Cisco DCNM Installation and Licensing Guide, Release 6.x
Configuring Cisco DCNM Servers

Table of Contents

Configuring Cisco DCNM Servers

Configuring Secure Client Communications

Information About Secure Client Communications

Encrypted Client-Server Communications

Firewall Support for Client-Server Communications

Configuring Secure Client Communications

Adding a CA signed SSL Certificate in DCNM

Enabling Cisco DCNM-LAN SSL

Enabling Encrypted Client-Server Communications

Disabling Encrypted Client-Server Communications

Specifying a Secondary Server Bind Port

Configuring SMTP Servers

Information About SMTP Servers

Configuring for SMTP Servers

Configuring Cisco DCNM Servers

This chapter describes how to configure Cisco Data Center Network Manager for LAN (DCNM-LAN) servers.

This chapter includes the following sections:

Configuring Secure Client Communications

This section describes how to configure Cisco Data Center Network Manager for LAN (DCNM-LAN) for secure client-server communications.


Note Use the HTTPS option for secured communication between the server and client.


This section includes the following topics:

Information About Secure Client Communications

This section includes the following topics:

Encrypted Client-Server Communications

By default, communication between the Cisco DCNM-LAN client and server is unencrypted; however, you can enable secure client-server communications, which use Transport Layer Security (TLS), a protocol based on the Secure Sockets Layer (SSL) 3.0 protocol. In particular, communications between the Cisco DCNM-LAN client and the EJB port on the Cisco DCNM-LAN server are encrypted when you enable secure client communications.

Enabling secure client communications does not affect how users download, install, and log into the Cisco DCNM-LAN client.

Firewall Support for Client-Server Communications

Cisco DCNM-LAN supports client-server connections across gateway devices such as a firewall; however, you must configure any gateway devices to allow the connections that the client must open to the Cisco DCNM-LAN server.

By default, the secondary server bind port is assigned a random port number when the Cisco DCNM-LAN server starts. To support client-server communications across a gateway device, you must configure the Cisco DCNM-LAN server to use a specific port for the secondary server bind service.

Adding a CA signed SSL Certificate in DCNM


Step 1 From the command prompt, navigate to <DCNM install root>/dcm/java/jre1.7/bin/

Step 2 Generate the public-private key pair in the DCNM keystore.

keytool -genkeypair -alias <alias-name> -keyalg RSA -keystore "<DCNM install root>\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3

For Example: keytool -genkeypair -alias mykey -keyalg RSA -keystore "D:\Cisco Systems\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3

Step 3 Generate the certificate signing request (CSR) from the public key generated in Step 2.

keytool -certreq -alias <alias-name-from-Step-2> -file <csr-file-name> -keystore "<DCNM install root>\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3

For Example: keytool -certreq -alias mykey -file certreq.pem -keystore "D:\Cisco Systems\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3

Step 4 Submit the CSR to the certificate signing authority to be digitally signed, and download the signed certificate along with the root and intermediate certificates (if applicable).

Step 5 Import the intermediate certificate first, then the root certificate, and finally the signed certificate by following these steps:

    • keytool -importcert -alias <unique-alias-name> -file <intermediate cert file location> -keystore "<DCNM install root>\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3
    • keytool -importcert -alias <unique-alias-name> -file <root cert file location> -keystore "<DCNM install root>\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3
    • keytool -importcert -alias <alias-name-from-Step-2> -file <CA signed cert file location> -keystore "<DCNM install root>\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3

For Example:

    • keytool -importcert -alias inter -file inter.pem -keystore "D:\Cisco Systems\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3
    • keytool -importcert -alias root -file root.pem -keystore "D:\Cisco Systems\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3
    • keytool -importcert -alias mykey -file mykey.pem -keystore "D:\Cisco Systems\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -storepass fmserver_1_2_3

Step 6 Stop the DCNM services.

Step 7 Open the following files:

<Install root>/dcm/JBoss-7.2.0.Final/standalone/configuration/standalone-san.xml

<Install root>/dcm/JBoss-7.2.0.Final/standalone/configuration/standalone-lan.xml

Step 8 Search for key-alias="sme" and replace it with key-alias="<key-alias from Step 2 above>".

Step 9 Restart the DCNM Services.

Enabling Cisco DCNM-LAN SSL

Install Cisco DCNM on a single or clustered environment as described in the Cisco DCNM installation section.


Note Ensure you launch the Cisco DCNM-LAN client at least once before enabling SSL.



Step 1 From the server machine, copy the certification file to .dcnm/certs.

Step 2 When HTTPS is not enabled, copy the fmtrust.jks file from <dcnm-server-install-folder>\dcm\jboss-4.2.2.GA\server\fm\conf on the server machine to the .dcnm\certs folder (located in the user home directory) on the client machine. After the file is copied, rename it to truststore.

Step 3 When HTTPS is enabled, copy the fmserver.jks file from <dcnm-server-install-folder>\dcm\jboss-4.2.2.GA\server\fm\conf on the server machine to the .dcnm\certs folder (located in the user home directory) on the client machine. After the file is copied, rename it to truststore.

Step 4 When Cisco DCNM is installed on Microsoft Windows, locate the dcnm-wrapper.conf file under <dcnm-server-install-folder>\dcm\dcnm\config. In the dcnm-wrapper.conf file, replace

wrapper.java.additional.10="-Djavax.net.ssl.keyStore=../../jboss-4.2.2.GA/server/dcnm/conf/cert/keystore"
wrapper.java.additional.11="-Djavax.net.ssl.keyStorePassword=admin#1_2_3"

with

wrapper.java.additional.10="-Djavax.net.ssl.keyStore=../../jboss-4.2.2.GA/server/fm/conf/fmserver.jks"
wrapper.java.additional.11="-Djavax.net.ssl.keyStorePassword=fmserver_1_2_3"

 

When Cisco DCNM is installed on Linux, locate the dcnm-run.sh file under <dcnm-server-install-folder>/dcm/jboss-4.2.2.GA/bin. In the dcnm-run.sh file, replace

JAVA_OPTS="-Djavax.net.ssl.keyStore=$JBOSS_HOME/server/dcnm/conf/cert/keystore -Djavax.net.ssl.keyStorePassword=admin#1_2_3 $JAVA_OPTS"

 

with

JAVA_OPTS="-Djavax.net.ssl.keyStore=$JBOSS_HOME/server/fm/conf/fmserver.jks -Djavax.net.ssl.keyStorePassword=fmserver_1_2_3 $JAVA_OPTS"


 

Enabling Encrypted Client-Server Communications

You can enable TLS to encrypt client-server communications.

If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform this procedure on each server in the cluster.

DETAILED STEPS


Step 1 Stop the Cisco DCNM-LAN server. If you are enabling secure client communications on a server cluster, use the stop-dcnm-cluster script. For single-server deployments, do one of the following:

    • Microsoft Windows—Choose Start > All Programs > Cisco DCNM Server > Stop DCNM Server.
    • RHEL—Use the Stop_DCNM_Server script.

For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 5.x.

Step 2 In a text editor, open the jboss-service.xml file that is at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\ejb3.deployer\META-INF\jboss-service.xml

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the following section in the file. Verify that the section you find matches the following lines exactly.

<!--mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="InvokerLocator">sslsocket://${jboss.bind.address}:${cisco.dcnm.remoting.sslejbport:3843}</attribute>
<attribute name="Configuration">
<handlers>
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
</handlers>
</attribute>
</mbean-->
 

The section is commented out using the standard XML comment markers, <!-- and -->.

Step 4 Uncomment the section as follows:

a. From the first line of the section, remove the following three characters from before mbean:

!--
 

The changed line should read as follows:

<mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
 

b. From the last line of the section, remove the following two characters after mbean:

--
 

The changed line should read as follows:

</mbean>
 

Step 5 Find the following section in the file. Verify that the section you find matches the following lines exactly.

<mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="InvokerLocator">socket://${jboss.bind.address}:${cisco.dcnm.remoting.ejbport:3873}</attribute>
<attribute name="Configuration">
<handlers>
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
</handlers>
</attribute>
</mbean>

The section is not commented out. Use the standard XML comment markers to comment it out.

Step 6 Use the standard XML comment markers to comment out the section, as follows:

a. In the first line of the section, add the following three characters before mbean:

!--
 

The changed line should read as follows:

<!--mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
 

b. In the last line of the section, add the following two characters after mbean:

--
 

The changed line should read as follows:

</mbean-->

Step 7 Save and close the jboss-service.xml file.

Step 8 In a text editor, open the jboss-service.xml file that is at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\conf\jboss-service.xml


Note This is a different jboss-service.xml file than you opened in Step 2.


Step 9 Find the following section in the file.

cisco.dcnm.remoting.transport=socket
cisco.dcnm.remoting.port=3873
cisco.dcnm.remoting.ejbport=3873
cisco.dcnm.remoting.sslejbport=3843
cisco.dcnm.remoting.client.invokerDestructionDelay=0
 

The port numbers at the end of the last three lines may vary from this example, depending upon whether the default port numbers were changed during the Cisco DCNM-LAN server installation.

Step 10 Change the cisco.dcnm.remoting.transport value to sslsocket. The changed line should read as follows:

cisco.dcnm.remoting.transport=sslsocket
 

Step 11 Change the cisco.dcnm.remoting.port value to match the value specified for cisco.dcnm.remoting.sslejbport. For example, if the Cisco DCNM-LAN server is configured to use the default SSL port, the cisco.dcnm.remoting.sslejbport value is 3843 and the changed line would read as follows:

cisco.dcnm.remoting.port=3843
 

Step 12 Change the cisco.dcnm.remoting.client.invokerDestructionDelay value to 30000. The changed line should read as follows:

cisco.dcnm.remoting.client.invokerDestructionDelay=30000
 

Step 13 Save and close the jboss-service.xml file.

Step 14 Do one of the following:

    • If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.
    • If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 5.x.


 

Disabling Encrypted Client-Server Communications

You can disable secure client communications.

If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform the following steps on each server in the cluster.

DETAILED STEPS


Step 1 Stop the Cisco DCNM-LAN server. If you are disabling secure client communications on a server cluster, use the stop-dcnm-cluster script. For single-server deployments, do one of the following:

    • Microsoft Windows—Choose Start > All Programs > Cisco DCNM Server > Stop DCNM Server.
    • RHEL—Use the Stop_DCNM_Server script.

For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 5.x.

Step 2 In a text editor, open the jboss-service.xml file that is at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\ejb3.deployer\META-INF\jboss-service.xml

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the following section in the file. Verify that the section you find matches the following lines exactly.

<mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="InvokerLocator">sslsocket://${jboss.bind.address}:${cisco.dcnm.remoting.sslejbport:3843}</attribute>
<attribute name="Configuration">
<handlers>
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
</handlers>
</attribute>
</mbean>
 

The section is not commented out using the standard XML comment markers.

Step 4 Use the standard XML comment markers to comment out the section, as follows:

a. To the first line of the section, add the following three characters before mbean:

!--
 

The changed line should read as follows:

<!--mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
 

b. To the last line of the section, add the following two characters after mbean:

--
 

The changed line should read as follows:

</mbean-->
 

Step 5 Find the following section in the file. Verify that the section you find matches the following lines exactly.

<mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="InvokerLocator">socket://${jboss.bind.address}:${cisco.dcnm.remoting.ejbport:3873}</attribute>
<attribute name="Configuration">
<handlers>
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
</handlers>
</attribute>
</mbean>

The section is not commented out using the standard XML comment markers.

Step 6 Use the standard XML comment markers to comment out the section, as follows:

a. In the first line of the section, add the following three characters before mbean:

!--
 

The changed line should read as follows:

<!--mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
 

b. In the last line of the section, add the following two characters after mbean:

--
 

The changed line should read as follows:

</mbean-->
 

Step 7 Save and close the jboss-service.xml file.

Step 8 In a text editor, open the jboss-service.xml file that is at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\conf\jboss-service.xml


Note This is a different jboss-service.xml file than you opened in Step 2.


Step 9 Find the following section in the file.

cisco.dcnm.remoting.transport=sslsocket
cisco.dcnm.remoting.port=3843
cisco.dcnm.remoting.ejbport=3873
cisco.dcnm.remoting.sslejbport=3843
cisco.dcnm.remoting.client.invokerDestructionDelay=30000
 

The port numbers at the end of the last three lines may vary from this example, depending upon whether the default port numbers were changed during Cisco DCNM-LAN server installation.

Step 10 Change the cisco.dcnm.remoting.transport value to socket. The changed line should read as follows:

cisco.dcnm.remoting.transport=socket
 

Step 11 Change the cisco.dcnm.remoting.port value to match the value specified for cisco.dcnm.remoting.ejbport. For example, if the Cisco DCNM-LAN server is configured to use the default EJB port, the cisco.dcnm.remoting.ejbport value is 3873 and the changed line would read as follows:

cisco.dcnm.remoting.port=3873
 

Step 12 Change the cisco.dcnm.remoting.client.invokerDestructionDelay value to 0. The changed line should read as follows:

cisco.dcnm.remoting.client.invokerDestructionDelay=0
 

Step 13 Save and close the jboss-service.xml file.

Step 14 Do one of the following:

    • If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.
    • If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 5.x.
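
The enabling and disabling procedures above each edit two different jboss-service.xml files, and a half-applied change leaves the connector and the remoting properties out of step. The following Python check is an added example, not Cisco code: it reads both files and reports whether they describe the encrypted state, the unencrypted state, or an inconsistent mix. The function names, the `<server>` root element and the sample file contents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PROP_RE = re.compile(r"^\s*cisco\.dcnm\.remoting\.([\w.]+)\s*=\s*(\S+)\s*$", re.M)
SSL_LOC = "sslsocket://${jboss.bind.address}:${cisco.dcnm.remoting.sslejbport:3843}"
PLAIN_LOC = "socket://${jboss.bind.address}:${cisco.dcnm.remoting.ejbport:3873}"


def active_connectors(ejb3_xml):
    # ElementTree drops XML comments, so an mbean wrapped in <!-- ... --> is
    # absent from the parsed tree; only uncommented connectors are found.
    names = [m.get("name", "") for m in ET.fromstring(ejb3_xml).iter("mbean")]
    return {"ssl": any("transport=SslEjb3Connector" in n for n in names),
            "plain": any("name=DefaultEjb3Connector" in n for n in names)}


def remoting_properties(conf_xml):
    # Collect the cisco.dcnm.remoting.* key=value lines (Step 9).
    return dict(PROP_RE.findall(conf_xml))


def audit(ejb3_xml, conf_xml):
    """Return (state, problems); state is encrypted, unencrypted or inconsistent."""
    conn = active_connectors(ejb3_xml)
    props = remoting_properties(conf_xml)
    if conn["ssl"] == conn["plain"]:
        which = "both connectors are" if conn["ssl"] else "neither connector is"
        return "inconsistent", [f"{which} active; exactly one must be uncommented"]
    if conn["ssl"]:  # values from Steps 10-12 of the enabling procedure
        mode, want = "encrypted", {"transport": "sslsocket",
                                   "port": props.get("sslejbport"),
                                   "client.invokerDestructionDelay": "30000"}
    else:  # values from Steps 10-12 of the disabling procedure
        mode, want = "unencrypted", {"transport": "socket",
                                     "port": props.get("ejbport"),
                                     "client.invokerDestructionDelay": "0"}
    problems = [f"cisco.dcnm.remoting.{k} is {props.get(k)!r}, expected {v!r}"
                for k, v in want.items() if props.get(k) != v]
    return ("inconsistent", problems) if problems else (mode, [])


# Constructed sample files: the <server> root and file layout are assumptions.
def _mbean(name_part, locator, commented):
    start, end = ("<!--mbean", "</mbean-->") if commented else ("<mbean", "</mbean>")
    return (f'{start} code="org.jboss.remoting.transport.Connector" '
            f'name="jboss.remoting:type=Connector,{name_part},handler=ejb3">\n'
            f'<attribute name="InvokerLocator">{locator}</attribute>\n{end}\n')


def sample_ejb3(ssl_commented, plain_commented):
    return ("<server>\n"
            + _mbean("transport=SslEjb3Connector", SSL_LOC, ssl_commented)
            + _mbean("name=DefaultEjb3Connector", PLAIN_LOC, plain_commented)
            + "</server>")


def sample_conf(transport, port, delay):
    return (f"cisco.dcnm.remoting.transport={transport}\n"
            f"cisco.dcnm.remoting.port={port}\n"
            "cisco.dcnm.remoting.ejbport=3873\n"
            "cisco.dcnm.remoting.sslejbport=3843\n"
            f"cisco.dcnm.remoting.client.invokerDestructionDelay={delay}\n")


if __name__ == "__main__":
    # SSL connector uncommented, but the properties were never updated.
    state, problems = audit(sample_ejb3(False, True), sample_conf("socket", 3873, 0))
    print(state)
    for p in problems:
        print(" -", p)
```

On a real server, pass the contents of the two files from Step 2 and Step 8 to `audit()` on each cluster member before starting the servers.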


 

Specifying a Secondary Server Bind Port

You can configure a Cisco DCNM-LAN server to use a specific secondary server bind port.

If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform this procedure on each server in the cluster.

DETAILED STEPS


Step 1 Stop the Cisco DCNM-LAN server. If you are enabling secure client communications on a server cluster, use the stop-dcnm-cluster script. For single-server deployments, do one of the following:

    • Microsoft Windows—Choose Start > All Programs > Cisco DCNM Server > Stop DCNM Server.
    • RHEL—Use the Stop_DCNM_Server script.

For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 5.x.

Step 2 In a text editor, open the remoting-bisocket-service.xml file that is at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\jboss-messaging.sar\remoting-bisocket-service.xml

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the following section in the file. Verify that the section you find includes the secondaryBindPort line.

<!-- Use these parameters to specify values for binding and connecting control connections to work with your firewall/NAT configuration
<attribute name="secondaryBindPort">48227</attribute>
<attribute name="secondaryConnectPort">48227</attribute>
-->
 

By default, the section is commented out using the standard XML comment markers, <!-- and -->.

If you have previously specified a secondary server bind port, the section is not commented out.

Step 4 If the section is commented out, uncomment the secondaryBindPort line, as follows:

a. At the end of the second line of the section, add the following three characters after configuration:

-->
 

The changed line should read as follows:

to work with your firewall/NAT configuration-->
 

b. At the beginning of the fourth line of the section, add the following four characters:

<!--
 

The changed line should read as follows:

<!--<attribute name="secondaryConnectPort">48227</attribute>
 

After you uncomment the section, it should read as follows:

<!-- Use these parameters to specify values for binding and connecting control connections to work with your firewall/NAT configuration-->
<attribute name="secondaryBindPort">48227</attribute>
<!--<attribute name="secondaryConnectPort">48227</attribute>
-->
 

Step 5 In the secondaryBindPort line, specify a port number between the opening and closing attribute elements. For example, if you want to specify port 47900, the secondaryBindPort line should read as follows:

<attribute name="secondaryBindPort">47900</attribute>
 

Step 6 Save and close the remoting-bisocket-service.xml file.

Step 7 Do one of the following:

    • If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.
    • If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 5.x.


 

Configuring SMTP Servers

This section describes how to configure Cisco Data Center Network Manager for LAN (DCNM-LAN) servers to use SMTP servers.

This section includes the following topics:

Information About SMTP Servers

The Cisco DCNM-LAN client supports a feature where you can specify rising or falling threshold rules for sample variables in collected statistical data. When one of these thresholds has been crossed, you can specify that an e-mail alert be sent. The Cisco DCNM-LAN server can be configured to send e-mail to an SMTP server.

Configuring for SMTP Servers

Cisco DCNM-LAN servers are configured to use SMTP servers by setting a property value.

DETAILED STEPS


Step 1 Stop the Cisco DCNM-LAN server. If you are enabling SMTP communications on a server cluster, use the stop-dcnm-cluster script. For single-server deployments, do one of the following:

    • Microsoft Windows—Choose Start > All Programs > Cisco DCNM Server > Stop DCNM Server.
    • RHEL—Use the Stop_DCNM_Server script.

For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 5.x.

Step 2 In a text editor, open the mail-service.xml file at the following location:

INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\mail-service.xml

where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.

Step 3 Find the mail.smtp.host property value and modify it to specify the SMTP gateway server.

For example:

<!-- Specify the SMTP gateway server -->
<property name="mail.smtp.host" value="smtp.nosuchhost.nosuchdomain.com"/>
 

Step 4 Save and close the mail-service.xml file.

Step 5 Do one of the following:

    • If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server first. Allow at least one minute between starting each server.
    • If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.

For more information about starting a single Cisco DCNM-LAN or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 5.x.