Table Of Contents
Using Device Management
Getting Started with Device Management
Name Resolution System
Name Resolution for Windows Devices Using NetBios
Name Resolution for Windows Devices Using Aliases
Types of Devices that ITM Monitors
Ports and Interfaces that ITM Manages
Understanding the Device Summary
What Are Device States?
What Are Network Devices and Media Servers?
Adding a Device
Importing Devices
Formatting an ITM Import File
Formatting an RME Version 2 CSV File
Verifying Device Import
Exporting Devices
Synchronizing ITM Inventory with RME Inventory
What Does RME Synchronization Do?
What Does RME Synchronization Not Do?
How Do I Start and Maintain RME Synchronization?
Using RME Synchronization
Suspending and Resuming RME Synchronization
Stopping and Starting the RME-ITM Change Probe Process
Stopping the RME-ITM Change Probe Process
Starting the RME-ITM Change Probe Process
Viewing the RME-ITM Change Probe Log File
Viewing ITM Devices Not in RME Inventory
Updating RME Synchronization Parameters on Remote RME Server
Editing Device Configuration
Changing Device Credentials
Determining the Media Server Account to Use for Cisco CallManager Access
Rediscovering a Device
Deleting a Device
Viewing Device Details
Understanding the Device Details Display
Viewing Discovery Status
Modifying SNMP Timeout and Retries
Understanding Cisco CallManager Security Certificates
Managing Cisco CallManager Security Certificates
Viewing and Importing a Cisco CallManager Security Certificate
Validating Cisco CallManager Security Certificates
Responding to Errors While Viewing or Validating Certificates
Using Device Management
These topics explain how to use IP Telephony Monitor (ITM) Device Management:
•
Getting Started with Device Management
•Understanding the Device Summary
•Synchronizing ITM Inventory with RME Inventory
•Editing Device Configuration
•Viewing Device Details
•Viewing Discovery Status
•Modifying SNMP Timeout and Retries
•Understanding Cisco CallManager Security Certificates
Getting Started with Device Management
Device management consists of working with devices; for example, adding, deleting, or exporting devices. Also, through Device Management, you can see a device's state and change its credentials, or configure global SNMP settings.
For ITM to monitor a device, the device must first be added to ITM. Devices can be added one at a time, or several devices can be imported together. As devices are added (or rediscovered) they can go through various device states (see the "What Are Device States?" section for details).
Note ITM also allows you to readd any device. You might want to readd a device that is in the Questioned state, to update its credentials, or you might want to update a device's Ethernet phone port information.
Name Resolution System
Figure 4-1 illustrates the algorithm used to assign a name (node name) to a discovered device. The goal of this algorithm is to provide ITM with a unique identifier that is always DNS-resolvable. Figure 4-1 also illustrates why it is important that when devices are added to ITM, they should be specified using DNS-resolvable names. ITM carries out this process of name resolution whether importing multiple devices using an import file, or adding one device through the Add/Import/Export Devices: Add page.
Figure 4-1 ITM Name Resolution Algorithm
For Windows devices running NetBios, see the "Name Resolution for Windows Devices Using NetBios" section.
For systems using aliases, see the "Name Resolution for Windows Devices Using Aliases" section.
As illustrated in Figure 4-1, ITM resolves names as follows:
1
|
ITM obtains a value of sysName for the device SNMP agent.
|
2
|
ITM tries to resolve sysName and obtain the IP address from DNS.
|
3
|
If the DNS lookup for sysName succeeds and returns an IP address (or addresses) associated with the SNMP agent, sysName becomes the node name.
|
4
|
If the DNS lookup for sysName fails, ITM checks to see if either the import file or the add device procedure specified the device by name. If either of them did, the import filename becomes node name.
|
5
|
If the DNS lookup for sysName fails and the device was not specified by name, ITM checks to see if either the import file or the add device procedure specified the device as an IP address. If either of them did, ITM tries to resolve the IP address using DNS.
|
6
|
If the DNS lookup for the IP address succeeds and returns a name, this name becomes the node name.
|
7
|
If the DNS lookup for the IP address fails, ITM tries to resolve a loopback IP address from the ipAddr table (as described in the next step).
|
8
|
If the DNS lookup for loopback IP address from the ipAddr table succeeds, the DNS name for the loopback IP address becomes the node name.
|
9
|
If the DNS lookup for the loopback IP address from the ipAddr table fails, DNS attempts to resolve a different IP address from the ipAddr table.
|
10
|
If DNS resolves a different IP address from the ipAddr table, the DNS name for the resolvable IP address from the ipAddr table becomes the node name.
|
11
|
If DNS cannot resolve any other IP addresses from the ipAddr table, the import file IP address becomes the node name.
|
Name Resolution for Windows Devices Using NetBios
As Figure 4-1 illustrates, after a device is added, ITM queries the SNMP agent for sysName, and a DNS lookup is performed on sysName. If you have configured Windows to use NetBios over TCP/IP and a DNS lookup fails, the Windows name resolver continues searching, using NetBios name resolution.
As a result, certain hosts (either Windows-based hosts or Windows-based router cards, such as Cisco CallManager) might be assigned their NetBios names. These names might not immediately correspond to any IP address or DNS name, which could initially lead to confusion. Additionally, in certain cases, the NetBios name resolution might depend on device status; for example, if a device is up and responding to NetBios name queries, its name will be resolved.
Note To avoid confusion on Windows, disable NetBios over TCP/IP on any Windows servers running ITM. If this solution is unacceptable, make sure NetBios names are consistent with the DNS naming scheme.
Name Resolution for Windows Devices Using Aliases
Under certain circumstances, ITM will resolve a device name to the device alias rather than the DNS name. This occurs on Windows devices if a system alias is specified in the Windows hosts file. In this case, the alias will always take precedence over the DNS name.
Types of Devices that ITM Monitors
For examples of the types of devices that ITM monitors, see Table 15-1.
Note For a detailed list of devices that ITM supports, see Supported Device Table for IP Telephony Monitor on Cisco.com. Log into Cisco.com and select Products & Services > Network Management CiscoWorks > CiscoWorks IP Telephony Monitor > Technical Documentation > Device Support Tables.
Ports and Interfaces that ITM Manages
The following describes the default ports and interfaces that ITM manages or unmanages:
•Ports (switches)—By default, ITM manages trunk ports but does not manage access ports. (An access port is a switch port that is connected to a host or device that ITM does not manage; that is, an end-station port.) ITM considers a port to be a trunk port if it connects to a Cisco network device running Cisco Discovery Protocol (CDP). In other words, a trunk port connects to a router, or to a switch that the same ITM server manages. ITM does not manage access ports by default.
•Interfaces (routers)—By default, ITM manages all interfaces listed in the ifTable.
Understanding the Device Summary
The device summary appears when you select IP Telephony Monitor > Device Management > Add/Import/Export Devices.
These topics explain how to use the Device Summary page:
•What Are Device States?
•What Are Network Devices and Media Servers?
•Adding a Device
•Importing Devices
•Verifying Device Import
•Exporting Devices
Figure 4-2 shows an example of the Add/Import/Export Devices page.
Figure 4-2 Add/Import/Export Devices Page
Table 4-1 describes the information displayed on the Add/Import/Export Devices page.
Table 4-1 Add/Import/Export Devices Page
Heading/Button
|
Description
|
Status
|
Lists the states a device can be in. For a description of each state, see the "What Are Device States?" section.
|
Number of Devices
|
The number of devices that are in each device state.
|
Add
|
To add a device. For a detailed description, see the "Adding a Device" section.
|
Import
|
To import devices using a file. For a detailed description, see the "Importing Devices" section.
|
Export
|
To export devices to a file. For a detailed description, see the "Exporting Devices" section.
|
Refresh
|
Refreshes the view.
|
What Are Device States?
A device can be in one of six states:
•Known—The device has been successfully imported, and is fully managed by ITM.
•Aware—The device has been successfully imported by some of the data collectors in ITM, but not all. If a device is in this state, you should take action to ensure that the device becomes known.
Note Data collector is a term used to refer to all back-end applications that are involved in device rediscovery and device data collection.
•Learning—ITM is discovering the device. This is the beginning state, when the device is first added or is being rediscovered.
•Questioned—ITM cannot manage the device. See the "Modifying SNMP Timeout and Retries" section.
•Pending—The device is being deleted. ITM is waiting for confirmation from all of its data collectors before purging the device and its details.
•Unknown—The device is not supported by ITM.
What Are Network Devices and Media Servers?
ITM categorizes a device as either a Network Device, or a Media Server or ICS. When you add a device, you must designate which category the device belongs to. If you add a device using the wrong category, ITM will not monitor the device correctly.
Note If you want ITM to monitor Cisco Unity, you must add it using the Media Server or ICS category.
When you add devices, use the following guidelines for device categories:
•Network Device—All routers and switches that support data and/or voice functionality should be added into this category.
•Media Server or ICS—All supported hardware on which Cisco CallManager, Cisco Unity, or IP telephony applications (Personal Assistant, Cisco Emergency Responder, Cisco Conference Connection, and so on) are installed should be added into this category.
Note For a complete list of supported hardware, log into Cisco.com and select Products & Services > Network Management CiscoWorks > CiscoWorks IP Telephony Monitor > Technical Documentation > Device Support Tables.
Adding a Device
You can add one device at a time using the Add/Import/Export Devices: Add page. If you want to add multiple devices at one time, you can do so in either of the following ways:
•Import a list of devices from a comma separated values (CSV) file—See the "Importing Devices" section.
•Synchronize the ITM device list with a remote CiscoWorks Resource Manager Essentials (RME) inventory—See the "Synchronizing ITM Inventory with RME Inventory" section.
Note RME synchronization is available only if you have downloaded and installed Incremental Device Update (IDU) 2 or later from the ITM download site: http://www.cisco.com/pcgi-bin/tablebuild.pl/item-3des.
Note If you only want to resume the managed state of a device that has already been added to ITM, you do not need to readd the device. You can suspend and resume the managed state of a device through the Detailed Device View page. For more details on suspending and resuming the managed state of a device, see the following:
•Suspending Device Monitoring
•Suspending/Resuming a Device Component
Before you Begin
•Verify which category the device you are adding belongs to: either Network Device, or Media Server or ICS. For a description of these categories, see the "What Are Network Devices and Media Servers?" section.
•If the device you are adding contains multiple entities (devices) to be managed, verify that all of its contained entities have the same SNMP read community string. For example, an ICS 7750 can have up to six contained devices. When adding an ICS 7750, only one set of SNMP and HTTP access credentials is specified.
Note To verify that all of the contained entities have the same SNMP read community string, use the following: for IOS-based devices, use the show running command, and for Catalyst devices, use the show snmp command.
•If you are using ITM Multi-View, see the "Using Multi-View Manager" section before importing any devices.
Step 1 Select IP Telephony Monitor > Device Management > Add/Import/Export Devices. The Add/Import/Export Devices page appears.
Note If you are connecting to the ITM server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. For more information, see the "Responding to Security Alerts" section.
Step 2 Select Add. The Add/Import/Export Devices: Add page appears.
Step 3 Select the device type. For a description of device types, see the "What Are Network Devices and Media Servers?" section.
•If you select Network Device, enter the following information for the device:
–IP address or hostname.
–Read community string. Verify by entering the community string a second time.
•If you select Media Server or ICS, enter the following information for the device:
Note In Device Management, Integrated Communication System (ICS) devices are treated as media servers, so select the Media Server or ICS category for ICS devices.
–IP address or hostname.
–Read community string. Verify by entering the community string a second time.
–(Optional) CCM access username. This is the username used to access the server.
–(Optional) CCM access password. Verify by entering the password a second time.
Note See the "Determining the Media Server Account to Use for Cisco CallManager Access" section for more information.
–Ethernet phone port number. This is the TCP port on the Cisco CallManager where the Skinny protocol runs. It is used by every Skinny client, real or synthetic. Cisco CallManager uses this port to communicate with the Cisco IP Phones on the network.
The default port is 2000, but is configurable on the Cisco CallManager. Set the port in ITM to match the one configured on the Cisco CallManager. You can verify the Ethernet phone port used by your Cisco CallManager on its Administrative pages.
Note Do not use commas (,) in any of the fields. Because ITM uses comma separated values (CSV) files for its export and import, if commas are present in these fields, the device information will not be properly imported or exported.
Step 4 Click OK.
To view the devices that are being added, select IP Telephony Monitor > Device Management > View Discovery Status.
Tips
•If a device discovery times out for several devices, increasing the timeout settings might fix the problem. For details on modifying the timeout setting, see the "Modifying SNMP Timeout and Retries" section.
•If a particular device is not responding, you might need to readd the device. Verify that the device's SNMP credentials are correct, and then readd the device. For details on changing device credentials, see the "Changing Device Credentials" section.
•If a device is in the Questioned state, you should take action to resolve the import problem.
A device can be in the Questioned state because of the following:
–SNMP Timeout—The SNMP read-only community string is incorrect. Update the device credentials. For details on modifying the timeout setting, see the "Modifying SNMP Timeout and Retries" section.
–Others—You can determine the exact reason a device is in the Questioned state by clicking the problem device in the device selector on the Edit Device Configuration page (for an explanation on how to use the Edit Device Configuration page, see the "Editing Device Configuration" section). In the right pane of the Edit Device Configuration page, error codes and error messages are displayed. Act accordingly to fix the problem.
The following are examples of the problems ITM might encounter:
–Wrong or insufficient credentials—To update the device credentials, see the "Changing Device Credentials" section.
–Device not operational during import—Verify that the device is operational.
–Device does not support MIB II.
–Data collector timeout—One of the data collectors did not respond in time. This can occur when the system is under a heavy load. To rediscover the device, see the "Rediscovering a Device" section.
•If a device is in the Aware state, you should take action to ensure that the device becomes known.
A device can be in the Aware state because of the following:
–CCM Authentication Failure—The device credentials might not be correct. To update the device credentials, see the "Changing Device Credentials" section.
–HTTP Server Down—The HTTP process in the device is down. Verify that the process on the media server or ICS device is down. If the device should be fully managed, start that process on the device.
–Insufficient Credentials—The CCM credentials were not provided when the device was added. To update device credentials, see the "Changing Device Credentials" section.
–Cisco CallManager Security Certificate Failure—The correct security certificate (for a Cisco CallManager that is using HTTPS) has not been installed on ITM. To correct the problem, import the security certificate for the Cisco CallManager media server and rediscover the media server. See Viewing and Importing a Cisco CallManager Security Certificate and Rediscovering a Device.
–HTTPS Query Failure—This failure has the same cause as Cisco CallManager Security Certificate Failure and can be corrected in the same way.
•If devices go undiscovered, seem to take an exceedingly long time to be discovered, or are imported with the default community string public instead of the actual community string on the device, the following procedure might fix the condition:
a. Stop the CiscoWorks daemon manager.
b. Check the DNS settings as follows and correct them if necessary:
–Make sure that the sysName is an exact match for its DNS name. The names are case-sensitive.
–Verify that the ITM can reach the devices using its DNS name. If not, verify that the devices are reachable using their IP addresses.
–If the devices can be reached using IP addresses, after you restart the CiscoWorks daemon manager in Step 3, add the devices to ITM again, using IP addresses in place of DNS names.
c. Restart the CiscoWorks daemon manager.
Importing Devices
You can import multiple devices at one time by using a comma separated values (CSV) file. The file can be either an ITM import-format CSV file or a Resource Manager Essentials Version 2 CSV file.
Note You can also import multiple devices by automatically adding devices from RME inventory. See the "Synchronizing ITM Inventory with RME Inventory" section.
RME synchronization is available only if you have downloaded and installed Incremental Device Update (IDU) 2 or later from the ITM download site: http://www.cisco.com/pcgi-bin/tablebuild.pl/item-3des.
Before you Begin
•Verify that your import file is formatted correctly. For details on formatting import files, see the following:
–"Formatting an ITM Import File" section
–"Formatting an RME Version 2 CSV File" section
•Place the import file on the server, in the NMSROOT\ImportFiles directory.
Note NMSROOT is the directory where IP Telephony Monitor is installed on your system. If you selected the default directory during installation, it is C:\Program Files\CSCOpx.
Step 1 Select IP Telephony Monitor > Device Management > Add/Import/Export Devices. The Add/Import/Export Devices page appears.
Note If you are connecting to the ITM server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. For more information, see the "Responding to Security Alerts" section.
Step 2 Select Import. The Add/Import/Export Devices: Import from File page appears.
Step 3 Enter the filename.
Note The file must be located on the server in the directory that is displayed next to the Server Path Location field name. If ITM is uninstalled, the directory where the files are stored is removed. As a precaution, you should store a copy of the files in a separate location.
Step 4 Click OK.
ITM performs the following actions:
•Checks the import file format and verifies the device information.
•If any errors are found, displays an Import Errors dialog box. The dialog box lists all of the errors found in the file. You must act according to what is specified in the dialog box.
Note You must correct all errors before you can add any devices to ITM.
•If any devices already exist in ITM, an Import Warning dialog box appears. The dialog box lists all of the devices that will be readded. You can either readd the devices, or cancel.
Note For ITM Multi-View users only: You cannot readd devices that already exist in any other partition. You can only readd devices that are in the default partition (0) or your current partition. For details on using ITM Multi-View, see the "Using Multi-View Manager" section.
•If no errors are discovered and only new devices are imported, an Import Successful dialog box appears. The dialog box displays the number of new devices added.
Tips
•If a device discovery times out for several devices, increasing the timeout settings might fix the problem. For details on modifying the timeout setting, see the "Modifying SNMP Timeout and Retries" section.
•If a particular device is not responding, you might need to readd the device. Verify that the device's SNMP credentials are correct, and then readd the device. For details on changing device credentials, see the "Changing Device Credentials" section.
•If a device is in the Questioned state, you should take action to resolve the import problem.
A device can be in the Questioned state because of the following:
–SNMP Timeout—The SNMP read-only community string is incorrect. Update the device credentials. For details on modifying the timeout setting, see the "Modifying SNMP Timeout and Retries" section.
–Others—You can determine the exact reason a device is in the Questioned state by clicking the problem device in the device selector on the Edit Device Configuration page (for an explanation on how to use the Edit Device Configuration page, see the "Editing Device Configuration" section). In the right pane of the Edit Device Configuration page, error codes and error messages are displayed. Act accordingly to fix the problem.
The following are examples of the problems ITM might encounter:
–Wrong or insufficient credentials—To update the device credentials, see the "Changing Device Credentials" section.
–Device not operational during import—Verify that the device is operational.
–Device does not support MIB II.
–Data collector timeout—One of the data collectors did not respond in time. This can occur when the system is under a heavy load. To rediscover the device, see the "Rediscovering a Device" section.
•If a device is in the Aware state you should take action to ensure that the device becomes known.
A device can be in the Aware state because of the following:
–CCM Authentication Failure—The device credentials might not be correct. To update the device credentials, see the "Changing Device Credentials" section.
–HTTP Server Down—The HTTP process in the device is down. Verify that the process on the media server or ICS device is down. If the device should be fully managed, start that process on the device.
–Insufficient Credentials—The CCM credentials were not provided when the device was added. To update the device credentials, see the "Changing Device Credentials" section.
–Cisco CallManager Security Certificate Failure—The correct security certificate (for a Cisco CallManager that is using HTTPS) has not been installed on ITM. To correct the problem, import the security certificate for the Cisco CallManager media server and rediscover the media server. See Viewing and Importing a Cisco CallManager Security Certificate and Rediscovering a Device.
–HTTPS Query Failure—This failure has the same cause as Cisco CallManager Security Certificate Failure and can be corrected in the same way.
Formatting an ITM Import File
An ITM import-format CSV file can be manually written or obtained by exporting existing devices managed by ITM (for detailed information on exporting, see the "Exporting Devices" section). If you need to change the device information in the file, it is very important that you understand what the device information in the file represents. If the file is not formatted correctly, your devices will not be imported properly.
In the import file, columns 4 through 6 are in Base64 Encoded format. The file header contains the phrase source=export. If you edit the values for columns 4 through 6 using clear text, you must change the file header to contain the phrase source=manual.
Note ITM contains sample import files for you to use. They are located on the server, in the NMSROOT\ImportFiles directory.
NMSROOT is the directory where IP Telephony Monitor is installed on your system. If you selected the default directory during installation, it is
C:\Program Files\CSCOpx.
The following is an example of the header:
Cisco Systems ITEM data import, version=1.0;type=CSV;source=manual;
You can only change source=manual to source=export, or source=export to source=manual.
The import file must contain:
•Seven columns. If a column is not used, you must enter !{[NOVALUE]}!
•A comma separating the columns.
Table 4-2 describes the columns of an ITM import file.
Table 4-2 ITM Import File
Column Number
|
Description
|
1
|
Device type: either 0 for a network device, or 1 for a media server. For a description of these categories, see the "What Are Network Devices and Media Servers?" section.
|
2
|
Name of the device (including domain, or just an IP address)
|
3
|
SNMP read-only community string
|
4
|
SNMP read-write community string (media servers only)
|
5
|
CCM access username (media servers only)
|
6
|
CCM access password (media servers only)
|
7
|
Ethernet phone port number (media servers only)
|
Note See the "Determining the Media Server Account to Use for Cisco CallManager Access" section for more information.
The following rules apply when changing information in the file:
•Columns 1 through 3 are required for both network devices and media servers.
•Columns 4 through 7 are not used for network devices.
•Column 4 is optional for media servers.
The following is an example of the contents of an ITM export file:
Cisco Systems ITEM data import, version=1.0;type=CSV;source=manual;
0,10.10.10.10,public,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,
!{[NOVAlUE]}!
1,My-CCM-1,public,private,administrator,myPasswd,2000
1,12.12.12.12,public,private,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!
In the example, the first row reads as follows:
•The device is a network device
•The IP address is 10.10.10.10
•The SNMP read-only community string is public
•No value is listed for the SNMP read-write community string
•No value is listed for the CCM access username
•No value is listed for the CCM access password
•No value is listed for the Ethernet phone port number
Formatting an RME Version 2 CSV File
The Resource Manager Essentials (RME) Version 2 CSV file contains nineteen columns, but ITM uses only the first two columns to import devices into inventory.
Note ITM contains sample import files for you to use. They are located on the server, in the NMSROOT\ImportFiles directory.
NMSROOT is the directory where IP Telephony Monitor is installed on your system. If you selected the default directory during installation, it is
C:\Program Files\CSCOpx.
Table 4-3 describes the first two columns of an RME Version 2 CSV file.
Table 4-3 RME Version 2 CSV File
Column Number
|
Description
|
1
|
Name of the device (including domain, or just an IP address)
|
2
|
SNMP read-only community string
|
The following is an example of an RME Version 2 CSV file:
Cisco Systems NM data import, source = export utility; version = 2.0;
Type = Csv
10.204.134.155,public,private,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}
!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,Cisco02!,!{[NOVALUE]}!,!{[
NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[
NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!
my-ccm-2500b,public,private,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,
!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,Cisco02!,!{[NOVALUE]}!,!{[NO
VALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NO
VALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!
ccmabc-2500a,public,private,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,
!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,Cisco02!,!{[NOVALUE]}!,!{[NO
VALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!,!{[NO
VALUE]}!,!{[NOVALUE]}!,!{[NOVALUE]}!
Verifying Device Import
After adding a device, you can verify that it has been imported by using the View Discovery Status page. For detailed information about the View Discovery Status page, see the "Viewing Discovery Status" section.
Step 1 Open the View Discovery Status page. See the "Viewing Discovery Status" section.
Step 2 In the Device Name column, locate the device you added.
Step 3 In the Status column, verify that your device is in the Known state. (The Last Discovered column also displays the time it was fully discovered.)
A Known state on the device indicates that it was imported successfully.
Note For a complete explanation of the device states, see the "What Are Device States?" section.
Tips
•If a particular device is not responding, you might need to readd the device. Verify that the device's SNMP credentials are correct, and then readd the device. For details on changing device credentials, see the "Changing Device Credentials" section.
•If a device is in the Questioned state, you should take action to resolve the import problem.
A device can be in the Questioned state because of the following:
–SNMP Timeout—The SNMP read-only community string is incorrect. Update the device credentials. For details on modifying the timeout setting, see the "Modifying SNMP Timeout and Retries" section.
–Others—You can determine the exact reason a device is in the Questioned state by clicking the problem device in the device selector on the Edit Device Configuration page (for an explanation on how to use the Edit Device Configuration page, see the "Editing Device Configuration" section). In the right pane of the Edit Device Configuration page, error codes and error messages are displayed. Act accordingly to fix the problem.
The following are examples of the problems ITM might encounter:
–Wrong or insufficient credentials—To update the device credentials, see the "Changing Device Credentials" section.
–Device not operational during import—Verify that the device is operational.
–Device does not support MIB II.
–Data collector timeout—One of the data collectors did not respond in time. This can occur when the system is under a heavy load. To rediscover the device, see the "Rediscovering a Device" section.
•If a device is in the Aware state, you should take action to ensure that the device becomes known.
A device can be in the Aware state because of the following:
–CCM Authentication Failure—The device credentials might not be correct. To update the device credentials, see the "Changing Device Credentials" section.
–HTTP Server Down—The HTTP process in the device is down. Verify that the process on the media server or ICS device is down. If the device should be fully managed, start that process on the device.
–Insufficient Credentials—The CCM credentials were not provided when the device was added. To update the device credentials, see the "Changing Device Credentials" section.
–Cisco CallManager Security Certificate Failure—ITM does not have the correct security certificate installed for a Cisco CallManager that is using HTTPS. To correct the problem, import the security certificate for the Cisco CallManager media server and rediscover the media server. See Viewing and Importing a Cisco CallManager Security Certificate and Rediscovering a Device.
–HTTPS Query Failure—This failure has the same cause as Cisco CallManager Security Certificate Failure and can be corrected in the same way.
Exporting Devices
During export, ITM creates an export-format CSV file that contains all of the devices that ITM is monitoring, along with their credentials. This file can be used to back up your device list, and to import devices into ITM. For information on formatting an ITM import file, see the "Formatting an ITM Import File" section.
Note To export to a file, there must be at least one device in ITM. If there are no devices present, the Export button is disabled.
Step 1 Select IP Telephony Monitor > Device Management > Add/Import/Export Devices. The Add/Import/Export Devices page appears.
Note If you are connecting to the ITM server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. For more information, see the "Responding to Security Alerts" section.
Step 2 Select Export. The Add/Import/Export Devices: Export to File page appears.
Step 3 Enter the filename.
Note The directory where the file is saved is predetermined. Your file will be located in this directory on the server. The directory is displayed next to Server Path Location.
Step 4 Click OK.
Note•If a file already exists on the server with the same name and contains devices that do not belong to the current partition, an error occurs. You must specify a new filename to export the file to.
•If a file already exists on the server with the same name and contains devices that belong to the current partition, a Confirmation dialog box appears. You must choose Yes to proceed or No to discontinue exporting.
•If the filename does not exist on the server, export will proceed without any issues.
Synchronizing ITM Inventory with RME Inventory
Note RME synchronization is available only if you have downloaded and installed Incremental Device Update (IDU) 2 or later from the ITM download site: http://www.cisco.com/pcgi-bin/tablebuild.pl/item-3des.
You can configure ITM to automatically add devices to ITM from a remote CiscoWorks Resource Manager Essentials (RME) 3.4 or 3.5, using RME synchronization. RME synchronization regularly queries RME for new and reconfigured devices and updates the device information in the ITM inventory. ITM then probes the devices to analyze their properties and status.
What Does RME Synchronization Do?
RME synchronization does the following:
•Adds up to the first 1,000 devices from the RME inventory to the ITM inventory.
•Updates device information in the ITM inventory after changes are made in the remote RME inventory.
•Reports the list of devices that are available in ITM but not in RME.
Note If RME synchronization adds a device supported by RME, but not supported by ITM, that device remains in the Questioned state in ITM. See the "What Are Device States?" section for more information.
What Does RME Synchronization Not Do?
RME synchronization adds and updates devices in ITM inventory. It does not do the following:
•It does not automatically delete devices during synchronization:
–If you delete a device from RME and the device has already been added to ITM, it remains in ITM; but, you can manually delete it. To find such devices, see the "Viewing ITM Devices Not in RME Inventory" section.
–If you delete a device from ITM, the device is not deleted from the RME inventory. Therefore, when RME synchronization again performs a query of the full RME inventory (after a restart of the system, for example), the deleted device will again be added to ITM inventory.
•It does not provide credentials for any media server added to ITM. If a media server is added to ITM by the RME synchronization process, the media server remains in an Aware device state until you update its credentials. See the "What Are Device States?" section and the "Changing Device Credentials" section.
How Do I Start and Maintain RME Synchronization?
To enable ITM to automatically synchronize its device inventory with a remote RME inventory, you should:
1. Install the RME-ITM Change Probe on a remote server with RME 3.4 or 3.5—You can download the RME-ITM Change Probe and obtain installation instructions as follows:
a. Log into Cisco.com.
b. Select Products & Services > Network Management CiscoWorks > CiscoWorks IP Telephony Monitor > Software Center > Download Software Image.
2. Start RME synchronization on the local ITM server—See the "Suspending and Resuming RME Synchronization" section.
3. Update the RME-ITM Change Probe on the remote RME server whenever you make the following modifications to ITM:
•Update ITM username and password.
•Move ITM to a different server.
You can also update the change probe on the remote server if you would like to change the frequency with which RME synchronization occurs. To do so, see the "Updating RME Synchronization Parameters on Remote RME Server" section.
4. For ITM Multi-View users only: Make sure a Partition Administrator checks partition 0 regularly to assign the devices from RME inventory to defined partitions.
Using RME Synchronization
The RME Synchronization page controls the synchronization process that is running on the local ITM server. You can open the RME Synchronization page, from one of the following:
•Alerts and Activities Display using the ITM Tools button—Allows you to:
–View RME synchronization status.
–Display any devices in ITM inventory that are not in RME inventory—See the "Viewing ITM Devices Not in RME Inventory" section.
•Configuration folder on the ITM desktop using RME Synchronization—In addition to allowing you to view RME synchronization status and ITM devices that are not in RME, allows you to suspend or resume RME synchronization. See the "Suspending and Resuming RME Synchronization" section.
Step 1 Select IP Telephony Monitor > Configuration > RME Synchronization. The RME Synchronization page appears, displaying the following information.
Field
|
Description
|
Usage Notes
|
RME on a remote host
|
IP address of server where RME is installed
|
If you move RME to a different server, you must install the RME-ITM Change Probe on the new remote RME server.
To download the RME-ITM Change Probe from Cisco.com, select Products & Services > Network Management CiscoWorks > CiscoWorks IP Telephony Monitor > Software Center > Download Software Image.
Note If you move ITM to a different server, update the RME parameters. See Updating RME Synchronization Parameters on Remote RME Server.
|
Frequency
|
Number of hours between start of one RME synchronization and start of the next
|
To change the value of this field, see Updating RME Synchronization Parameters on Remote RME Server.
|
Next Scheduled Update
|
Start date and time for next RME synchronization, or one of the following:
•Suspended—RME synchronization is suspended.
•Previous update skipped—RME synchronization did not occur on schedule and, therefore, schedule for the next update is not known.
|
The value for this field changes as processing occurs. You can also change it by:
•Suspending or resuming RME synchronization—See Suspending and Resuming RME Synchronization.
•Changing the frequency of RME synchronization—See Updating RME Synchronization Parameters on Remote RME Server.
Note Previous update skipped can indicate a process failure. For a failure on the local ITM server, ITM displays an error message. To determine whether a failure occurred on the remote RME server, you should check the ItmChangeProbe process—see Starting the RME-ITM Change Probe Process.
|
Status
|
One of the following:
•Active—ITM updates its inventory with information received from RME
•Suspended—ITM
does not update inventory with information received from RME
|
If status is Active, the Suspend button is displayed.
Note If you open the RME Synchronization page from the Alerts and Activities Display, Suspend and Resume buttons are not displayed.
If status is Suspended, the Resume button is displayed.
See Suspending and Resuming RME Synchronization.
|
Suspending and Resuming RME Synchronization
Suspending RME synchronization stops the processing of any data received from the RME-ITM Change Probe (on the RME server).
Note If you are using ITM Multi-View, you can suspend or resume RME synchronization from any partition. However, RME synchronization is suspended or resumed for all partitions.
Step 1 Select IP Telephony Monitor > Configuration > RME Synchronization. The RME Synchronization page opens.
Step 2 If Status is Active, you can suspend it as follows:
a. Click Suspend. A confirmation dialog box is displayed.
b. Click OK.
Note Suspending RME synchronization only stops ITM from processing the information sent by the RME-ITM Change Probe on the RME server.
c. (Optional) To prevent the RME-ITM Change Probe from continuing to send information from RME, see the "Stopping and Starting the RME-ITM Change Probe Process" section.
Step 3 If Status is Suspended, you can do the following:
a. Resume RME synchronization by clicking Resume.
Note Resuming enables ITM to update inventory when the next RME update occurs due to an event or the next scheduled synchronization update.
b. If you stopped the RME-ITM Change Probe on the RME server, you must start it again. See the "Stopping and Starting the RME-ITM Change Probe Process" section.
Stopping and Starting the RME-ITM Change Probe Process
The following procedures explain how to stop and start the RME-ITM Change Probe on the remote RME server.
Stopping the RME-ITM Change Probe Process
This procedure describes how to stop the RME-ITM Change Probe process (ItmChangeProbe) on the remote RME server. After you complete this procedure, the RME-ITM Change Probe stops sending inventory information from the remote RME.
Step 1 Log into CiscoWorks on the remote RME server.
Step 2 Select Server Configuration > Administration > Process Management > Stop Process.
Step 3 Select ItmChangeProbe from the process list.
Step 4 Click Finish.
If you disable the process and restart CiscoWorks, the ItmChangeProbe process will be restarted. To disable the process from automatic startup after you restart CiscoWorks, uninstall the RME-ITM ChangeProbe. For instructions, log into Cisco.com at the following URL:
http://cisco.com/cgi-bin/tablebuild.pl/item-3des
Then select the appropriate document:
•Readme for RME-ITM ChangeProbe 1.0 on Solaris
•Readme for RME-ITM ChangeProbe 1.0 on Windows
Starting the RME-ITM Change Probe Process
This procedure describes how to start the RME-ITM Change Probe process (ItmChangeProbe) on the remote RME server after you have stopped it. After you complete this procedure, the RME-ITM Change Probe starts sending inventory information from the remote RME.
Step 1 Log into CiscoWorks on the remote RME server.
Step 2 Select Server Configuration > Administration > Process Management > Start Process.
Step 3 Select ItmChangeProbe from the process list.
Step 4 Click Finish.
Viewing the RME-ITM Change Probe Log File
The RME-ITM Change Probe log file, RmeItmChangeProbe.log, is located on the RME server in NMSROOT/conf/itm. By default, only error messages are written to the log file. To change the logging level, use the following procedure.
Step 1 Log into the RME server:
•On UNIX:
Log in as root.
•On Windows:
Log in as a local administrator.
Step 2 Go to the directory with the ItmComParams.properties file:
•On Unix:
$NMSROOT/conf/dfm/ItmComParams.properties
•On Windows:
$NMSROOT\conf\dfm\ItmComParams.properties
Note NMSROOT is the directory where RME is installed on your system. If you selected the default directory during installation, on Windows it is C:\Program Files\CSCOpx and on UNIX it is /opt/CSCOpx.
Step 3 Edit the ItmComParams.properties file and change the value of LOG_LEVEL to one of the following.
Value
|
Description
|
ERROR
|
Log error messages (default value)
|
WARN
|
Log error and warning messages
|
INFO
|
Log error, warning, and informational messages
|
DEBUG
|
Log error, warning, informational, and debug messages
|
Note If you change this value while the RME-ITM Change Probe process is running, the logging level changes the next time the RME-ITM Change Probe takes an action (sends an event to ITM or runs a full synchronization).
Viewing ITM Devices Not in RME Inventory
When users delete devices from RME, ITM does not automatically delete them from the ITM inventory when RME synchronization occurs. You can locate such devices as follows:
Step 1 Select IP Telephony Monitor > Configuration > RME Synchronization. The RME Synchronization page appears.
Step 2 Click View. The Devices Not in RME Inventory tabular display opens, displaying the following information.
Field
|
Description
|
Device Name
|
DNS name of the device.
|
IP Address
|
IP address of the device.
|
Status
|
Status of the device in ITM. See What Are Device States?
|
Step 3 If you want to delete devices shown in the tabular display, see the "Deleting a Device" section.
For additional information on working with tabular displays, see the following topics:
•Paging and Sorting Tabular Displays
•Exporting Data from Tabular Displays
•Printing Tabular Displays
Updating RME Synchronization Parameters on Remote RME Server
When you install the RME-ITM Change Probe on a remote RME server, the following information is recorded on the RME server:
•ITM server
•ITM username
•ITM password
•Frequency with which to synchronize
You can change these values using a command line interface on the remote RME server as follows:
Step 1 Log into the remote RME server:
•On Solaris, log in as root.
•On Windows 2000, log in as a local administrator.
Step 2 Enter the following command, supplying the option and the value for each parameter you want to change:
•On Solaris, enter:
updateItmParams.sh -option value
The following example shows all parameters changed:
updateItmParams.sh -host 172.16.71.2 -username admin -password
5Mxz12 -freq 7
The following example shows only the frequency parameter changed:
updateItmParams.sh -freq 10
•On Windows 2000, enter:
updateItmParams -option value
The following example shows all parameters changed:
updateItmParams -host 172.16.71.2 -username admin -password 5Mxz12
-freq 7
The following example shows only the frequency parameter changed:
Option
|
Explanation
|
Usage Notes
|
host
|
IP address or server name where ITM is installed:
•On Solaris—hostname
•On Windows 2000—DNS name
|
None.
|
username
|
A valid CiscoWorks username for the ITM server
|
The user role for this username must permit the use of Add/Import/Export Devices in Device Management. See Understanding Your User Role for more information.
|
password
|
A valid CiscoWorks password for username
|
ITM encrypts the password that you enter.
|
freq
|
How often (in hours) to resynchronize
|
Enter a positive integer (for example, 10).
|
Step 3 To apply the changes, you must stop and start the ItmChangeProbe process. Enter the following commands:
If you want to update CiscoWorks usernames and passwords, see the following topic:
•Configuring Users
Editing Device Configuration
After you add devices, you can change their configuration setup. On the Edit Device Configuration page, you can do the following:
•Changing Device Credentials
•Rediscovering a Device
•Deleting a Device
The Edit Device Configuration page contains two panes. The left pane displays a device selector, from which you select the device or group that you want to configure. The right pane displays the information for the selected object.
You can select devices by selecting the check box to the left of the device or device group. To view the device or group details, you must click the device or group name. Doing so highlights the device or group, and its details appear in the right pane.
The devices that appear in the device selector are organized in folders by device state. (For a description of device states, see the "What Are Device States?" section.) The folders appear in the device selector only if there is a device to go in the folder. Figure 4-3 shows an example of the device selector. In this example, the devices are in three states: Aware, Known, and Questioned. ITM creates the following folders:
•All Actionable Devices in Inventory Services—This folder is created when there are Known or Aware devices in the inventory.
•All Aware Devices in Inventory Services—Two subfolders are also created, the first listing devices that encountered the CCM Authentication Failure error, and the second listing devices that encountered the HTTP Server Down error.
•All Known Devices in Inventory Services
•All Questioned Devices in Inventory Services—Two subfolders are also created, the first listing devices that encountered the SNMP Timeout error, and the second listing devices that encountered other errors. Descriptions of the errors are displayed in the right pane, next to Error Message.
Figure 4-3 Edit Device Configuration Page
Note If at any time while using the Edit Device Configuration page, you want to refresh the view, click the Refresh button.
Changing Device Credentials
You can change the credentials for multiple devices at the same time only if they are all the same device type. For example, they can all be media servers or all network devices. This also applies if the devices are all part of an ICS device.
Note If you need to change the IP address for a device, you must delete the device and then readd it with the new IP address.
Step 1 Select IP Telephony Monitor > Device Management > Edit Device Configuration. The Edit Device Configuration page appears.
Step 2 Select the device or group that you want to change the credentials for, by selecting the check box next to the device or group name.
Step 3 Click Change Credentials.
Step 4 Enter the following information for the device:
Note For media servers or ICS devices, you must enter all of the credential information, even if it is not changing. If a field is left blank, it will be interpreted as having no value and the previous credentials will be removed.
•If you are changing the credentials of a network device, the only change you can make is to the read community string. Enter the read community string and verify it by entering it a second time.
•If you are changing the credentials of a media server or ICS device, you can change the following:
–Read community string; verify by entering the community string a second time.
–CCM access username.
–CCM access password; verify by entering the password a second time.
Note See the "Determining the Media Server Account to Use for Cisco CallManager Access" section for more information.
Note You cannot change the Ethernet phone port using this page. To change the Ethernet phone port, you must readd the device to ITM with updated Ethernet phone port information.
Step 5 Click OK.
Determining the Media Server Account to Use for Cisco CallManager Access
To enable ITM to access a Cisco CallManager, you must supply the username and password for an account on the media server. The account to use depends upon the Cisco CallManager version and might also depend on whether multilevel administration access (MLA) is enabled for the Cisco CallManager. Table 4-4 lists the options.
Table 4-4 Username and Password for Accessing the Cisco CallManager
Cisco CallManager Version on Media Server
|
MLA Enabled
or Disabled for Cisco CallManager
|
Required Account
|
Earlier than 4.0
|
Enabled or disabled
|
Valid Windows 2000 administrator account on the media server.
|
4.0 or later1
|
Enabled
|
A multilevel administration access account with either full access or read-only access to the Standard Serviceability Functional Group.
|
Disabled
|
Valid Windows 2000 administrator account on the media server.
|
Rediscovering a Device
Through the Edit Device Configuration page, you can rediscover devices or device groups. When rediscovery takes place, if there are any changes to a device or group configuration, the new settings will overwrite any previous settings.
Rediscovery occurs only for active devices. Suspended devices do not go through rediscovery. If some of the devices you are selecting for rediscovery are suspended devices, ITM displays messages indicating that only the active devices will go through rediscovery.
Step 1 Select IP Telephony Monitor > Device Management > Edit Device Configuration. The Edit Device Configuration page appears.
Note If you are connecting to the ITM server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. For more information, see the "Responding to Security Alerts" section.
Step 2 Select the device or group that you want to rediscover.
Step 3 Click Rediscover.
Rediscovery is started. To view rediscovery status, select IP Telephony Monitor > Device Management > View Discovery Status.
Tip
•If a device rediscovery times out for several devices, increasing the timeout settings might fix the problem. For details on modifying the timeout setting, see the "Modifying SNMP Timeout and Retries" section.
Deleting a Device
When a device is deleted from ITM, it is completely removed. If you later decide that you want to monitor the device again, you must add the device to ITM.
Note If you delete a device from ITM that is in RME inventory and you are using RME synchronization, the device is added to ITM again during subsequent RME synchronization updates. See the "Synchronizing ITM Inventory with RME Inventory" section.
RME synchronization is available only if you have downloaded and installed Incremental Device Update (IDU) 2 or later from the ITM download site: http://www.cisco.com/pcgi-bin/tablebuild.pl/item-3des.
Note If you only want to suspend the managed state of a device, you do not need to delete the device from ITM. You can suspend and resume the managed state of a device through the Detailed Device View page. For more details on suspending and resuming the managed state of a device, see the following:
•Suspending Device Monitoring
•Suspending/Resuming a Device Component
Note Depending upon the load that exists on the system, ITM takes approximately 15 to 40 seconds to delete a device.
Step 1 Select IP Telephony Monitor > Device Management > Edit Device Configuration. The Edit Device Configuration page appears.
Note If you are connecting to the ITM server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. For more information, see the "Responding to Security Alerts" section.
Step 2 Select the device or group that you want to delete.
Step 3 Click Delete.
Step 4 In the confirmation box, click Yes.
Viewing Device Details
On the View Device Details page, you select the devices for which you want to see device details. The Device Details display opens and displays the information for the devices.
The Device Details display provides basic information about the device such as name, IP address, when it was added, and so on. (For a description of the Device Details display, see the "Understanding the Device Details Display" section.)
Note If you require more detailed information about a device, use the Detailed Device View. It provides information about device components, including hardware and software information, environment, connectivity, interface components, and so on. (For a description of the Detailed Device View, see the "Viewing Device Elements in Detail" section.)
Figure 4-4 shows an example of the View Device Details page. Devices are organized in folders according to their device state. (For a description of device states, see the "What Are Device States?" section.)
Figure 4-4 View Device Details Page
Step 1 Select IP Telephony Monitor > Device Management > View Device Details. The View Device Details page appears.
Step 2 For each device for which you want to view details, expand the folders where the device is located.
Step 3 Select a device by clicking the box next to it. Do this for each device for which you want to view details. If you want to view details for all of the devices in a group, click the box next to the group.
Step 4 Click View.
The Device Details display appears.
Understanding the Device Details Display
The Device Details display shows details for the devices that you select. See the "Viewing Device Details" section for information on selecting devices.
Figure 4-5 shows an example of the Device Details display.
Figure 4-5 Device Details Display
Table 4-5 describes the information displayed in the Device Details display.
Table 4-5 Device Details Display
Heading/Button
|
Description
|
Device Name
|
Device name.
|
IP Address
|
Device IP address.
|
Status
|
Current state the device is in.
|
Function
|
Description or function of the device.
|
First Added
|
The first time the device was added into ITM.
|
Last Discovered
|
The time and date the device was last discovered.
|
|
Downloads the Device Details display to a file on your computer.
|
|
Displays the report in a printer-friendly format.
|
Viewing Discovery Status
In ITM, the View Discovery Status page displays the discovery status of a device. If you are using ITM Multi-View Manage, see the "Viewing Partition Membership Details" section.
Step 1 Select IP Telephony Monitor > Device Management > View Discovery Status. The View Discovery Status page appears.
Note If you are connecting to the ITM server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. For more information, see the "Responding to Security Alerts" section.
Figure 4-6 shows an example of the View Discovery Status page.
Figure 4-6 View Discovery Status Page
Table 4-6 describes the information displayed on the View Discovery Status page.
Table 4-6 View Discovery Status Page
Heading/Button
|
Description
|
Device Name
|
Device name.
|
Status
|
Current state the device is in.
|
ITM Processing
|
Possible values are Active or Suspended.
•Active—ITM is monitoring the device
•Suspended—ITM is not monitoring the device
|
Last Discovered
|
The time and date the device was last discovered.
|
Refresh
|
Refreshes the view.
|
Modifying SNMP Timeout and Retries
If an SNMP query does not respond in time, ITM will time out. It will then retry contacting the device for as many times as listed under the snmpretries attribute in the configuration file. The timeout period is doubled for every subsequent retry. For example, if the timeout value is 4 seconds and the retries value is 3, ITM waits for 4 seconds before the first retry, 8 seconds before the second retry, and 16 seconds before the third retry.
The SNMP timeout and retries are global settings.
The default values are:
•Timeout—4 seconds
•Retries—3
Figure 4-7 shows an example of the Modify SNMP Configuration page.
Figure 4-7 Modify SNMP Configuration Page
Step 1 Select IP Telephony Monitor > Device Management > Modify SNMP Configuration. The Modify SNMP Configuration page appears.
Note If you are connecting to the ITM server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. For more information, see the "Responding to Security Alerts" section.
Step 2 Select a new SNMP timeout setting.
Step 3 Select a new Number of Retries setting.
Step 4 Click Apply.
Step 5 In the confirmation box, click Yes.
Understanding Cisco CallManager Security Certificates
Cisco CallManager 4.1 or later supports enabling Secure Socket Layers (SSLs) on virtual directories. For secure communication between ITM and Cisco CallManager:
1. On Cisco CallManager 4.1 or later, enable SSL on these virtual directories:
–CCMApi—ITM uses services in this virtual directory to perform AXL/SOAP database queries.
–Soap—ITM uses services in this virtual directory to perform AXL/SOAP device queries.
Note By default, SSL is not enabled on the CCMApi and Soap virtual directories.
For information on enabling SSL (using Windows Internet Information Services (IIS)), see Cisco CallManager Security Guide for the appropriate release of Cisco CallManager.
2. On the server where ITM is installed, view and install any required Cisco CallManager security certificates. See Viewing and Importing a Cisco CallManager Security Certificate.
Note If you do not install required security certificates, ITM cannot monitor connectivity between devices and the Cisco CallManager; the Cisco CallManager remains in the Aware state.
3. To ensure that you maintain up-to-date security certificates on the ITM server, periodically validate Cisco CallManager security certificates. Validation does the following:
–Checks expiry dates.
–Verifies that the security certificates stored on the server with ITM are the same as those on the Cisco CallManager.
See Validating Cisco CallManager Security Certificates.
Managing Cisco CallManager Security Certificates
Note The Manage CCM Security Certificates page is available only if you have downloaded and installed Incremental Device Update (IDU) 5 or later from the ITM download site: http://www.cisco.com/pcgi-bin/tablebuild.pl/item.
The information in this topic is applicable only for media servers running Cisco CallManager 4.1 or later. You should perform this procedure after any of the following:
•You import a media server that is running Cisco CallManager 4.1 or later.
•You enable SSL on the CCMApi or Soap virtual directory on a media server (running Cisco CallManager 4.1 or later).
•A media server running Cisco CallManager 4.1 or later goes into the Aware state.
Step 1 Select IP Telephony Monitor > Device Management > Manage CCM Security Certificates.
Note ITM checks each Cisco CallManager media server to determine whether it requires a security certificate and checks the ITM server to determine whether a certificate has been imported.
The Manage CCM Security Certificates page appears, displaying the following information.
Column
|
Description
|
Usage Notes
|
Cisco CallManager Media Server
|
Media server DNS name or IP address
|
—
|
IP Address
|
Media server IP address
|
—
|
Certificate Status
|
Not Imported—A valid certificate exists on the Cisco CallManager media server. ITM requires the certificate.
|
You must import the certificate.
|
Imported—The certificate has been imported into ITM; whether the certificate is valid is not yet known.
|
To validate the certificate, you can:
•View the certificate; when you do so, ITM updates the certificate status.
•Validate all certificates.
|
Not Required—The Cisco CallManager is not using HTTPS.
|
—
|
Certificate Status (continued)
|
Validated—The certificate has been imported into ITM and matches the valid certificate on the Cisco CallManager media server.
Note This status is displayed only immediately after you view, import, or validate certificates.
|
You can:
•Validate the certificate again.
•View the certificate (however, you cannot import it again).
|
No Longer Valid—The certificate on the ITM server does not match the current, valid certificate in Cisco CallManager.
Note This status is displayed only immediately after you view or validate certificates.
|
You must import the certificate.
|
Not Validated—An error occurred; for example, the Cisco CallManager is not responding or the certificate in the Cisco CallManager has expired.
|
See the error messages that are displayed and take steps to correct the problem.
|
From this page, you can view, import, and validate security certificates.
Note If ITM is installed on the same server as Gateway Statistics Utility (GSU), a GSU user might have already installed the security certificate for a Cisco CallManager. (GSU uses the Soap virtual directory on the Cisco CallManager to perform SOAP perfmon queries.)
Viewing and Importing a Cisco CallManager Security Certificate
Use this procedure to update and view the security certificate status for a Cisco CallManager media server and to import the certificate. (To update the security certificate status for all Cisco CallManager media servers, see Validating Cisco CallManager Security Certificates.)
Step 1 Select IP Telephony Monitor > Device Management > Manage CCM Security Certificates. The Manage CCM Security Certificates page appears.
Step 2 Select a media server and click View Certificate.
Note If the certificate status is Not Required, the radio button for the media server is grayed out. For a description of each certificate status, see Managing Cisco CallManager Security Certificates.
ITM validates the security certificate. One of the following appears:
•An error dialog box—Displays validation errors.
•The View Security Certificate on Cisco CallManager Media Server page—Displays updated certificate details obtained from the Cisco CallManager media server.
Step 3 If an error dialog box is displayed, click OK and take steps to resolve the problem; see Responding to Errors While Viewing or Validating Certificates.
Step 4 If the View Security Certificate on Cisco CallManager Media Server page is displayed:
•If the certificate status is Not Validated, the certificate on the Cisco CallManager has expired. See user documentation for the Cisco CallManager for information on how to manage security certificates.
•If you want to view the public key and signature, click the View link for:
–Public Key—Opens the Public Key for Security Certificate: media server name window. Click Close to close this window.
–Signature—Opens the Signature for Security Certificate: media server name window. Click Close to close this window.
•If you can install the certificate, click Import Certificate.
Note The Import Certificate button is grayed out if the certificate cannot be imported. This is the case when the certificate status is Validated or Not Validated.
The Manage CCM Security Certificates page appears, displaying updated information.
Note Installing a security certificate from a Cisco CallManager on the server where ITM resides enables communication between ITEM applications on the same server and all virtual directories in the Cisco CallManager.
Validating Cisco CallManager Security Certificates
Use this procedure to update the certificate status for all media servers displayed on the Manage CCM Security Certificates page.
Step 1 Select IP Telephony Monitor > Device Management > Manage CCM Security Certificates. The Manage CCM Security Certificates page appears.
Step 2 Click Validate Certificates.
Note Validation is performed for all Cisco CallManager media servers. You do not need to select any Cisco CallManager media servers.
One of the following appears:
•Information dialog box—Displays a message that indicates certificate validation was successful for all Cisco CallManager media servers.
•Error dialog box—Lists Cisco CallManager media servers and errors that occurred while validating certificates.
Step 3 Click OK. The Manage CCM Security Certificates page appears with updated certificate status.
Step 4 If errors occurred, see Responding to Errors While Viewing or Validating Certificates
Responding to Errors While Viewing or Validating Certificates
Table 4-7 lists errors that might occur while managing Cisco CallManager security certificates and suggests how to respond to them.
Table 4-7 Cisco CallManager Security Certificate Errors
Errors
|
What to do
|
Cisco CallManager not responding—Cisco CallManager or HTTP server might be down or unreachable.
|
1. Verify network reachability.
2. Make sure that Cisco CallManager and the HTTP server process are running.
3. Try to view, import, or validate the certificate again.
|
•Certificate required, but missing in Cisco CallManager.
•Security certificate on the Cisco CallManager media server has expired.
|
See user documentation for the Cisco CallManager for information on how to manage security certificates on the Cisco CallManager.
|
Certificate not required—HTTPS has been disabled in Cisco CallManager.
|
Refresh the page by clicking Manage CCM Security Certificates; the certificate status should be Not Required.
|
A general error occurred while reading the certificate from Cisco CallManager.
|
See the DeviceManagement.log file on the ITM server for more details.
|
Feedback
