log on to the appliance over the Internet or by using a direct connection:

For a direct connection, see Connecting a PC to the Appliance.

For an Internet connection, open a web browser and enter the IP address used for the Cisco PAM Server Administration utility. See Accessing the Cisco PAM Server Administration Utility, or ask your system administrator for assistance.

Step 2 (Optional) Perform a system backup, as described in "Backing Up and Restoring Data".


Tip Back up system data before performing any major operation to ensure the integrity of your existing data.


Step 3 Select Setup, and then select Localization (Figure 3-14).

Step 4 Enable localization, if necessary (Figure 3-14):

This step is only necessary if you are upgrading or restoring data from Release 1.2.0 or lower.

If your appliance is a new installation, skip to Step 5. You can also skip to Step 5 if localization was previously enabled on the appliance.

Figure 3-14 Enable Localization

a. Place the server in the Down state.

Click the Monitoring tab and select Stop in the Admin State entry.

Verify that the Admin State is Down.

b. Return to the Localization window and click Enable Localization (Figure 3-14).

c. Click OK when the confirmation message appears.

d. Wait for the message The localization feature is enabled to appear. This can take up to one hour or more for large databases.


Tip The Upload and Download buttons are also enabled when the conversion process is complete.


Step 5 To edit an existing language pack, click the Download link next to the installed language (Figure 3-15), and skip to Step 7.

Figure 3-15 Localization Menu in the Cisco PAM Server Administration Utility

Step 6 To create a new language pack, download a language template:

a. Select the Download templates radio button (Figure 3-16).

b. Choose a language from the Language menu.

c. Select Download.

d. Continue to Step 7.

Figure 3-16 Download Language Templates

Step 7 Select a location on your hard drive to save the compressed .zip file.

The filename includes the release number and language code. For example: languagepack_zh_1.4.1_0.3.31

Step 8 Edit the XML files to include the translated text:

a. Unzip the compressed language pack directory.

b. Open each file in a Unicode-supported editor.

For example: in Windows, right-click the file name and select Open with and then XML Editor (Figure 3-17).

Figure 3-17 Download Language Templates

c. Enter the translated text for each Translation Unit.

For each Translation Unit, there are two item entries: one for English (en), and another for the language you are translating (Figure 3-18).

Figure 3-18 XML Language File

String id "key" identifies the language. The English (en) entry shows the English text, and an additional "key" entry identifies the language you need to translate. For example, Spanish is represented as "es". Do not change these "key" values.

String id "value" is the actual text of the item. Replace the English sample with the translated text for your language. This is the text that will appear in the Cisco PAM application.


Note Do not change the text value of the "en" item. This is the English text and allows both languages to appear in the Cisco PAM client application.

The items for English and the second language appear in a different order, depending on the language pack and XML file. For example, in some XML files, the English entry may appear first. In other files, the second language may appear first. Always verify that you are editing the correct language. Never modify the English (en) key or value.


d. Save each XML file using the same file names as the originals.

e. Repeat these steps to translate each required XML file in the language pack.

Step 9 Place the translated language pack files in a directory and compress the directory as a .zip archive.

The directory and compressed .zip archive can be any name you choose, but the XML files contained in that compressed .zip file must have the same file names as the originals.

Step 10 Place the active and standby Cisco PAM appliances in the Admin State Down state.

The server must be in Admin State Down to upload the compressed language pack file. If your deployment includes a redundant standby server, place the standby server in Down state first to prevent a failover.


Caution Placing the server in Admin State Down stops all Cisco PAM services. If a redundant Standby server is configured, you must also place the Standby server in the Admin State Down state.

a. Log on to the standby Cisco PAM appliance (if configured).

b. Select Monitoring and then Status (Figure 3-19).

c. Select Stop (next to Admin State).

Figure 3-19 Stop the Cisco PAM Server

a. Log on to the active Cisco PAM appliance.

b. Select Monitoring and then Status (Figure 3-19).

c. Select Stop (next to Admin State).

Step 11 Upload the revised language pack.

a. Select Setup and then select Localization.

b. Select the Upload language pack radio button (Figure 3-20).

c. Select the language you want to import from the drop-down menu.

d. Click Browse and select the compressed file that contains the revised XML files.

For example: languagepack_zh_1.4.1_0.3.31

e. Click Upload.

Figure 3-20 Apply the Language Pack

Step 12 Wait for the upload to complete and click OK when the confirmation message appears.

Step 13 Confirm that the correct language pack was installed (Figure 3-21).

Figure 3-21 Languages Installed on the Cisco PAM Server

Step 14 Restart the Cisco PAM server.


Note The server must be in Admin State Up to initialize the language pack and for users to access the system.


a. Select Monitoring and then Status.

b. Select Start next to Admin State.

Step 15 Download and install the new version of the Cisco PAM client application.


Note The new language will not be available until you uninstall and reinstall the client application.


a. If the Cisco PAM client is installed on your Windows PC, uninstall it.

Go to Start > Programs > Cisco Physical Access Manager > Uninstaller and follow the onscreen instructions.

Or go to Start > Control Panel > Uninstall a Program > Cisco Physical Access Manager and choose Uninstall.

b. Use one of the following methods to reinstall the desktop client:

In the Cisco PAM Server Administration utility, click Launch CPAM Client.

Select Downloads and then Cisco PAM Client (JRE required).

Click Launch CPAM Client on the web utility login page.


Tip See the "Installing or Updating the Cisco PAM Desktop Software" section for more information.


c. Follow the onscreen instructions to install and launch the updated Cisco PAM client.

Step 16 Select the new language when logging in to the Cisco PAM desktop client (Figure 3-22).

a. Launch the Cisco PAM application.

b. In the Log In window, choose the language you want to use (Figure 3-22).

c. (Optional) Select Dual-language mode to display both languages in the application.

d. Enter the server hostname or IP address, username, and password.

e. Click Log In.

Figure 3-22 Selecting a Language at the Cisco PAM Login

Step 17 Verify that the translated text appears correctly in the Cisco PAM application (Figure 3-23).

If you chose Dual-language mode, English appears after the translated text (in parentheses).

Figure 3-23 Translated Menus in Cisco PAM


Tip The Login screen (Figure 3-22) also displays the selected language the next time you log in.


Step 18 If corrections are required, return to Step 5 to download and edit the XML files for an existing language pack. You must uninstall and reinstall the CPAM client application each time you upload a language pack for the changes to appear.
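
A pre-upload check for the rules in Steps 8 and 9 (file names unchanged, the en key and value untouched, a translation present for every unit), as an added example that is not Cisco code. The element names tu, item and string, the function names, and the sample packs are assumptions: the page describes Figure 3-18 but does not show the XML schema, so adjust the three tag constants to match a real template.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

# ASSUMED element names (hypothetical: the page describes Figure 3-18 but does
# not show the schema). Each unit holds one item per language; each item has
# <string id="key"> (language code) and <string id="value"> (displayed text).
UNIT, ITEM, STRING = "tu", "item", "string"


def read_pack(zip_source):
    """Return ({base file name: bytes}, problems) for one language pack zip."""
    files, problems = {}, []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                problems.append(f"unsafe entry path: {info.filename}")
                continue
            files[posixpath.basename(info.filename)] = zf.read(info)
    return files, problems


def declares_dtd(data):
    """Translation files need no DOCTYPE or entity declarations; flag them."""
    encoding = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return "<!DOCTYPE" in data.decode(encoding, errors="replace")


def units(xml_bytes):
    """Parse one file into a list of {language code: text}, one dict per unit."""
    result = []
    for unit in ET.fromstring(xml_bytes).iter(UNIT):
        entry = {}
        for item in unit.iter(ITEM):
            fields = {s.get("id"): s.text or "" for s in item.iter(STRING)}
            entry[fields.get("key")] = fields.get("value", "")
        result.append(entry)
    return result


def check_language_pack(template_zip, edited_zip, lang):
    """Compare an edited pack with the downloaded one; [] means ready to upload."""
    original, _ = read_pack(template_zip)
    edited, problems = read_pack(edited_zip)
    problems += [f"missing file: {n}" for n in sorted(set(original) - set(edited))]
    problems += [f"renamed or extra file: {n}"
                 for n in sorted(set(edited) - set(original))]
    for name in sorted(set(original) & set(edited)):
        if not name.lower().endswith(".xml"):
            continue
        if declares_dtd(edited[name]):
            problems.append(f"{name}: unexpected DOCTYPE declaration")
            continue
        try:
            new_units = units(edited[name])
        except ET.ParseError as exc:
            problems.append(f"{name}: not well-formed XML ({exc})")
            continue
        old_units = units(original[name])
        if len(new_units) != len(old_units):
            problems.append(f"{name}: number of translation units changed")
            continue
        for number, (old, new) in enumerate(zip(old_units, new_units), 1):
            if set(new) != set(old):
                problems.append(f"{name} unit {number}: language keys changed")
            elif new.get("en") != old.get("en"):
                problems.append(f"{name} unit {number}: English (en) value modified")
            elif not new.get(lang, "").strip():
                problems.append(f"{name} unit {number}: no '{lang}' translation")
    return problems


# Constructed sample data, not taken from a real Cisco PAM language pack.
def sample_xml(en, es):
    item = '<item><string id="key">{}</string><string id="value">{}</string></item>'
    return "<pack><tu>" + item.format("en", en) + item.format("es", es) + "</tu></pack>"


def make_zip(files, folder="languagepack"):
    """Build an in-memory zip from {file name: XML text}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as zf:
        for name, text in files.items():
            zf.writestr(f"{folder}/{name}", text.encode("utf-8"))
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    template = make_zip({"menus.xml": sample_xml("Door", "Door")})
    edited = make_zip({"menus.xml": sample_xml("Gate", "Puerta")}, folder="es_v2")
    for problem in check_language_pack(template, edited, "es"):
        print(problem)
```

Files are matched by base name only, because the directory and .zip archive may be renamed but the XML file names may not.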


Changing or Recovering the Server Password

This section includes instructions to change the server password, or to recover a forgotten password. To recover a forgotten password, click the Forgot Password? link on the login page. The Forgot Password? link is available only if the server email settings are configured (the link is used to send an email with password reset instructions).

If the Forgot Password? link is not enabled, you must recover the password by reinstalling the server software.


Note The cpamadmin username is the only username supported on the Cisco PAM Server Administration utility. The cpamadmin username cannot be changed and additional usernames cannot be added. The default password (also cpamadmin) must be changed during the initial server setup.

The same cpamadmin username and password are automatically created on the Cisco PAM desktop client during the initial server setup. After the initial server setup, however, the desktop cpamadmin username and password are managed separately: changes to the server password do not affect the desktop account. See Chapter 5 "Configuring User Access for the Cisco PAM Desktop Client" for more information.


This section includes the following information:

Changing the Cisco PAM Server Administration Utility Password

Resetting a Forgotten Password

Recovering a Lost Server Password

Changing the Cisco PAM Server Administration Utility Password

To change the password for the cpamadmin username on the Cisco PAM Server Administration utility, do the following:


Step 1 Log on to the appliance over the Internet or by using a direct connection:

For a direct connection, see Connecting a PC to the Appliance.

For an Internet connection, open a web browser and enter the IP address used for the Cisco PAM Server Administration utility. See Logging on to the Cisco PAM Server Administration Utility, or ask your system administrator for assistance.

Step 2 Select the Setup tab and then select the User menu, as shown in Figure 3-24.

Figure 3-24 Cisco PAM Server Administration Utility: Setup Menus

Step 3 Enter the current and new passwords in the appropriate fields.

Step 4 Click Update.


Note Changing the server password does not affect the cpamadmin user password for the Cisco PAM desktop client. See Chapter 5 "Configuring User Access for the Cisco PAM Desktop Client" for information on managing desktop client usernames and passwords.


Resetting a Forgotten Password

To reset a forgotten cpamadmin server password, click the Forgot Password? link on the login page and complete the following instructions.


Note The Forgot Password? link appears only if the feature is enabled (as described in Enabling the Forgot Password Feature). If the Forgot Password? link does not appear on the login page, follow the instructions in the "Recovering a Lost Server Password" section.

The server password is different from the Cisco PAM desktop client password. See Chapter 5 "Configuring User Access for the Cisco PAM Desktop Client" for information on managing desktop client usernames and passwords.


To reset a forgotten admin password for the server utility, do the following:


Step 1 Open the Cisco PAM Server Administration utility login page.

Step 2 Click the Forgot Password? link, as shown in Figure 3-25.

Figure 3-25 Forgot Password Link

When you click this link, an email containing password instructions is sent to the email address configured in the User setup page.

Step 3 Access the email in your email application, and click the included URL to open an online reset password form, as shown in Figure 3-26.


Note The email URL is only valid for 30 minutes, or until used to reset the password.


Figure 3-26 Reset Password Page

Step 4 Enter and reenter your new password, and then click Update.

Step 5 Log in using the new password.

Enabling the Forgot Password Feature

The Forgot Password? link appears on the login page only if the server email settings are configured, as described in the following steps:


Step 1 Log in to the Cisco PAM Server Administration utility.

Step 2 Enter the email address that will receive Forgot Password? emails.

a. Select the Setup tab and then select the User menu, as shown in Figure 3-27.

Figure 3-27 Email Recipient for Forgot Password

b. Enter an Email Address that will receive Forgot Password emails.

c. Click Update.

Step 3 Enter the SMTP settings used to send the Forgot Password emails.

a. In the Setup tab, click the Email menu, as shown in Figure 3-28.

Figure 3-28 Send Email Settings for Forgot Password

b. Enter the SMTP Server Address used to send outgoing messages. Outgoing messages also include event and other alarm information.

c. Enter an email address in SMTP Email Address from. This address appears in the From field for messages sent by the Cisco PAM appliance. This email address is also the Reply To address.

d. Click Test to verify the settings.

e. Click Update to save the settings.

Recovering a Lost Server Password

If the cpamadmin password is lost and the Forgot Password? feature is not enabled, do the following.


Step 1 Reinstall the server software and enter a new cpamadmin password, as described in Reinstalling the Cisco PAM Server Software from a Recovery CD. Reinstalling the Cisco PAM server software deletes all server information and settings.

Step 2 Restore the Cisco PAM data and settings from a backup file, as described in "Backing Up and Restoring Data".


Note The backup file does not include the old password. The password is entered during the restore.



Obtaining and Installing Optional Feature Licenses

The Cisco PAM appliance includes a base package of software licenses to enable access control.

Release 1.2 includes a 4-module base license.

Release 1.3.1 and later include a 32-module base license.

To enable additional licensed features, such as support for additional hardware modules or the Badge Designer, complete the instructions in this section.


Note The menus for licensed software features do not appear unless the license is installed on the Cisco PAM appliance.

If you are installing a new server, or reconfiguring a server after a system restore from a CD/DVD, see Entering the Initial Server Configuration to install licenses during the initial setup.

Licenses installed on a Cisco PAM appliance cannot be transferred to another appliance.

Licenses installed in a redundant (high availability) configuration are automatically transferred from the active appliance to the standby server during a failover.


This section includes the following topics:

Understanding Module Licenses

Licenses in a Redundant Configuration

Purchasing Additional Feature Licenses

Installing Additional Licenses

Displaying the Cisco PAM Appliance Serial Number

Displaying a Summary of Installed Licenses

Understanding Module Licenses

Module licenses can be installed to support 64, 128, 256, or 512 hardware modules. Modules include the Cisco Physical Access Control hardware, including the Gateway, Reader, Input and Output modules.

By default, the Cisco PAM appliance supports up to 32 Cisco hardware modules. To add additional capacity to your system, you must purchase and install additional module licenses. See Part Numbers for the Optional Feature Licenses for more information.

Module licenses are cumulative: each additional license is added to the capacity of existing licenses. For example, if you initially installed a 64 module license, you can purchase an additional 128 module license to support a total of 192 Gateways.


Note For answers to common licensing questions, see Licensing: Frequently Asked Questions.


Licenses in a Redundant Configuration

If two appliances are installed in a redundant configuration, all installed licenses apply to both the active and standby appliances. If a failover occurs, the standby appliance automatically assumes all active licenses.

Only the high availability (HA) license is installed on the standby appliance. All other licenses are installed on the active appliance. See Entering the Initial Server Configuration.

Purchasing Additional Feature Licenses

To purchase additional licenses, do the following:


Step 1 Determine the part numbers for the optional licenses you want to purchase. See Table 3-5: Optional Feature Licenses and Part Numbers.

Step 2 Determine the Cisco PAM appliance serial number required to complete the purchase. See Displaying the Cisco PAM Appliance Serial Number for more information.

Step 3 Purchase the licenses by contacting your Cisco sales representative or any Cisco reseller. For more information, visit http://www.cisco.com/en/US/ordering/index.shtml.

Step 4 When the purchase is complete, you are issued a Product Authorization Key (PAK) in paper form, or in an email message.

Step 5 Continue to Installing Additional Licenses for information on the two options used to download and install the license file using the PAK number.


Part Numbers for the Optional Feature Licenses

Table 3-5 lists the part numbers for the optional feature licenses.

Table 3-5 Optional Feature Licenses and Part Numbers

Part Number         Optional Feature License

CIAC-PAME-M64=      Cisco Physical Access Manager 64-module capacity upgrade license
CIAC-PAME-M128=     Cisco Physical Access Manager 128-module capacity upgrade license
CIAC-PAME-M512=     Cisco Physical Access Manager 512-module capacity upgrade license
CIAC-PAME-M1024=    Cisco Physical Access Manager 1024-module capacity upgrade license
CIAC-PAME-BD=       Cisco Physical Access Manager Badge Designer and Enroller
CIAC-PAME-HA=       Cisco Physical Access Manager High-Availability License
CIAC-PAME-EDI=      Cisco Physical Access Manager Enterprise Data License
CIAC-PAME-WSAPI=    Cisco Physical Access Manager Web Services API


Installing Additional Licenses

This section contains instructions to download and install additional license files after the Cisco PAM appliance is set up. If you are installing a new appliance, see Entering the Initial Server Configuration.

To use this method, obtain the license file from the Cisco Web site using a PC connected to the Internet, and transfer the file to the workstation used for server configuration.

Figure 3-29 Installing Optional Feature Licenses

Procedure


Step 1 Locate the Product Authorization Key (PAK) created with the purchase of the optional feature.

Step 2 In a Web browser, open the Cisco Product License Registration Web page.

http://www.cisco.com/go/license/

Step 3 Follow the onscreen instructions to complete the form and enter the Product Authorization Key (PAK). When you are done, a license file with the extension .lic is sent to your email address.

Step 4 Transfer the file to the drive of the PC used for the configuration.

Step 5 In the License screen (Figure 3-29), click Browse to select the license file located on your local drive. When selected, the file name appears in the File field.

Step 6 Select Update to install the license file on the Cisco PAM appliance and activate the features.

Step 7 Select the Features tab to verify that the new license was added. See Displaying a Summary of Installed Licenses for more information.

Step 8 Quit and relaunch the Cisco PAM desktop software to access the new feature menus.


Displaying a Summary of Installed Licenses

From the Cisco PAM Server Administration utility, select the Features tab in the Setup menu to view a list of installed feature licenses, as shown in Figure 3-30.

Figure 3-30 License Features List

Displaying the Cisco PAM Appliance Serial Number

To view the appliance serial number, do the following:


Step 1 Log on to the Cisco PAM Server Administration utility:

For a direct connection, see Connecting a PC to the Appliance.

For an Internet connection, open a web browser and enter the IP address used for the Cisco PAM Server Administration utility. See Logging on to the Cisco PAM Server Administration Utility, or ask your system administrator for assistance.


Note The administration screens also appear immediately following the initial setup.


Step 2 Select the Monitoring tab, and then select Status, as shown in Figure 3-31.

Step 3 Refer to the entry for Serial Number.

Figure 3-31 Cisco PAM Appliance Serial Number


Performing a Graceful Failover with Redundant Appliances

An automatic failover from the active appliance to the standby appliance occurs if the active appliance goes offline.

To trigger a graceful failover, stop the active appliance. Log on to the Cisco PAM Server Administration utility on the active appliance, and select Stop Server, Reboot, or Shut Down. See Using the Web Admin Menus, Commands and Options for more information.


Caution A system failover can result in a temporary loss of data. Log and other system messages sent from the Access Gateways and other hardware components may be dropped during the failover process. Cisco recommends performing a manual failover only when system usage is low.

Troubleshooting and Monitoring

See Using the Web Admin Menus, Commands and Options for information on the monitoring and troubleshooting features available in the Cisco PAM Server Administration utility. Most of the functions are used to gather information for Cisco technical support. For more information, contact your Cisco support representative.


Caution Using the Show Tech command is processor intensive and can result in poor system performance while the information is gathered from your system. Use the Show Tech command under the direction of a Cisco technical support representative only.

For information on feature licenses, see Licensing: Frequently Asked Questions.

Next Steps

When the initial setup is complete, the Cisco PAM appliance is ready to configure the access control features of your system, including doors, users, badges, and other features. See Chapter 4 "Getting Started With the Cisco PAM Desktop Software" for instructions to log in and get started.

For information on installing and configuring the Access Gateway and other physical modules, see the Cisco Physical Access Gateway User Guide.