Table Of Contents
Configuring System Operations
Understanding Distributed Deployment
Activating Secondary Servers
Removing Secondary Servers
Promoting a Secondary Server
Understanding Local Mode
Understanding Full replication
Specifying a Hardware Replacement
Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups
Backing Up Primary and Secondary Instances
Synchronizing Primary and Secondary Instances After Backup and Restore
Editing Instances
Viewing and Editing a Primary Instance
Viewing and Editing a Secondary Instance
Deleting a Secondary Instance
Activating a Secondary Instance
Registering a Secondary Instance to a Primary Instance
Deregistering Secondary Instances from the Distributed System Management Page
Deregistering a Secondary Instance from the Deployment Operations Page
Promoting a Secondary Instance from the Distributed System Management Page
Promoting a Secondary Instance from the Deployment Operations Page
Replicating a Secondary Instance from a Primary Instance
Replicating a Secondary Instance from the Distributed System Management Page
Replicating a Secondary Instance from the Deployment Operations Page
Using the Deployment Operations Page to Create a Local Mode Instance
Understanding Software Updates
Creating, Duplicating, Editing, and Deleting Software Repositories
Creating, Duplicating, Editing, and Deleting a Software File or Patch
Applying Local Software Updates
Applying a Software Update to the ACS Instance
Managing Software Repositories from the Web Interface and CLI
Configuring System Operations
You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents ACS software that runs on a network. An ACS deployment may consist of a single instance, or multiple instances deployed in a distributed manner, where all instances in a system are managed centrally. All instances in a system will have an identical configuration.
Use the Distributed System Management page to manage all the instances in a deployment. You can only manage instances from the primary instance. You can invoke the Deployment Operations page from any instance in the deployment but it only controls the operations on the local server.
Note: You can register any primary instance or any secondary instance to another primary instance; however, the primary instance you wish to register cannot have any secondary instances registered to it.
The primary instance, created as part of the installation process, centralizes the configuration of the registered secondary instances. Configuration changes made in the primary instance are automatically replicated to the secondary instance. You can force a full replication to the secondary instance if configuration changes do not replicate to the secondary instance.
Related Topics
• Understanding Distributed Deployment
• Understanding Software Updates
Understanding Distributed Deployment
You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server and all the other servers are secondary servers. In general, you make configuration changes on the primary server only, and the changes are propagated to all secondary servers, which can then view the configuration data as read-only data. A small number of configuration changes can be performed on a secondary server, including configuration of the server certificate, and these changes remain local to the server.
Secondary servers do not know the status of other secondary servers. However, a low-level communication is required and traffic should be allowed between secondary servers in an ACS distributed server domain.
ACS allows you to deploy an ACS instance behind a firewall. Table 17-1 lists the ports that must be open on the firewall for you to access ACS through the various management interfaces.
Table 17-1 Ports to Open in Firewalls
Service | Port
ACS Web Interface/Web Service | 443
Database replication | TCP 2638
RADIUS server | 1812 and 1645 (RADIUS authentication and authorization); 1813 and 1646 (RADIUS accounting)
  If your RADIUS server uses port 1812, ensure that your PIX firewall software is version 6.0 or later. Then, issue the following command to use port 1812:
  aaa-server radius-authport 1812
Replication over the Message Bus | TCP 61616
RMI | TCP 2020 (for RMI registry service); TCP 2030 (for incoming calls)
SNMP (for request) | UDP 161
SNMP (for notifications) | UDP 162
SSH | 22
TACACS+ server | TCP 49
View Collector | UDP 20514
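The following added example (not part of the Cisco documentation) audits a set of firewall allow-rules against the ports in Table 17-1: it reports replication flows between ACS nodes that no rule permits, replication ports opened to sources other than ACS nodes, and rules that open a port on an ACS node that the table does not list. The rule syntax, the node addresses, and the policy that the replication ports (TCP 2638 and TCP 61616) should be reachable only between ACS nodes are assumptions made for illustration.

```python
import ipaddress
import re
from itertools import permutations

# (protocol, port) -> service, transcribed from Table 17-1. The table gives no
# transport for 443, 22 or the RADIUS ports; TCP, TCP and UDP are assumed here
# because those are the standard transports for HTTPS, SSH and RADIUS.
ACS_PORTS = {
    ("tcp", 443): "ACS Web Interface/Web Service",
    ("tcp", 2638): "Database replication",
    ("udp", 1812): "RADIUS authentication and authorization",
    ("udp", 1645): "RADIUS authentication and authorization",
    ("udp", 1813): "RADIUS accounting",
    ("udp", 1646): "RADIUS accounting",
    ("tcp", 61616): "Replication over the Message Bus",
    ("tcp", 2020): "RMI registry service",
    ("tcp", 2030): "RMI incoming calls",
    ("udp", 161): "SNMP (for request)",
    ("udp", 162): "SNMP (for notifications)",
    ("tcp", 22): "SSH",
    ("tcp", 49): "TACACS+ server",
    ("udp", 20514): "View Collector",
}

# Policy assumption (not stated on the page): both replication ports must be
# open between every pair of ACS nodes, because any secondary can be promoted
# to primary, and they should not be reachable from any other source.
REPLICATION = [("tcp", 2638), ("tcp", 61616)]

# Hypothetical rule syntax: allow <proto> <src-cidr> -> <dst-cidr> <port>
RULE_RE = re.compile(r"allow\s+(tcp|udp)\s+(\S+)\s+->\s+(\S+)\s+(\d+)$")

# Constructed sample data: one primary (.11) and two secondaries (.12, .13).
SAMPLE_NODES = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
SAMPLE_RULES = """
allow tcp 192.0.2.12/32 -> 192.0.2.11/32 61616
allow tcp 192.0.2.11/32 -> 192.0.2.12/32 61616
allow tcp 192.0.2.13/32 -> 192.0.2.11/32 61616
allow tcp 192.0.2.11/32 -> 192.0.2.13/32 61616
allow tcp 192.0.2.0/24 -> 192.0.2.0/24 2638
allow tcp 0.0.0.0/0 -> 192.0.2.11/32 443
allow tcp 0.0.0.0/0 -> 192.0.2.11/32 8080
"""


def parse_rules(text):
    """Parse rule lines into (raw, proto, src_net, dst_net, port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable rule: {line!r}")
        proto, src, dst, port = match.groups()
        rules.append((line, proto, ipaddress.ip_network(src),
                      ipaddress.ip_network(dst), int(port)))
    return rules


def audit(rules, nodes):
    """Compare allow-rules with Table 17-1 for the given ACS node addresses."""
    nodes = [ipaddress.ip_address(n) for n in nodes]
    findings = {"missing": [], "overexposed": [], "not_in_table": []}

    # 1. Every ordered pair of nodes needs both replication ports permitted.
    for src, dst in permutations(nodes, 2):
        for proto, port in REPLICATION:
            permitted = any(
                p == proto and pt == port and src in s and dst in d
                for _, p, s, d, pt in rules
            )
            if not permitted:
                findings["missing"].append((str(src), str(dst), proto, port))

    # 2. Inspect each rule that can reach an ACS node.
    for raw, proto, s, d, port in rules:
        if not any(n in d for n in nodes):
            continue
        if (proto, port) not in ACS_PORTS:
            # Port is open towards ACS but is not one the table calls for.
            findings["not_in_table"].append(raw)
        elif (proto, port) in REPLICATION:
            # Source range is wider than the ACS nodes it contains.
            if s.num_addresses > sum(n in s for n in nodes):
                findings["overexposed"].append(raw)
    return findings


if __name__ == "__main__":
    for kind, items in audit(parse_rules(SAMPLE_RULES), SAMPLE_NODES).items():
        for item in items:
            print(kind, item)
```

On the sample data the audit shows that the two secondaries cannot reach each other on TCP 61616, and that the database replication port is open to the whole subnet rather than to the three nodes.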
The Distributed System Management page can be used to monitor the status of the servers in a deployment and perform operations on the servers.
Related Topics
• Activating Secondary Servers
• Removing Secondary Servers
• Promoting a Secondary Server
• Understanding Local Mode
• Understanding Full replication
• Specifying a Hardware Replacement
Activating Secondary Servers
To add a server to a deployment, you must perform two steps:
1. From the secondary server, issue a request to register on the primary server by selecting the Deployment Operations option.
2. Activate the secondary instance on the primary server. You must activate the secondary instance on the primary instance in order for the secondary instance to receive configuration information; this provides a mechanism of admission control. However, there is an option to automatically activate newly added secondary instances, rather than performing a manual activation request.
Related Topics
• Removing Secondary Servers
• Promoting a Secondary Server
• Understanding Local Mode
• Understanding Full replication
• Specifying a Hardware Replacement
Removing Secondary Servers
To permanently remove a secondary server from a deployment, you must first deregister the secondary server and then delete it from the primary. You can make the request to deregister a server from either the secondary server to be deregistered or from the primary server.
Related Topics
• Activating Secondary Servers
• Understanding Distributed Deployment
Promoting a Secondary Server
Only one server can function as the primary server. However, you can promote a secondary server so that it assumes the primary role for all servers in the deployment. The promotion operation is performed either on the secondary server that is to assume the primary role or on the primary server.
Note: When the primary server is down, do not simultaneously promote two secondary servers.
Related Topics
• Activating Secondary Servers
• Removing Secondary Servers
• Understanding Local Mode
• Understanding Full replication
Understanding Local Mode
You can use the Local Mode option in the following cases:
• If the primary server is unreachable from a secondary server (for example, there is a network disconnection) and a configuration change must be made to a secondary server, you can specify that the secondary server go into Local Mode.
• If you want to perform some configuration changes on a trial basis that would apply to only one server and not impact all the servers in your deployment, you can specify that one of your secondary servers go into Local Mode.
In Local Mode, you can make changes to a single ACS instance through the local web interface, and the changes take effect on that instance only. The Configuration Audit Report available in the Monitoring & Report Viewer has an option to report only those configuration changes that were made in the local mode. You can generate this report to record the changes that you made to the secondary server in Local Mode. For more information on reports and how to generate them from ACS, see Chapter 13 "Managing Reports".
When the connection to the primary server resumes, you can reconnect the disconnected secondary instance in Local Mode to the primary server. From the secondary instance in Local Mode, you specify the Admin username and password to reconnect to the primary instance. All configuration changes made while the secondary server was in Local Mode are lost.
Related Topics
• Activating Secondary Servers
• Understanding Full replication
Understanding Full replication
Under normal circumstances, each configuration change is propagated to all secondary instances. Unlike ACS 4.x where full replication was performed, in ACS 5.1, only the specific changes are propagated. As configuration changes are performed, the administrator can monitor (on the Distributed System Management page) the status of the replication and the last replication ID to ensure the secondary server is up to date.
If configuration changes are not being replicated as expected, the administrator can request a full replication to the server. When you request full replication, the full set of configuration data is transferred to the secondary server to ensure the configuration data on the secondary server is resynchronized.
Note: Replication on the Message Bus happens over TCP port 61616. Full replication happens over the Sybase DB TCP port 2638.
Related Topics
• Activating Secondary Servers
• Promoting a Secondary Server
• Understanding Local Mode
Specifying a Hardware Replacement
You can perform a hardware replacement to allow new or existing ACS instance hardware to re-register to a primary server and take over an existing configuration already present in the primary server. This is useful when an ACS instance fails and needs physical replacement. There are three steps required to perform the hardware replacement procedure:
1. From the web interface of the primary instance, you must mark the server to be replaced as deregistered.
2. From the secondary server, register to the primary server. In addition to the standard admin credentials for connecting to the primary server (username/password), you must specify the replacement keyword used to identify the configuration in the primary server. The keyword is the hostname of the instance that is to be replaced.
3. You must activate the secondary server on the primary, either automatically or by issuing a manual request.
Related Topics
• Viewing and Editing a Primary Instance
• Viewing and Editing a Secondary Instance
• Activating a Secondary Instance
• Registering a Secondary Instance to a Primary Instance
• Deregistering Secondary Instances from the Distributed System Management Page
• Promoting a Secondary Instance from the Distributed System Management Page
• Using the Deployment Operations Page to Create a Local Mode Instance
Scheduled Backups
You can schedule backups to be run at periodic intervals. You can schedule backups from the primary web interface or through the local CLI. The Scheduled Backups feature backs up ACS configuration data.
Note: You cannot back up data from an earlier version of ACS and restore it to a later version. Backup and restore must be performed on the same version of ACS. If you need the data on a different version of the ACS, you can perform an upgrade after you restore the data. Refer to the Installation and Setup Guide for Cisco Secure Access Control System 5.1 for more information on upgrading ACS to later versions.
Related Topic
• Creating, Duplicating, and Editing Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups
You can create a scheduled backup only for the primary instance. To create, duplicate, or edit a scheduled backup:
Step 1. Choose System Administration > Operations > Scheduled Backups.
The Scheduled Backups page appears. Table 17-2 describes the fields listed in the Scheduled Backups page.
Table 17-2 Scheduled Backups Page
Option | Description
Backup Data: Filename created by backup includes a time stamp and file type information appended to the prefix entered.
Filename Prefix | Enter a filename prefix to which ACS appends the backup time stamp. For example, if you enter ACSBackup as the filename prefix and backup is run on June 05, 2009 at 20:37 hours, then ACS creates the backup file ACSBackup-090506-2037.tar.gpg.
Repository | Click Select to open the Software Update and Backup Repositories dialog box, from which you can select the appropriate repository in which to store the backup file.
Schedule Options
Time of Day | Choose the time of the day at which you want ACS to back up the ACS configuration data. Backups can be scheduled on a daily, weekly, or monthly basis.
  • Daily—Choose this option for ACS to back up the ACS configuration data at the specified time every day.
  • Weekly—Choose this option and specify the day of the week on which you want ACS to back up the ACS configuration data every week.
  • Monthly—Choose this option and specify the day of the month on which you want ACS to back up the ACS configuration data every month.
Step 2. Click Submit to schedule the backup.
Related Topic
• Backing Up Primary and Secondary Instances
Backing Up Primary and Secondary Instances
ACS provides you the option to back up the primary and secondary instances at any time apart from the regular scheduled backups. For a primary instance, you can back up the following:
• ACS configuration data only
• ACS configuration data and ADE-OS configuration data
Note: For secondary instances, ACS only backs up the ADE-OS configuration data.
To run an immediate backup:
Step 1. Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2. From the Primary Instance table or the Secondary Instances table, select the instance that you want to back up.
Note: You can select only one primary instance, but many secondary instances for a backup.
Step 3. Click Backup.
The Distributed System Management - Backup page appears with the fields described in Table 17-3.
Table 17-3 Distributed System Management - Backup Page
Option | Description
Backup Data: Filename created by backup includes a time stamp and file type information appended to the prefix entered.
Filename Prefix | Enter a filename prefix to which ACS appends the backup time stamp. For example, if you enter ACSBackup as the filename prefix and backup is run on June 05, 2009 at 20:37 hours, then ACS creates the backup file ACSBackup-090506-2037.tar.gpg.
Repository | Click Select to open the Software Update and Backup Repositories dialog box, from which you can select the appropriate repository in which to store the backup file.
Backup Options (only applicable for primary instances)
ACS Configuration Backup | Click this option if you want to back up only the ACS configuration data.
ACS Configuration and ADE-OS Backup | Click this option if you want to back up both the ACS configuration data and the ADE-OS configuration data.
Step 4. Click Submit to run the backup immediately.
Related Topic
• Scheduled Backups
Synchronizing Primary and Secondary Instances After Backup and Restore
When you specify that a system backup is restored on a primary instance, the secondary instance is not updated to the newly restored database that is present on the primary instance.
To make sure the secondary instance is updated, from the secondary instance, you need to request a hardware replacement to rejoin the restored primary instance. First, you must deregister the secondary instance from the primary instance. From the web interface of the secondary instance, choose System Administration > Operations > Local Operations > Deployment Operations, then click Deregister from Primary. After this step, you can perform the hardware replacement of the secondary instance to the primary instance again by choosing System Administration > Operations > Local Operations > Deployment Operations; then specify the primary hostname or IP address and the admin credential, select Hardware Replacement, specify the hostname of the secondary instance, and click Register to Primary.
Editing Instances
When you choose System Administration > Operations > Distributed System Management, you can edit either the primary or secondary instance. You can take a backup of primary and secondary instances. The Distributed System Management page allows you to do the following:
• Viewing and Editing a Primary Instance
• Viewing and Editing a Secondary Instance
• Backing Up Primary and Secondary Instances
• Synchronizing Primary and Secondary Instances After Backup and Restore
Viewing and Editing a Primary Instance
Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To edit a primary instance:
Step 1. Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
• Primary Instance table—Shows the primary instance.
  Note: The primary instance is created as part of the installation process.
• Secondary Instances table—Shows a listing and the status of the secondary instances. See Viewing and Editing a Secondary Instance for more information.
The Distributed System Management Page displays the information described in Table 17-4:
Table 17-4 Distributed System Management Page
Option | Description
Primary Instance
Name | The hostname of the primary instance.
IP Address | The IP address of the primary instance.
Online Status | Indicates if the primary instance is online or offline. A check mark indicates that the primary instance is online; x indicates that the primary instance is offline.
Replication ID | The transaction ID that identifies the last configuration change on the primary instance. This value increases by 1 for every configuration change. Valid values are 1 to infinity.
Last Update | Time stamp of the last database configuration change. The time stamp is in the form hh:mm dd:mm:yyyy.
Version | The current version of the ACS software running on the primary ACS instance. Valid values can be the version string or, if a software upgrade is initiated, Upgrade in progress.
Description | A description of the primary instance.
Edit | Select the primary instance and click this button to edit the primary instance.
Backup | Select the primary instance and click this button to back up the primary instance. See Backing Up Primary and Secondary Instances for more information.
Secondary Instances
Name | The hostname of the secondary instance.
IP Address | The IP address of the secondary instance.
Online Status | Indicates if the secondary instance is online or offline. A check mark indicates that the secondary instance is online; x indicates that the secondary instance is offline.
Replication Status | Replication status values are:
  • UPDATED—Replication is complete on the secondary instance. Both Management and Runtime services are current with configuration changes from the primary instance.
  • PENDING—Request for full replication has been initiated or the configuration changes made on the primary have not yet been propagated to the secondary.
  • REPLICATING—Replication from the primary to the secondary is processing.
  • LOCAL MODE—The secondary instance does not receive replication updates from the deployment and maintains its own local configuration.
  • DEREGISTERED—The secondary instance is deregistered from the primary instance and is not part of the deployment.
  • INACTIVE—The secondary instance is inactive. You must select this instance and click Activate to activate this instance.
  • N/A—No replication on primary instance.
Replication Time | Time stamp of the last replication. The time stamp is in the form hh:mm dd:mm:yyyy.
Version | The current version of the ACS software running on the secondary ACS instance. Valid values can be the version string or, if a software upgrade is initiated, Upgrade in progress.
Description | A description of the secondary instance.
Edit | Select the secondary instance that you want to edit and click this button to edit it.
Delete | Select the secondary instance that you want to delete and click this button to delete it.
Activate | If the option to auto-activate the newly registered secondary instance is disabled, the secondary is initially placed in the inactive state. Click Activate to activate these inactive secondary instances.
Deregister | Disconnects the secondary instance from the primary instance. Stops the secondary instance from receiving configuration updates from the primary instance. Deregistration restarts the deregistered node.
  Note: When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.
Promote | Requests to promote a secondary instance to the primary instance. All updates to the current primary instance are stopped so that all replication updates can complete. The secondary instance gets primary control of the configuration when the replication updates complete.
  Note: The secondary instance must be active before you can promote it to the primary instance.
Full Replication | Replicates the primary instance's database configuration for the secondary instance. ACS is restarted.
  Note: When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.
Backup | Select the secondary instance that you want to back up and click this button to take a backup. See Backing Up Primary and Secondary Instances for more information.
Step 2. From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit.
Step 3. Complete the fields in the Distributed System Management Properties page as described in Table 17-5:
Table 17-5 Distributed System Management Properties Page
Option | Description
Instance Data
Hostname | The name of the ACS host machine.
Launch Session for Local GUI | Click this button to launch a new instance of the selected ACS machine. You are required to log in to the primary or secondary instance.
  Note: This option appears only when you view or edit another instance.
Role | Specifies a primary or secondary instance or Local.
IP Address | The IP address of the primary or secondary instance.
Port | The port for Management service.
MAC Address | MAC address for the instance.
Description | A description of the primary or secondary instance.
Check Secondary Every (only applies for primary instance) | The rate at which the primary instance sends a heartbeat status request to the secondary instance. The default value is 60 seconds. The minimum value is 30 seconds and the maximum value is 30 minutes.
Statistics Polling Period (only applies for primary instance) | The rate at which the primary instance polls the secondary instance for statistical and logging information. The default value is 60 seconds. The minimum value is 60 seconds; however, you can specify a value of 0 which indicates to turn off polling and logging. The maximum value is 30 minutes.
Enable Auto Activation for Newly Registered Instances (only applies for primary instance) | Check this check box to automatically activate the registered secondary instance.
Instance Status
Status | Indicates if the primary instance or secondary instance is online or offline.
Version | The current version of the ACS software.
Replication Status (only applies for secondary instances) | Replication status values are:
  • UPDATED—Replication is complete on ACS instance. Both management and runtime services are current with configuration changes from the primary instance.
  • PENDING—Request for full replication has been initiated.
  • REPLICATING—Replication from the primary to the secondary is processing.
  • DEREGISTERED—Deregistered the secondary instance from the primary.
  • N/A—No replication on primary instance.
Last Update Time (only applies for primary instance) | Time stamp of the last database configuration change. The time stamp is in the form hh:mm dd:mm:yyyy.
Last Replication Time (only applies for secondary instances) | Time stamp of the last replication. The time stamp is in the form hh:mm dd:mm:yyyy.
Last Replication ID (only applies for primary instance) | The transaction ID that identifies the last configuration change on the secondary instances. This value increases by 1 for every configuration change. Valid values are 1 to infinity.
Primary Replication ID (only applies for secondary instances) | The transaction ID that identifies the last configuration change on the primary instance. This value increases by 1 for every configuration change. Valid values are 1 to infinity.
Step 4. Click Submit.
The Primary Instance table on the Distributed System Management page appears with the edited primary instance.
Related Topics
• Replicating a Secondary Instance from a Primary Instance
• Viewing and Editing a Secondary Instance
Viewing and Editing a Secondary Instance
Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To edit a secondary instance:
Step 1. Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
• Primary Instance table—Shows the primary instance.
• Secondary Instances table—Shows a listing and the status of the secondary instances registered to the primary instance.
See Table 17-4 to view column definitions.
Step 2. From the Secondary Instances table, click the secondary instance that you want to modify; or, check the check box for the Name and click Edit.
Step 3. Complete the fields in the Distributed System Management Properties page as described in Table 17-5.
Step 4. Click Submit.
The Secondary Instances table on the Distributed System Management page appears with the edited secondary instance.
Related Topics
• Editing Instances
• Viewing and Editing a Primary Instance
Deleting a Secondary Instance
Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To delete a secondary instance:
Step 1. Choose System Administration > Operations > Distributed System Management.
The Secondary Instances table on the Distributed System Management page appears with a list of secondary instances.
Step 2. Deregister the secondary instance you wish to delete. Refer to Deregistering Secondary Instances from the Distributed System Management Page.
Step 3. Check one or more check boxes next to the secondary instances that you want to delete.
Step 4. Click Delete.
The following warning message appears:
Are you sure you want to delete the selected item/items?
Step 5. Click OK.
The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instance(s).
Activating a Secondary Instance
Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To activate a secondary instance:
Step 1. Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
• Primary Instance table—Shows the primary instance.
• Secondary Instances table—Shows a listing and the status of the secondary instances registered to the primary instance.
See Table 17-4 to view column descriptions.
Step 2. From the Secondary Instances table, check the check box next to the secondary instances that you want to activate.
Step 3. Click Activate.
Step 4. The Secondary Instances table on the Distributed System Management page appears with the activated secondary instance. See Table 17-5 for valid field options.
Related Topics
• Viewing and Editing a Secondary Instance
• Deleting a Secondary Instance
• Replicating a Secondary Instance from a Primary Instance
• Registering a Secondary Instance to a Primary Instance
• Deregistering a Secondary Instance from the Deployment Operations Page
• Promoting a Secondary Instance from the Distributed System Management Page
• Using the Deployment Operations Page to Create a Local Mode Instance
Registering a Secondary Instance to a Primary Instance
Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To register a secondary instance to a primary instance:
Step 1. Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears, displaying the information described in Table 17-6:
Table 17-6 System Operations: Deployment Operations Page
Option | Description
Instance Status
Current Status | Identifies the instance of the node you log into as primary or secondary, and identifies whether you are running in local mode.
Primary Instance | The hostname of the primary instance.
Primary IP | The IP address of the primary instance.
Registration (only active for an instance not running in Local Mode)
Primary Instance | The hostname of the primary server that you wish to register with the secondary instance.
Admin Username | Username of an administrator account.
Admin Password | The password for the administrator's account.
Hardware Replacement | Check to enable a new or existing ACS instance hardware to re-register to a primary instance and acquire the existing configuration already present in the primary instance. This is useful when an instance fails and needs physical replacement.
Recovery Keyword | The name of the instance that is to be replaced. This value is the hostname of the system that is being replaced. After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.
Register to Primary | Connects to the remote primary and registers the secondary instance to the primary instance.
Backup
Backup | Backs up the current instance.
Local Mode
Admin Username | Username of an administrator account.
Admin Password | The password for the administrator's account.
Reconnect (Note: This option appears only on the local mode node and prompts you for credentials.) | Click Reconnect to reconnect to the primary instance.
  Once you reconnect to the primary instance, you lose the configuration changes that you have made to the local secondary instance.
  If you want to retain the configuration changes that you have made to the local secondary instance, you must:
  1. Deregister the local secondary instance (this instance would become your new primary).
  2. Deregister all the instances from the deployment.
  3. Register all the instances to the new primary, whose configuration changes you want to retain.
Request Local Mode (Note: This option appears only on a registered secondary page.) | Request to place the secondary instance in local mode. This enables administrators to make configuration changes only to this instance. Any changes made to the secondary instance are not automatically updated when you reconnect to the primary instance. You must manually enter your changes for the secondary instance.
Deregistration
Deregister from Primary | Deregisters the secondary from the primary instance. The secondary instance retains the database configuration from when it was deregistered. All nodes are marked as deregistered and inactive, and the secondary instance becomes the primary instance.
  Note: When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.
Promotion
Promote to Primary | Request to promote a secondary instance to primary instance. All updates to the current primary instance are stopped so that all replication updates can complete. The secondary instance gets primary control of the configuration when the replication updates complete.
Replication
Force Full Replication | Replicates the primary instance's database configuration for the secondary instance.
  Note: When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.
Step 2
Specify the appropriate values in the Registration section.
Step 3
Click Register to Primary.
The system displays the following warning message:
This operation will register this ACS Instance as a secondary to the specified Primary Instance. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 4
Click OK.
Note When you register a secondary to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance are applied to the secondary instance.
Step 5
Log in to the ACS machine after restart.
Step 6
Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears with the secondary instance registered to the primary instance.
Deregistering Secondary Instances from the Distributed System Management Page
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To deregister secondary instances from the Distributed System Management page:
Step 1
Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2
From the Secondary Instances table, check one of the check boxes next to the secondary instances that you want to deregister.
Step 3
Click Deregister.
The system displays the following warning message:
This operation will deregister this server as a secondary with the primary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 4
Click OK.
Step 5
Log in to the ACS machine.
Step 6
Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with the secondary instance deregistered from the primary instance.
Related Topics
• Viewing and Editing a Secondary Instance
• Deleting a Secondary Instance
• Activating a Secondary Instance
• Deregistering a Secondary Instance from the Deployment Operations Page
• Promoting a Secondary Instance from the Distributed System Management Page
• Using the Deployment Operations Page to Create a Local Mode Instance
Deregistering a Secondary Instance from the Deployment Operations Page
Note In this case, the secondary instance is the local machine you are logged in to.
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To deregister a secondary instance from the Deployment Operations page:
Step 1
Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears with the secondary instance that you are logged in to. See Table 17-6 for valid field options.
Step 2
Click Deregister from Primary.
The system displays the following warning message:
This operation will deregister this server as a secondary with the primary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 3
Click OK.
Step 4
Log in to the ACS machine.
Step 5
Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears with the secondary instance you were logged in to deregistered from the primary instance.
Related Topics
• Viewing and Editing a Secondary Instance
• Deleting a Secondary Instance
• Activating a Secondary Instance
• Deregistering Secondary Instances from the Distributed System Management Page
• Promoting a Secondary Instance from the Distributed System Management Page
• Using the Deployment Operations Page to Create a Local Mode Instance
Promoting a Secondary Instance from the Distributed System Management Page
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To promote a secondary instance to a primary instance from the Distributed System Management page:
Step 1
Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. See Table 17-4 for valid field options.
Step 2
From the Secondary Instances table, check the box next to the secondary instance that you want to promote to a primary instance.
Step 3
Click Promote.
The Distributed System Management page appears with the promoted instance.
Related Topics
• Viewing and Editing a Secondary Instance
• Deleting a Secondary Instance
• Activating a Secondary Instance
• Deregistering Secondary Instances from the Distributed System Management Page
• Using the Deployment Operations Page to Create a Local Mode Instance
Promoting a Secondary Instance from the Deployment Operations Page
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To promote a secondary instance to a primary instance from the Deployment Operations page:
Step 1
Choose System Administration > Operations > Distributed System Management.
The Deployment Operations page appears. See Table 17-6 for valid field options.
Step 2
Register the secondary instance to the primary instance. See Registering a Secondary Instance to a Primary Instance.
Step 3
Choose System Administration > Operations > Distributed System Management.
The Deployment Operations page appears.
Step 4
Check the box next to the secondary instance that you want to promote to a primary instance.
Step 5
Click Promote to Primary.
The Distributed System Management page appears with the promoted instance.
Related Topics
• Viewing and Editing a Secondary Instance
• Deleting a Secondary Instance
• Replicating a Secondary Instance from a Primary Instance
• Activating a Secondary Instance
• Deregistering Secondary Instances from the Distributed System Management Page
• Promoting a Secondary Instance from the Distributed System Management Page
• Using the Deployment Operations Page to Create a Local Mode Instance
Replicating a Secondary Instance from a Primary Instance
You can use two different pages to replicate a secondary instance:
• Replicating a Secondary Instance from the Distributed System Management Page
• Replicating a Secondary Instance from the Deployment Operations Page
Replicating a Secondary Instance from the Distributed System Management Page
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
Note All ACS appliances must be in sync with the AD domain clock.
To replicate a secondary instance:
Step 1
Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2
From the Secondary Instances table, check one of the check boxes next to the secondary instances that you want to replicate.
Step 3
Click Full Replication.
The system displays the following warning message:
This operation will force a full replication for this secondary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 4
Click OK.
Step 5
Log in to the ACS machine.
Step 6
Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the secondary instance. Management and runtime services are current with configuration changes from the primary instance.
Replicating a Secondary Instance from the Deployment Operations Page
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
Note All ACS appliances must be in sync with the AD domain clock.
To replicate a secondary instance:
Step 1
Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears. See Table 17-6 for valid field options.
Step 2
Click Force Full Replication.
Note The Force Full Replication button only appears if the secondary instance is the local machine you are logged in to.
The system displays the following warning message:
This operation will force a full replication for this secondary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 3
Click OK.
Step 4
Log in to the ACS machine.
Step 5
Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the secondary instance. Management and runtime services are current with configuration changes from the primary instance.
Using the Deployment Operations Page to Create a Local Mode Instance
When the secondary instance is in local mode it does not receive any configuration changes from the primary instance. The configuration changes you make to the secondary instance are local and do not propagate to the primary instance.
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
Step 1
Choose System Operations > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears. See Table 17-4 for valid field options.
Step 2
Specify the appropriate values in the Registration section for the secondary instance you want to register.
Step 3
Click Register to Primary.
The system displays the following warning message:
This operation will register this ACS Instance as a secondary to the specified Primary Instance. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 4
Click OK.
Step 5
Log in to the ACS local machine.
Step 6
Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears.
Step 7
Click Request Local Mode.
The secondary instance is now in local mode.
Note Once you reconnect the secondary instance to a primary instance you will lose the configuration changes you made to the local secondary instance. You must manually restore the configuration information for the primary instance. You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance.
Understanding Software Updates
You can use the ACS web interface to apply software patches for updating your ACS instances. A software patch is represented by the fifth digit in the software version. For example, ACS 5.1.0.34.1 is a patch for software version 5.1.0.34.
A software update is different from an upgrade. You must use the Command Line Interface (CLI) to upgrade your ACS. For information on upgrading, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/acs5_1_install_guide.html.
When you define a software patch in the Centralized Software Updates page, ACS retrieves the specified patch file from the repository or from your local disk and checks for the format of the software file (whether it is a patch file).
When you apply a software patch, ACS checks whether the software file is intended for the ACS version that is installed on selected ACS instances. For example, a software patch file, ACS 5.1.0.34.1 can only be installed on ACS instances that run ACS 5.1.0.34.
You can use a file browser to obtain the software patch file from your local hard disk. Alternatively, ACS can retrieve the software patch file from a repository that you choose.
Note If you specify a repository, ensure that the software patch file is available in that repository.
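The version rule described above can be checked against an inventory before a patch is applied. The following is an added example, not ACS code: the `Instance` record, the sample inventory, and the policy of skipping an instance that already reports the same or a later fifth digit are assumptions of this example.

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn 'ACS 5.1.0.34.1' or '5.1.0.34.1' into a tuple of ints."""
    text = text.strip()
    if text.upper().startswith("ACS "):
        text = text[4:].strip()
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def split_patch(patch_version):
    """Return (base, patch_number); a patch carries a fifth version digit."""
    parts = parse_version(patch_version)
    if len(parts) != 5:
        raise ValueError(f"{patch_version!r} is not a patch version (need 5 components)")
    return parts[:4], parts[4]


@dataclass
class Instance:
    """Hypothetical inventory record using the Name, Role and Version columns of Table 17-12."""
    name: str
    role: str
    version: str


def check_patch(patch_version, instances):
    """Map instance name -> (eligible, reason) for one patch file version."""
    base, patch_no = split_patch(patch_version)
    base_text = ".".join(map(str, base))
    results = {}
    for inst in instances:
        try:
            installed = parse_version(inst.version)
        except ValueError as exc:
            results[inst.name] = (False, str(exc))
            continue
        # Rule from the page: the patch installs only on its own base version.
        if installed[:4] != base or len(installed) not in (4, 5):
            results[inst.name] = (False, f"runs {inst.version}, patch targets {base_text}")
        # Assumption of this example: an instance that already reports the same
        # or a later patch digit is skipped rather than patched again.
        elif len(installed) == 5 and installed[4] >= patch_no:
            results[inst.name] = (False, f"patch level {installed[4]} already present")
        else:
            results[inst.name] = (True, "base version matches")
    return results


# Constructed sample inventory; only 5.1.0.34 and 5.1.0.34.1 come from the page,
# the other names and versions are made up for illustration.
SAMPLE = [
    Instance("acs-primary", "primary", "5.1.0.34"),
    Instance("acs-sec-1", "secondary", "5.1.0.34.1"),
    Instance("acs-sec-2", "secondary", "5.1.0.35"),
    Instance("acs-sec-3", "secondary", "5.0.0.1"),
]

if __name__ == "__main__":
    for name, (ok, reason) in check_patch("ACS 5.1.0.34.1", SAMPLE).items():
        print(f"{name:12} {'APPLY' if ok else 'SKIP':5} {reason}")
```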
Creating, Duplicating, Editing, and Deleting Software Repositories
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To create, duplicate, edit, or delete a software repository:
Step 1
Choose System Administration > Operations > Software Repositories.
The Software Repositories page appears with the information described in Table 17-7:
Table 17-7 Software Repositories Page
Option | Description
Name | The name of the software repository.
Protocol | The name of the protocol (DISK, FTP, SFTP, TFTP, NFS) you want to use to transfer the upgrade file.
Server Name | The name of the server.
Path | The name of the path for the directory containing the upgrade file. You must specify the protocol and the location of the upgrade file; for example, ftp://acs-home/updates.
Description | A description of the software repository.
Step 2
Perform one of these actions:
• Click Create.
• Check the check box next to the software repository that you want to duplicate and click Duplicate.
• Click the software repository that you want to modify; or, check the check box for the name and click Edit.
• Check one or more check boxes next to the software repository that you want to delete and click Delete.
The Software Update Repositories Properties page appears.
Step 3
Complete the fields in the Software Repositories Properties Page as described in Table 17-8:
Table 17-8 Software Update Repositories Properties Page
Option | Description
General
Name | Name of the software repository.
Description | Description of the software repository.
Repository Information
Protocol | The name of the protocol that you want to use to transfer the upgrade file. Valid options are:
• DISK—If you choose this protocol, you must provide the path.
• FTP—If you choose this protocol, you must provide the server name, path, and credentials.
• SFTP—If you choose this protocol, you must provide the server name, path, and credentials.
• TFTP—If you choose this protocol, you must enter the name of the TFTP server. You can optionally provide the path.
• NFS—If you choose this protocol, you must provide the server name and path. You can optionally provide the credentials. If you choose this protocol, make sure that ACS has full access to the NFS file system. You must have read-write and allow root access permissions on the NFS file system.
Server Name | Name of the FTP, SFTP, TFTP, or NFS server.
Note that the actual location that the repository points to is /localdisk/<path>
Path | The name of the path for the directory containing the upgrade file. You must specify the protocol and the location of the upgrade file; for example, ftp://acs-home/updates.
User Credentials
Username | Administrator name.
Password | Administrator password.
Step 4
Click Submit.
The new software repository is saved. The Software Repository page appears, with the new software repository that you created, duplicated, or edited.
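The per-protocol field requirements in Table 17-8 can be expressed as a pre-flight check on repository definitions before they are entered in the web interface. This is an added example, not ACS code: the dictionary keys, the repository names, and the rule that a path written with a protocol prefix must agree with the Protocol and Server Name fields are assumptions; the FTP and TFTP warnings describe the protocols themselves.

```python
from urllib.parse import urlsplit

CREDS = {"username", "password"}
# (required, optional) fields per protocol, transcribed from Table 17-8.
RULES = {
    "DISK": ({"path"}, set()),
    "FTP": ({"server", "path"} | CREDS, set()),
    "SFTP": ({"server", "path"} | CREDS, set()),
    "TFTP": ({"server"}, {"path"}),
    "NFS": ({"server", "path"}, CREDS),
}
# Transport properties of the protocols themselves (not ACS-specific).
TRANSPORT_NOTES = {
    "FTP": "credentials and files cross the network unencrypted",
    "TFTP": "no authentication or encryption on the transfer",
}


def validate_repository(repo):
    """Return (errors, warnings) for one repository definition given as a dict."""
    errors, warnings = [], []
    proto = str(repo.get("protocol", "")).upper()
    if proto not in RULES:
        return [f"unknown protocol {proto!r}"], warnings
    required, optional = RULES[proto]

    for field in sorted(required):
        if not repo.get(field):
            errors.append(f"{proto}: '{field}' is required")
    for field in sorted({"server", "path"} | CREDS):
        if repo.get(field) and field not in required | optional:
            warnings.append(f"{proto}: '{field}' is not used by this protocol")
    # Optional credentials must still be supplied as a pair.
    if CREDS <= optional and bool(repo.get("username")) != bool(repo.get("password")):
        errors.append(f"{proto}: username and password must be given together")

    # The table's path example carries the protocol ("ftp://acs-home/updates").
    # Assumption: a path written that way must agree with the other fields.
    path = repo.get("path") or ""
    if "://" in path:
        url = urlsplit(path)
        if url.scheme.upper() != proto:
            errors.append(f"{proto}: path uses scheme '{url.scheme}'")
        elif repo.get("server") and url.hostname != repo["server"].lower():
            errors.append(f"{proto}: path host '{url.hostname}' differs from server name")

    if proto in TRANSPORT_NOTES:
        warnings.append(f"{proto}: {TRANSPORT_NOTES[proto]}")
    return errors, warnings


def audit(repos):
    """Map repository name -> (errors, warnings)."""
    return {r["name"]: validate_repository(r) for r in repos}


# Constructed sample definitions; hostnames, accounts and passwords are placeholders.
REPOS = [
    {"name": "patches-sftp", "protocol": "SFTP", "server": "acs-home",
     "path": "sftp://acs-home/updates", "username": "repo-admin", "password": "<placeholder>"},
    {"name": "patches-ftp", "protocol": "FTP", "server": "acs-home",
     "path": "ftp://acs-home/updates", "username": "repo-admin"},
    {"name": "images-tftp", "protocol": "TFTP", "server": "tftp-1"},
    {"name": "nfs-mismatch", "protocol": "NFS", "server": "nas-1",
     "path": "ftp://acs-home/updates", "username": "repo-admin"},
    {"name": "local", "protocol": "DISK", "path": "updates", "server": "acs-home"},
]

if __name__ == "__main__":
    for name, (errs, warns) in audit(REPOS).items():
        print(name, "ERRORS:", errs, "WARNINGS:", warns)
```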
Related Topics
• Creating, Duplicating, Editing, and Deleting a Software File or Patch
• Managing Software Repositories from the Web Interface and CLI
Creating, Duplicating, Editing, and Deleting a Software File or Patch
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To create, duplicate, edit, or delete a software image or patch:
Step 1
Choose System Administration > Operations > Centralized Software Updates.
The Centralized Software Updates page appears with the information displayed in Table 17-9:
Table 17-9 Centralized Software Updates Page
Option | Description
Name | The name of the software file or patch.
Version | The current version of the ACS software.
Software Repository | The name of the repository location where you wish to store your software update and patch files, as well as ACS backup files.
Software Filename | The name of the software update or patch files.
Description | The description of the software update or patch files.
Step 2
Perform one of these actions:
• Click Create.
• Check the check box next to the software file or patch that you want to duplicate and click Duplicate.
• Click the software file or patch that you want to modify; or, check the check box for the Name and click Edit.
• Check one or more check boxes next to the software file or patch that you want to delete and click Delete.
The Centralized Software Updates Properties Create page appears.
Step 3
Complete the fields in the Centralized Software Updates Properties Create page as described in Table 17-10:
Table 17-10 Centralized Software Updates Properties Create Page
Option | Description
Software Update Information
Name | The name of the upgrade or patch file.
Description | Description of the upgrade or patch file.
Software File Location
Upload Software Update | Choose this radio button to browse for the software file that you wish to use to upgrade from your local hard drive.
Retrieve Software Update from Repository | Choose this radio button to select the software file that you wish to use to upgrade from a repository. If you choose this option, you must:
• Select the repository that contains the software file.
• Enter the name of the software file.
Step 4
Click Submit.
The new software file or patch is saved. The Centralized Software Updates page appears, with the new software file or patch that you created, duplicated, or edited.
Related Topics
• Creating, Duplicating, Editing, and Deleting Software Repositories
• Managing Software Repositories from the Web Interface and CLI
Applying Local Software Updates
You can select the local ACS instance to which to apply an upgrade or patch.
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
Step 1
Choose Operations > Local Operations > Local Software Updates.
Step 2
Complete the fields as described in Table 17-11:
Table 17-11 Apply Local Software Updates Page
Option | Description
Name | The name of the software file or patch.
Version | The current version of the ACS software.
Software Repository | The name of the repository location that contains your software update and patch files.
Software Filename | The name of the software update or patch files.
Description | The description of the software update or patch files.
Step 3
Click Apply Software Update.
Applying a Software Update to the ACS Instance
Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.
To apply a software update to an ACS Instance:
Step 1
Choose System Administration > Operations > Centralized Software Updates.
The Centralized Software Updates page appears. See Table 17-9 for valid field options.
Step 2
Check the check box next to the software file you want to use for the update.
Step 3
Click Apply Software Update.
The Centralized Software Updates Apply page appears.
Step 4
Complete the fields in the Centralized Software Updates Apply page as described in Table 17-12:
Table 17-12 Centralized Software Updates Apply Page
Option | Description
Name | The name of the ACS instance you wish to upgrade.
IP Address | The IP address of the ACS instance you wish to upgrade.
Role | Specifies the instance type: primary or secondary.
Version | The current version number of the ACS application.
Description | The description of the ACS instance you wish to upgrade.
Apply Software Update | Click this button to apply the software update to the selected instance.
Step 5
Check the check box next to the ACS instance you want to update.
Step 6
Click Apply Software Update to update the ACS instance software by using the software file.
You get the following message:
This operation will update the software version on the selected ACS instance.
After the new version is loaded the ACS instance will be restarted and any connected
administrators will need to login again.
Step 7
Click OK to apply the software update.
Related Topics
• Creating, Duplicating, Editing, and Deleting Software Repositories
• Managing Software Repositories from the Web Interface and CLI
Managing Software Repositories from the Web Interface and CLI
You can manage repositories from the web interface or the CLI. Keep in mind the rules for creating or deleting repositories from the web interface or CLI:
• If you create a repository from the CLI, that repository is not visible from the web interface, and can only be deleted from the CLI.
• If you create a repository from the web interface, it can be deleted from the CLI; however, that repository still exists in the web interface. If you use the web interface to create a repository for a software update, the repository is automatically created again in the CLI.
• If you delete a repository using the web interface, it is also deleted in the CLI.
Related Topics
• Creating, Duplicating, Editing, and Deleting Software Repositories
• Creating, Duplicating, Editing, and Deleting a Software File or Patch