Installation and Setup Guide for Resource Manager Essentials 4.0 on Solaris (With LMS 2.5)
Preparing to Use Resource Manager Essentials
Download this chapter
Preparing to Use Resource Manager EssentialsPreparing to Use Resource Manager Essentials
Download the complete book
Installation and Setup Guide for Resource Manager Essentials 4.0 on Solaris (PDF Format)Installation and Setup Guide for Resource Manager Essentials 4.0 on Solaris (PDF Format) (PDF - 2 MB)
give_us_feedback

Table Of Contents

Preparing to Use RME Applications

Preparation Overview

Accessing the Server

Logging In

Configuring the Server

Configuring the Proxy Server

Setting Device Credentials

Setting Up Inventory

Adding Devices in RME to Collect Inventory Data

Setting Up Syslog Analyzer

Configuring Devices for Syslog Analyzer

Configuring Cisco IOS Devices

Configuring Catalyst Devices

Verifying the Settings in the Syslog Configuration File

Verifying the Syslog Collector

Setting Up Software Management

Verifying Space Requirements for Downloaded Files

Setting Software Management Preferences

Setting Up TFTP

Enabling the TFTP Daemon

Creating the /tftpboot Directory

Setting Up rcp

Creating the rcp Remote User Account

Enabling the rcp Daemon

Selecting rcp as the Active File Transfer Method

Setting Up SCP

Using SCP For File Transfer

Prerequisites for Secure Copy

Information About Secure Copy

How SCP Works

How to Configure SCP

Allowing the User casuser to Use at and cron

Setting Up Configuration Management

Modifying Device Configurations

Ensuring Devices are rcp-enabled

Ensuring Devices are SSH-enabled

Configuring Devices for Syslog Analyzer

Modifying Device Security

Setting Up NetConfig

Verifying Device Configurations

Modifying Device Security

Verify Device Prompts

Transport Settings Setup

Logging Out


Preparing to Use RME Applications

After installing and setting up Resource Manager Essentials (RME 4.0), you must configure the server for RME and configure the RME applications for use.

This chapter assumes that you have performed the client setup tasks described in Installation and Setup Guide for Common Services 3.0 (Includes Ciscoview) on Solaris.

This chapter consists of:

Preparation Overview

Accessing the Server

Logging In

Configuring the Server

Configuring the Proxy Server

Setting Device Credentials

Setting Up Inventory

Setting Up Syslog Analyzer

Setting Up Software Management

Setting Up Configuration Management

Preparation Overview

Table 2-1 lists the prerequisite tasks for using RME applications. It contains references to more detailed information about each task.

Table 2-1 Preparing To Use RME Applications Task Overview 

Task
Steps
References

1. Configure the system.

Enter information about the proxy server, SMTP, and rcp

"Configuring the Server" section.

2. Setting device credentials

Configure items on the devices that are to be monitored by RME.

"Setting Device Credentials" section

3. Set up Inventory.

a. Create network inventory by adding device information one device at a time.

"Adding Devices in RME to Collect Inventory Data" section.

b. (Optional) Obtain login privileges to Cisco.com (Cisco.com).

If you do not have login privileges, go to the Cisco.com home page, www.cisco.com, to obtain a login.

c. (Optional) Perform the following Inventory setup tasks:

Schedule inventory polling and collection.

Set change report filters.

Display a detailed device report.

Inventory Online help.

4. Set up Syslog Analyzer.

a. Configure your routers and switches for Syslog Analyzer.

"Configuring Devices for Syslog Analyzer" section.

b. Verify settings in the Syslog configuration file.

"Verifying the Settings in the Syslog Configuration File" section.

c. Verify Syslog messages are being processed by Syslog Analyzer.

"Verifying the Syslog Collector" section.

5. Set up Software Management.

d. Set Software Management preferences.

"Setting Software Management Preferences" section.

e. Obtain login privileges to Cisco.com.

If you do not have login privileges, go to the Cisco.com, to obtain a login.

f. Set up Trivial File Transfer Protocol (TFTP).

"Setting Up TFTP" section.

g. Set up rcp.

"Setting Up rcp" section.

h. Allow user casuser to use at and cron.

"Allowing the User casuser to Use at and cron" section.

i. (Optional) Perform setup tasks:

Create a baseline of the devices in your network and populate the software image library.

Schedule the Synchronize Library job to run periodically.

Create one or more approver lists if you want to use the Job Approval option.

Distribute a software image to a device or group of devices.

Software Management Online help.

6. Set up Configuration Management.

j. Modify device security.

"Modifying Device Security" section.

k. Set up NetConfig:

Verify device configurations in configuration archive.

Modify device security.

Verify device prompts.

"Setting Up NetConfig" section and NetConfig online help.

l. (Optional) Perform NetConfig setup tasks:

Configure default job properties.

Assign template access privileges to users.

Enable Job Approval.

NetConfig Online help.


Accessing the Server

When you access the CiscoWorks Server, the CiscoWorks Login Manager appears.

To access the server from a client system, enter any one of these URLs in your web browser:

If SSL is disabled and if you installed CiscoWorks Common Services (Common Services) on the default port, and enter: 

http://server_name:1741

If SSL is enabled, and if you installed CiscoWorks Common Services (Common Services) on the default port, enter: 

https://server_name:443

where server_name is the hostname of the server on which you installed RME. If an alternative port was assigned during Common Services installation, enter: 

http://server_name:port_number

where server_name is the name of the server on which you installed Common Services and RME, and port_number is the alternative port assigned during the installation.

You may enter http://server_name:1741 in the SSL mode. The URL gets redirected to https and it still works.

See the User Guide for CiscoWorks Server for information about administrator logins.

Logging In

To perform server setup tasks, you must log in as the system administrator:

Step 1 Enter the administrator username and password in the Login Manager dialog box: 

User Name: admin

Password: password

Step 2 Click Login.

The CiscoWorks homepage appears.

Configuring the Server

You can configure system-wide information for RME applications using the System Configuration option. You should verify that the defaults are correct, if not enter the corrections.

Step 1 Select Common Services > Server > Admin > System Preferences.

The View / Edit System Preferences dialog box appears.

Step 2 Select one of the following textboxes to enter information or to verify that the configured information is correct:

SMTP Server

RCP User

CiscoWorks Email ID

See Table 2-2 for descriptions of the information in each dialog box tab.

Step 3 Click Apply to save the changes, or click Defaults to apply the default.

Step 4 Repeat Step 2 and Step 3 until you have verified or corrected all the information displayed in the System Configuration dialog box.

The dialog box is displayed until you select another option from the
navigation tree.

Configuring the Proxy Server

To configure the proxy server:

Step 1 Select Common Services > Server > Security > Cisco.com Connection Management > Proxy Server Setup.

The Proxy Server Setup dialog box appears.

Step 2 Enter the following information:

Host name/IP address—Proxy host or IP address.

Port—Proxy port Number.

Username—Login ID of the proxy server. This is optional.

Password—Password of the proxy server. This is optional.

Verify—Re-enter the same password as in Password, to confirm.

See Table 2-2 for descriptions of the information in each dialog box tab.

Step 3 Click Apply to save the changes.

This dialog box is displayed until you select another option from the navigation tree.

Table 2-2 System Configuration Dialog Box Information 

Tab Name
Description
Fields—Values to Enter

HTTP Proxy

Connects to Cisco.com. If server access to the outside world is controlled through a proxy server, you must configure this setting.

Proxy URL—System-wide proxy URL. There is no default.

RCP User

Specifies the user during remote file transfers from devices. Authenticates rcp transfers between devices and server.

User account must exist on UNIX systems and should also be configured on devices as local user in the ip rcmd configuration command.

See "Setting Up rcp" section.

User Name—Name used by a network device when it connects to the server to run rcp.

SMTP Server

Sends E-mail.

SMTP Server—Server name. Default is localhost.

CiscoWorks Email ID

Specifies the E-mail ID of the user.

Enter the E-mail ID.


Setting Device Credentials

Several important items must be configured correctly on every Cisco device that will be managed and monitored through RME.

Details about each application and the tasks involved in setting the credentials are available later in this document. For details see Table 2-1.

Table 2-3 lists all the applications and the device credentials required for proper functioning of the applications.

Table 2-3 Applications and the Device Credentials 

Application
Telnet Password
Enable Password
SNMP Read Only
SNMP Read / Write

NetConfig

Required

Required

Required

Not required1

Config Editor

Required

Required

Required

Not required2

ChangeAudit

Not required

Not required

Required

Not required

Configuration Management (Telnet)

Required

Required

Required

Not required

Configuration Management3 (TFTP)4

Not required

Not required

Required

Required

Inventory

Not required

Not required

Required

Not required

SWIM

Required5

Required5

Required

Required

Syslog

Not required

Not required

Required

Not required

1 After execution of a job, NetConfig provides an option to fetch the configuration using TFTP. SNMP Read/Write credentials are required in such cases.

2 After execution of a job, Config Editor provides an option to fetch the configuration using TFTP. SNMP Read/Write credentials are required in such cases.

3 Configuration download also uses TFTP. Hence, SNMP Read/Write credentials are required.

4 The file vlan.dat can be fetched only if telnet password and enable password are supplied.

5 Required in case of few devices like PIX devices, Cisco 2950 series switches.


Setting Up Inventory

As a network administrator, you need to be able to quickly troubleshoot problems on the network, know the Inventory of the devices RME manages and run various kinds of reports both pre-canned reports and custom reports. The Inventory application in RME caters to these requirements.

This section describes the tasks that you must perform to set up the Inventory application.

For detailed information see User Guide for Resource Manager Essentials 3.5.

Adding Devices in RME to Collect Inventory Data

You must have at least one managed device (a device whose inventory information is tracked by RME) to verify correct RME installation. To manage your network, you need to add the device information for all your managed devices.

You can add devices to RME either manually or automatically.

By default, devices are added to RME from Common Services' Device and Credential Repository automatically.

If you have disabled the option Automatically Manage Devices from Credential Repository using RME > Admin > Device Mgmt > Device Management Settings, you have to follow the procedure as described below (step 1 through
step 3).

To populate your network inventory:

Step 1 Select RME > Devices > Device Management > RME Devices.

Step 2 Select the list of devices that you want RME to manage from the device credential repository.

Step 3 Click Add Devices.

The Device Management Status Summary dialog box appears.

Step 4 Use the Device Management Status Summary dialog box to check the status of the device you specified.

The dialog box should contain:

Device State
Number of Devices

Normal

0

Pending

1

Pre-deployed

0

Suspended

0

Alias

0

Conflicting

0

Total Number of Devices

1


If the device responded quickly, the Managed row might already contain one device.

Step 5 Refresh the screen to update device status.

If the pending count goes from 1 to 0 after you click Device Management and the Managed row has one device, RME was installed and configured correctly.

You might need to wait several minutes for the device to become managed.

Step 6 Click Device Management on the Device Management Status Summary dialog box every minute or so to check current device status.

For additional information, see the Online help.

If you added a device and the Device Management Status Summary dialog box shows that the device status has not changed from Pending even after 15 minutes, check the status of all processes to make sure they are running normally.

To view the latest device status information, select Resource Manager Essentials > Devices > Device Management.

To determine if the ICServer process is running, select Common services > Server > Admin > Processes. (The ICServer and Config Management are the processes responsible for validating devices and changing their status from Pending.)

Even if the ICServer process has the state Running Normally, it might be in an error state. You need to stop and restart it.

To stop the ICServer process:

a. Select Common Services > Server > Admin > Processes.

The Process Management dialog box appears.

b. Select the process.

c. Click Stop.

To restart the ICServer process:

a. Select Common Services > Server > Admin > Processes.

The Process Management dialog box appears.

b. Select ICServer from the list of processes

c. Click Start.

The device status should change to Managed within a couple of minutes.

Setting Up Syslog Analyzer

Syslog Analyzer lets you centrally log and track messages generated by devices. You can use the logged error message data to analyze device and network performance. You can customize Syslog Analyzer to produce the information and message reports that are important to your operation.

See the Online help for more information about Syslog Analyzer.

Setting up Syslog Analyzer involves:

Configuring Devices for Syslog Analyzer

Verifying the Syslog Collector

Configuring Devices for Syslog Analyzer

Before you can use Syslog Analyzer, you must configure your devices to forward messages to RME or to a system on which you have installed the distributed Syslog Analyzer Collector. For more information about setting up devices for message logging, see the online help, the Cisco IOS software documentation on Cisco.com (for Cisco IOS devices), and the appropriate reference guides.

Configuring Cisco IOS Devices

To configure Cisco IOS devices:

Step 1 Use Telnet to access the device and log in.

The prompt changes to host>.

Step 2 Enter enable.

Step 3 Enter the enable password.

The prompt changes to host#.

Step 4 Enter configure terminal.

You are now in configuration mode, and the prompt changes to host(config)#.

To make sure logging is enabled, enter logging on.

To specify the RME server to receive the router syslog messages, enter logging 123.45.67.89 (where 123.45.67.89 is the IP address of the CiscoWorks server).

Step 5 Set the logging trap level by entering logging trap informational.

Severity level informational means all alert and informational messages will be logged to the server.

Step 6 Verify that Syslog is running:

a. From the CiscoWorks desktop, select Common Services > Server >
Admin > Processes.

The Process Management dialog box appears.

b. Verify that the entry for Syslog Collector has the status, Running normally.

Also, verify the entry for status SyslogCollector, if you are directing syslogs to that server.

Step 7 Verify that the Syslog configuration file settings are correct. See the ""Verifying the Settings in the Syslog Configuration File" section for instructions.

Configuring Catalyst Devices

To configure Catalyst devices:

Step 1 Use Telnet to access the device and log in.

The prompt changes to host>.

Step 2 Enter enable and the enable password.

The prompt changes to host(enable)

Step 3 To make sure logging is enabled, enter set logging server enable.

Step 4 Enter set logging server 123.45.67.89 (where 123.45.67.89 is the IP address of the server) to specify the server that is to receive the Catalyst switch syslog messages.

Step 5 Set the logging trap level by entering set logging all level 6 default.

Severity level 6 means all messages from levels 0-6 (from alerts to notifications) will be logged to the server.

Step 6 Verify that Syslog is running. To do this:

a. From the CiscoWorks desktop, select Common Services > Server >
Admin > Processes.

The Process Management dialog box appears.

b. Verify that the entry for Syslog Analyzer has the status, Running normally.

Step 7 Verify that the Syslog configuration file settings are correct. See the "Verifying the Settings in the Syslog Configuration File" section for instructions.

Content Service Switches Devices

To configure Content Service Switches (CSS) devices using Telnet:

Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands: 

logging commands enable

logging host CiscoWorks IP address

logging facility local7

Content Engine Devices

To configure Content Engine (CE) devices using Telnet:

Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands: 

logging host CiscoWorks IP address

logging facility local7

NAM Devices

To configure NAM devices using Telnet:

Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands: 

remote-host CiscoWorks IP address

logging facility local7

PIX Devices

To configure PIX devices using Telnet:

Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands:

logging host CiscoWorks IP address [in_if_name] CiscoWorks IP address [protocol /port] [format emblem]

logging facility local7

where,

in_if_name is the interface on which the syslog server resides.

CiscoWorks IP address is the address of the CiscoWorks server.

protocol is the protocol over which the syslog message is sent; either tcp or udp. PIX Firewall only sends TCP syslog messages to the PIX Firewall Syslog Server.

You can only view the port and protocol values you previously entered by using the write terminal command and finding the command in the listing—the TCP protocol is listed as 6 and the UDP protocol is listed as 17.

port is the port from which the PIX Firewall sends either UDP or TCP syslog messages. This must be same port at which the syslog server listens.

For the UDP port, the default is 514 and the allowable range for changing the value is 1025 through 65535.

For the TCP port, the default is 1470, and the allowable range is 1025 through 65535. TCP ports only work with the PIX Firewall Syslog Server.

format emblem is the option that enables EMBLEM format logging on a per-syslog-server basis. EMBLEM format logging is available for UDP syslog messages only and is disabled by default.

Note For details on how to configure devices using the NetConfig Syslog task, refer to the Configuring the Device Using NetConfig Syslog Task section in the User Guide for Resource Manager Essentials 4.0.

Verifying the Settings in the Syslog Configuration File

To check the path and permissions of the file pointed to by local7.info in the syslog configuration file /etc/syslog.conf on the server:

The first occurrence of local7 in the syslog.conf file, must contain the path for the Syslog message source.

Step 1 Make sure the facility.level definition is set to local7.info, and that the following line is present (note that there must be a tab between local7.info and the path/filename): 

local7.info     path/filename

where path/filename is the full path to a file.

Step 2 Make sure the syslog process (syslogd) can both read and write to the file.

If you modified the /etc/syslog.conf file, you must restart the syslog process (syslogd). Enter the following command to stop and restart syslogd: 

/etc/init.d/syslog start and /etc/init.d/syslog stop

If the start and stop command does not work, enter: 

kill -HUP `cat /etc/syslog.pid`

Step 3 Make sure the Message Source in the CiscoWorks Server is the same as the filename you specified in the syslog.conf file.

To check the path for the syslog.conf, look for the SYSLOG_FILES variable in the Collector.properties file available at the following location: 

$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc
/data.

Verifying the Syslog Collector

To verify that the Syslog Collector is processing syslog messages from the network:

Step 1 Log in to a managed router that is configured to send Syslog messages to the server. You must have appropriate login privileges to make configuration changes.

Step 2 Make a nondestructive change to the router configuration. For example, to change the contents of the login banner enter: 

# enable

# configure terminal

The prompt changes to #>. 

#> banner motd /

This is a test /

#> end

Step 3 Wait approximately 2 minutes for the server to process the Syslog message

Step 4 Select RME > Reports > Report Generator.

The Report Generator dialog box appears.

Step 5 Select Syslog from the Select an Application drop-down menu.

Step 6 Select Standard Report from the Select a Report drop down menu.

The Standard Reports dialog box appears.

Step 7 Select the device for which you made a change. For more information, see the Online help.

Step 8 Click Finish.

The Syslog-Standard report appears.

Verify that the report contains the Syslog message that the configuration change generated.

Setting Up Software Management

Cisco is constantly improving the quality and functionality of device software. As a network administrator, you need to know what versions are currently running on your devices, and you must be aware of new software versions available to identify when upgrades are needed.

When software upgrades are required, you must plan for and manage the upgrade to minimize the disruption to the end users. The process of manually upgrading multiple devices on the network can be a very time-consuming and error-prone process.

Software Management application performs system software upgrades, boot loader upgrades, and software configuration operations on groups of routers and switches. For more information about setting up Software Management, see the Online help.

Setting up Software Management involves the following:

Verifying Space Requirements for Downloaded Files

Setting Software Management Preferences

Setting Up TFTP

Setting Up rcp

Allowing the User casuser to Use at and cron

Verifying Space Requirements for Downloaded Files

Software Management files downloaded to the server from the Cisco.com or the product CD-ROM are stored in the /var directory or its subdirectories. Make sure there is enough space in the /var directory for all files that you plan to download.

Before you can use Software Management, you must have sufficient space to store the software image files. You should have 4 to 20 MB of space for each IOS and Catalyst image. For, NAM and Content Engine images you must have 150 MB of space.

In addition, you need space for some smaller downloaded files and temporary files. To accommodate these needs, add at least 20% to the space needed for software image files for your final space calculation in the /var directory.

Note The space for each image varies according to the device type.

Setting Software Management Preferences

Software Management has many preferences you can set to control how the application behaves. To set preferences:

Step 1 Select RME > Admin > Software Mgmt > View/Edit Preferences.

The Edit Preferences dialog box appears.

Step 2 Change preferences as appropriate. For more information, see the Online help.

Step 3 After you complete the changes:

Click Apply to save your changes.

Click Defaults to display the default configuration.

Setting Up TFTP

A file transfer server must be installed on your system. You must enable a Trivial File Transfer Protocol (TFTP) server because it is the default file transfer server type.

During Software Management installation, if the installation tool cannot find a TFTP server, it tries to add one. If the installation tool cannot find or create a TFTP server, install and enable the TFTP server and verify that a /tftpboot directory exists, as explained in the following sections.

Enabling the TFTP Daemon

If you are using standard Solaris software, you can add and configure the TFTP server (TFTPD).

Step 1 Log in as superuser.

Step 2 Using a text editor, edit the /etc/inetd.conf file.

a. Look in the file /etc/inetd.conf for the line that invokes TFTPD. If the line begins with a pound sign (#), remove the pound sign with your text editor. Depending on your system, the line that invokes the TFTP server might look similar to: 

tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

b. Save the changes to the edited file and exit your text editor.

Step 3 At the UNIX prompt, enter the following command to display the process identification number for the inetd configuration: 

# /usr/bin/ps -ef | grep -v grep | grep inetd

The system response is similar to: 

root  119   1  0  12:56:14 ?           0:00 /usr/bin/inetd -s

The first number in the output (119) is the process identification number of the inetd configuration.

Step 4 To enable your system to read the edited /etc/inetd.conf file, enter: 

# kill -HUP 119

where 119 is the process identification number identified in Step 3.

Step 5 Verify that TFTP is enabled by entering either: 

# netstat -a 

or 

# grep tftp

which should return output similar to: 

*.tftp Idle

or enter: 

# /opt/CSCOpx/bin/mping -s tftp localhost_machine_name

which returns the number of modules sent and received, for example: 

sent:5 recvd:5 . ..

If the output shows that zero modules were received, TFTP is not enabled. Repeat these steps, beginning with Step 1, to make sure you have enabled TFTP.

Creating the /tftpboot Directory

RME uses the /tftpboot directory when transferring files between the RME server and network devices. The files are removed after the transfer is complete, but multiple jobs (for example, image distribution, image import, or config file scan) could be running at the same time.

Each of these jobs requires its own space. Software image sizes, for example, can be up to 20 MB. To ensure that jobs run successfully, make sure there is sufficient space available in the /tftpboot directory.

If the /tftpboot directory does not exist on your system, you must create it:

Step 1 Enter: 

# mkdir /tftpboot

Step 2 Make sure all users have read, write, and execute permissions to the /tftpboot directory by entering: 

# chmod 777 /tftpboot

The /tftpboot directory now exists and has the correct permissions.

Setting Up rcp

You can enable a remote copy (rcp) server on the server and select it as the active file transfer server. If you select rcp as the active server and then try to transfer files to a device that does not support rcp, RME uses TFTP to transfer the files.

Creating the rcp Remote User Account

To use rcp, you must create a user account on the system to act as the remote user to authenticate the rcp commands issued by devices. This user account must own an empty .rhosts file in its home directory to which the user casuser has write access.

You can choose the name of this user account because you can configure the RME server to use any user account. The default user account name is cwuser. The examples in this procedure use the default name cwuser. If you choose to use a different name, substitute that name for cwuser.

To create and configure the rcp remote user account, follow these steps while logged in as root:

Step 1 To add a user account named cwuser to the system, enter: 

# useradd -m -c "user account to authenticate remote copy operations" 
\ cwuser

Step 2 Navigate to the cwuser home directory.

To create the .rhosts file, enter:

# touch .rhosts

To change the owner of the .rhosts file, enter:

# chown cwuser:casusers .rhosts

To change the permissions of the .rhosts file, enter:

# chmod 0664 .rhosts

If you did not use the default user name cwuser, use the user account that you created as the rcp remote user account.

a. Log on to the server as admin.

b. From the CiscoWorks Homepage, select Common Services > Server > Admin > System Preferences.

The System Preferences dialog box appears.

c. In the RCP User field, enter the name of the user account that you just created in the User Name field, then click Apply.

Enabling the rcp Daemon

To add and configure standard Solaris rcp server software:

Step 1 Log in as superuser.

Step 2 Using a text editor, edit the /etc/inetd.conf file.

a. Look in the file /etc/inetd.conf for the line that invokes rshd. If the line begins with a pound sign (#), remove the pound sign with a text editor. Depending on your system, the line that invokes the rshd server might look similar to: 

shell  stream  tcp   nowait  root   /usr/sbin/in.rshd   in.rshd

b. Save the changes to the edited file and exit the text editor.

Step 3 At the UNIX prompt, enter the following to display the process identification number for the inetd configuration: 

# /usr/bin/ps -ef | grep -v grep | grep inetd

The system response is similar to: 

root  119   1  0  12:56:14 ?           0:00 /usr/bin/inetd -s

The first number in the output (119) is the process identification number of the inetd configuration.

Step 4 To enable your system to read the edited /etc/inetd.conf file, enter: 

# kill -HUP 119

where 119 is the process identification number identified in Step 3.

Step 5 Verify that rshd is enabled by entering: 

# netstat -a | grep shell

which should return output similar to: 

*.shell    *.*     0 0 0 0 LISTEN

Selecting rcp as the Active File Transfer Method

If you have enabled rcp as the file transfer method, RME uses rcp to transfer device software images. For devices that do not support rcp, RME uses TFTP to transfer files.

You can disable rcp if you do not want RME to use it with any devices.

Step 1 Select RME > Admin > Software Mgmt > View/Edit Preferences.

Step 2 Set the protocol order so that RCP is the first protocol in the order.

Step 3 Click Apply.

Setting Up SCP

RME supports the Secure Copy (SCP) file transfer. It is a secure and authenticated method for copying router configuration or router image files. SCP relies on Secure Shell (SSH).

RME uses rcp with devices that support rcp. For other devices, RME uses TFTP.

The devices that support SCP protocol are Cisco 7200 series, Cisco 7500 series, Cisco 12000 series, Cisco 1700 series, Cisco 2600 series, Cisco 3620, Cisco 3640, Cisco 3660.

Using SCP For File Transfer

SCP is derived from rcp.

The following are the prerequisites for Secure Copy:

Configure SSH, authentication, and authorization on the router.

Ensure the router has a Rivest, Shamir, and Adelman (RSA) key pair. SCP relies on SSH for its secure transport.

The behavior of SCP is similar to that of remote copy (rcp), except that SCP relies on SSH for security. In addition, SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether you have the correct privilege level.

SCP allows anyone who has appropriate authorization to copy any file that exists in the Cisco IOS File System (IFS) to and from a router by using the copy command. An authorized administrator may also perform this action from a workstation.

Prerequisites for Secure Copy

Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the router.

Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman (RSA) key pair.

Information About Secure Copy

To configure Secure Copy feature, you should understand the following concepts.

How SCP Works

How to Configure SCP

How SCP Works

The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. In addition, SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.

SCP allows a user who has appropriate authorization to copy any file that exists in the Cisco IOS File System (IFS) to and from a router by using the copy command. An authorized administrator may also perform this action from a workstation.

How to Configure SCP

This section contains the following procedures:

Configuring SCP

Verifying SCP

Troubleshooting SCP

Configuring SCP

To enable and configure a Cisco router for SCP server-side functionality, perform the following steps:

 
Command
Purpose

Step 1  

enable

Example: 

Router > enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2  

configure terminal

Example: 

Router# configure terminal

Enters global configuration mode.

Step 3  

aaa new-model

Example: 

Router (config)# aaa new-model

Enables the AAA access control system.

Step 4  

aaa authentication login {default | 
list-name} method1 [method2...]

Example: 

Router (config)# aaa authentication 
login default local

Sets AAA authentication at login.

Step 5  

aaa authentication enable {default | 
list-name} method1 [method2...]

Example: 

Router (config)# aaa authentication 
enable default none

Sets AAA authentication at enable.

Step 6  

aaa authorization {network | exec | 
commands level | reverse-access | 
configuration} {default | list-name} 
[method1 [method2...]]

Example: 

Router (config)# aaa authorization 
exec default local

Sets parameters that restrict user access to a network.

Note The exec keyword runs authorization to determine if the user is allowed to run an EXEC shell; therefore, you must use it when you configure SCP.

Step 7  

username name [privilege level] 
{password encryption-type 
encrypted-password}

Example: 

Router (config)# username superuser 
privilege 15 password 0 superpassword

Establishes a username-based authentication system.

Note You may skip this step if a network-based authentication mechanism—such as TACACS+ or RADIUS—has been configured.

Step 8  

ip scp server enable

Example: 

Router (config)# ip scp server enable

Enables SCP server-side functionality.


Verifying SCP

To verify SCP server-side functionality, perform the following steps:

 
Command or Action
Purpose

Step 1  

enable

Example: 

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2  

show running-config

Example: 

Router# show running-config

Verifies the SCP server-side functionality.


Troubleshooting SCP

To troubleshoot SCP authentication problems, perform the following steps.

 
Command or Action
Purpose

Step 1  

enable

Example: 

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2  

debug ip scp

Example: 

Router# debug ip scp

Troubleshoots SCP authentication problems.


Allowing the User casuser to Use at and cron

Software Management uses at and cron to schedule Software Management image transfers to devices. The process that performs the download is executed as casuser, so the user casuser must be allowed to use at and cron.

To allow the user casuser to use at:

If an at.deny file exists in the /usr/lib/cron directory, make sure casuser is not listed in it. If necessary, remove casuser from the at.deny file using a text editor.

If an at.allow file exists in the /usr/lib/cron directory, make sure casuser is listed in it. If necessary, add casuser to the at.allow file, using a text editor.

If neither an at.allow nor an at.deny file exist in the directory /usr/lib/cron, create an at.allow file and add casuser to it, using a text editor.

To allow the user casuser to use cron:

If a cron.deny file exists in the /usr/lib/cron directory, make sure casuser is not listed in it. If necessary, remove casuser from the cron.deny file, using a text editor.

If a cron.allow file exists in the /usr/lib/cron directory, make sure casuser is listed in it. If necessary, add casuser to the cron.allow file, using a text editor.

If neither a cron.allow nor a cron.deny file exists in the /usr/lib/cron directory, create a cron.allow file and add casuser to it, using a text editor.

Setting Up Configuration Management

One of the most difficult but most important things to manage on network devices is the device configuration. Often a change to the device configuration leads to network performance issues and faults. The device configuration is the key to how a device operates on the network and traffic is passed.

As the network administrator, you need to be able to control and track changes to device configurations in order to minimize errors and assist in troubleshooting problems.

This can be very difficult if several people are making changes to the device configurations. It can also become very repetitive and time-consuming to make the same update to each individual device on the network. Configuration Management application can help simplify and automate these tasks.

Before Configuration Management can gather device configurations, you need to update the RME database with passwords (credentials) and modify device configurations.

Note rcp and SSH are required only if you wish to use them.

Modifying Device Configurations

You need to modify your device configurations so that Configuration Management can gather the configurations. After you perform the following procedures and your devices become managed, the configuration files are collected and stored in the configuration archive.

Ensuring Devices are rcp-enabled

Make sure the devices are rcp-enabled by logging into each device and entering the following commands in the device configurations: 

# ip rcmd rcp-enable

# ip rcmd remote-host local_username 123.45.678.90 remote_username 
enable

where 123.45.678.90 is the IP address or hostname of the system on which RME is installed. The default remote_username and local_username are casuser.

Ensuring Devices are SSH-enabled

Make sure the devices are SSH-enabled by logging into each device and entering the commands for the following kinds of devices:

For Catalyst Switches Running Cat OS

For Cisco IOS Routers

For Catalyst Switches Running Cat OS

To enable SSH on Catalyst switches:

Step 1 Generate an RSA key, by entering: 

sec-cat6000> (enable) set crypto key rsa 1024

A message similar to the following appears: 

Generating RSA keys..... [OK]

Step 2 Verify the RSA key, by entering: 

sec-cat6000> (enable) ssh_key_process: host/server key size: 1024/768

Step 3 Display the RSA key, by entering: 

sec-cat6000> (enable) show crypto key

A message similar to the following appears: 

RSA keys were generated at: Mon Jul 23 2001, 15:03:30 1024 65537 
1514414695360

5773328536717047857098506066347687468697169639403524406206785753387015
50888525

6996914783305378400669569876102078109594986481799653300180108447858634
72773067

6971852564183862430018810088305612411373816928200786743760582755731334
48529332

1996682019301329470978268059063378215479385405498193061651

Step 4 Specify the host or subnets which are allowed to use SSH to communicate with the switch.

For example, to specify that the IP addresses 172.18.124.0 and 255.255.255.0 be allowed to use SSH, enter:

If you do not perform this step, the switch will display the following error:
WARNING!! IP permit list has no entries! 

sec-cat6000> set ip permit 172.18.124.0 255.255.255.0

A message similar to the following appears: 

172.18.124.0 with mask 255.255.255.0 added to IP permit list.

Step 5 To enable SSH, enter: 

sec-cat6000> (enable) set ip permit enable ssh

A message similar to the following appears: 

SSH permit list enabled.

Step 6 Verify the SSH permit list, by entering: 

sec-cat6000> (enable) sho ip permit

A message similar to the following appears: 

Telnet permit list disabled.

Ssh permit list enabled.

Snmp permit list disabled.

Permit List Mask Access-Type

---------------- ---------------- -------------

172.18.124.0 255.255.255.0 telnet ssh snmp


Denied IP Address Last Accessed Time Type

----------------- ------------------ ------

For Cisco IOS Routers

To enable SSH on Cisco IOS Routers:

For example, if you want router1 to act as an SSH client to the another router, you can add SSH to a second router, say router2. The routers will then be in a client-server arrangement, with router1 acting as the server and router2 acting as the client.

The IOS SSH client configuration on router2 is the same as required for the SSH server configuration on router1.

Step 1 Configure the hostname for router1, by entering: 

hostname router1

A message similar to the following appears: 

username username password 0 password

Step 2 Configure the DNS domain on router1, by entering: 

ip domain-name domain-name

Step 3 Generate the SSH key to be used, by entering: 

cry key generate rsa

A message similar to the following appears: 

ip ssh time-out 60

ip ssh authentication-retries 2

Step 4 Enable SSH transport support for vtys:

By default, vtys transport is through Telnet. In this case, Telnet has been disabled and only SSH is supported. 

line vty 0 4

transport input SSH

Configuring Devices for Syslog Analyzer

Configure your devices for Syslog Analyzer if you want the device configurations to be gathered and stored automatically in the configuration archive when syslog messages are received. See the "Setting Up Syslog Analyzer" section or refer to the online help for more information.

Modifying Device Security

Configuration Management must be able to run certain commands on devices to archive their configurations. You must disable the security on devices that prevents Configuration Management from running the commands shown in Table 2-4.

Table 2-4 Required Configuration Management Commands  

Command Type
Command
Description

Catalyst commands

set len 0

Turns paging off for the Telnet session.

write term

Gets the running configuration.

IOS commands

term len 0

Turns paging off for the Telnet session.

show run

Gets the running configuration.

show config

Gets the startup configuration.


Setting Up NetConfig

The NetConfig function provides wizard-based templates to simplify and reduce the time it takes to roll out global changes to network devices. These templates can be used to execute one or more configuration commands on multiple devices at the same time.

For example, if you want to change passwords on a regular basis to increase security on devices, you can use the appropriate password template to update passwords on all devices at once. A copy of all updated configurations will be stored in the configuration archive.

This section describes how to set up NetConfig. This involves:

Verifying Device Configurations

Modifying Device Security

Verify Device Prompts

Transport Settings Setup

Verifying Device Configurations

NetConfig can configure devices that do not have archived configurations. However, rollback command generation may be faulty if the archived configuration is not present. Use the Configuration Archival Summary to:

Verify that devices you want to configure have an archived configuration.

Troubleshoot the devices that do not have an archived configuration.

To verify configuration archive status:

Step 1 Select RME > Config Mgmt > Archive Mgmt.

The Configuration Archival Summary dialog box appears with the archival status.

Step 2 Click on a device status to view details:

Click Successful to display information on archived configurations.

Click Failed to display information on configurations that could not be obtained. To update the archive for failed devices.

Click Partially Successful to display the Catalyst 5000 devices whose submodules were not pulled into the archive.

Step 3 Click Sync Archive.

For more information, see the Configuration Management Online help

Modifying Device Security

In addition to running the configuration commands that you assign to each job, NetConfig must be able to run certain commands on devices to configure them. You must disable the security on devices that prevents NetConfig from running the commands listed in Table 2-5.

Table 2-5 Required NetConfig Commands  

Command Type
Command
Description
IOS Commands

term len 0

Turns paging off for Telnet session

write term

Gets running configuration

show config

Gets startup configuration

write mem

Writes running configuration to startup configuration

config t

Enters config mode

exit

Exits config mode

Catalyst Commands

set len 0

Turns paging off for Telnet session

write term

Gets running configuration

Content Service Switch Commands

no terminal more

Disables support for more functions with the terminal.

show running-config

Gets all components of the running configuration.

show startup-config

Gets the CSS startup configuration (startup-config).

Content Engine Commands

term len 0

Turns paging off for Telnet session.

show run

Gets running configuration.

show config

Gets startup configuration.


Verify Device Prompts

NetConfig requires particular CLI prompt formats:

If the Telnet transport mechanism is used, the following prompts are applicable.

For IOS-based devices, Content Engine devices, and Content Service Switch devices:

The login prompt must end with a greater-than symbol (>).

The enable prompt must end with a pound sign (#).

For Catalyst devices:

The login prompt must end with a greater-than symbol (>).

The enable prompt must end with the text (enable).

If the secure shell (SSH) transport mechanism is used, the following prompts are applicable.

For IOS-based devices, Content Engine devices, and Content Service Switch devices:

The login prompt may end with any one of the following: (>), (#), (:), (%).

The login prompt may end with any one of the following: (>), (#), (:), enable prompt must end with a pound sign (#).

For Catalyst devices:

The login prompt may end with any one of the following: (>), (#), (:), (%).

The enable prompt must end with the text (enable).

Default prompts use this formatting. If you have changed your defaults, verify that the prompts meet these requirements, and change them if they do not.

Transport Settings Setup

Transport Settings Setup Window allows you to setup:

Transport Protocol Order for NetConfig, Archive Management and Config Editor Jobs

Password Policy for NetConfig, Archive Management and Config Editor Jobs

Transport Protocol Order for NetConfig, Archive Management and Config Editor Jobs

You can set the protocol order for NetConfig, Config Editor and Config Archive Jobs to download configurations and for NetConfig and Config Editor to fetch configurations.

This setup provides the flexibility of using your preferred protocol order for fetching and downloading the configuration.

Step 1 Select Resource Manager Essentials > Admin > Config Mgmt

The Transport Settings page appears.

Step 2 Select the Application Name from the drop down menu.

Step 3 Select a protocol from the Available Protocols pane and click Add. Then do the following:

If you want to remove a protocol or change the protocol order, you can remove the protocol using the Remove button and re-add the protocol, again.

The list of protocols that you have selected appears in the Selected Protocol Order pane.

If a configuration fetch or update operation fails, an error message appears. This message gives details only about the supported protocol for the particular device.

For the list of supported protocols, see Supported Device Table for Configuration Management application on Cisco.com.

Step 4 Click Apply.

A confirmation message appears.

Step 5 Click OK.

For more information, see Configuring Transport Protocols online help.

Password Policy for NetConfig, Archive Management and Config Editor Jobs

You have the option of entering your user name and password for job execution.

If you enter your username and password, RME ignores the username and password in the database and uses the newly entered username and password, instead.

If you do not enter your username and password, RME uses the username and password in its database.

This option of entering the username and password for job execution helps in high security installations where device passwords are changed at frequent intervals. In such instances, the passwords may be changed every 60-90 seconds.

Step 1 Select RME > Admin > Config Mgmt > Config Job Policies.

The Config Job Policies dialog box appears.

Step 2 Select Enable Job Password check box.

Step 3 Click Apply.

A confirmation message appears.

Step 4 Click OK.

For more information, see the Configuring Default Job Policies online help.

Logging Out

To end your administrator tasks, you must log out of CiscoWorks.

Step 1 Close all secondary browser windows. You should have only one browser window opened, displaying the CiscoWorks interface.

Step 2 Click Logout.

The Login Manager dialog box replaces the CiscoWorks homepage.