Cisco Policy Suite User Administration

Introduction

This document describes how to create, configure, and update users (user administration) in Quantum Policy Suite (QPS). This is more specific to QPS Release 5.5 and later. User management is described for these three sections within QPS:

• User Management for QPS VM (all the VMs; such as PCRFClient0x, Lb0x, and QNS0x )
• User Management for Control Center
• User Management for Policy Builder (PB-Subversion [PB-SVN] Repository)

Note: QPS was renamed to Cisco Policy Suite (CPS) in Version 8.0.0.

User Management for QPS VM

This section explains about user management in QPS VM (LB, PCRFClient, QNS, and so on).

Create a New Local User with a Default Group

By default, a local user addition creates the group name the same as the user name. Group addition is not mandatory.

1. Enter the useradd -m -d /home/<user id> -c "Local User" <user id> command in order to create the user id. In this example it is 'aravibal'.

   

2. Enter the passwd <user id> command in order to set the password for the newly created user.

   

3. Grant access to the newly created local user. Edit the /etc/security/access.conf file and add this line:

   "+:<User ID>:ALL

4. Edit the /etc/ssh/sshd_config file and add the new user to the end of the line 'AllowUsers'.

   

5. Enter the service sshd restart command in order to restart the Secure Shell Daemon (SSHD) service.

   

6. Log in as the new user and enter the the ssh localhost -l <newly_created_user id> command in order to show the user id and group name.

   

Create a New Local User With a New Group

1. Enter the groupadd <groupname> command in order to create a new group.

   

2. Enter the cat /etc/group command in order to check your newly created group id in the file /etc/group.

   

3. Enter the useradd -m -d /home/<user id> -c "Local User" <user id>  -g<new group name> command in order to create the new local user with the new group.

   

4. Complete steps 3 thru 6 in the Create a New Local User with a Default Group section.

Modify the User Account

Complete this section in order to modify settings for password aging, lock, unlock, and account expiry.

Enter the chage -l <user id> command in order to check the password expiration age.

The system administrator can complete these actions as needed:

• Enter the chage -M <number of days > <user id> command in order to set the password expiry date for any user.

  The number of days is calculated from the current system date. For example, if you would like to set the password expiration after 25 days enter chage -M 25 <user ID>. The option -M updates both the password expires and maximum number of days between password change.

  

• Enter the chage -E "YYYY-MM-DD" <user id> command in order to set the account expiry date for any user. The date should be given in "YYYY-MM-DD" format.

  

• Enter the chage -m 0 -M 99999 -I -1 -E -1 <user id> command in order to disable the password aging.
  • -m 0 sets the minimum number of days between password change to 0
  • -M 99999 sets the maximum number of days between password changes to 99999
  • -I -1 (number minus one) sets the 'Password inactive' to never
  • -E -1 (number minus one) sets 'Account expires' to never

  

• Enter one of the these commands in order to lock or unlock a user:
  • lock the user - passwd -l <user id>
  • unlock the user - passwd -u <user id>
• Enter the passwd -S <user id> command in order to check whether the account status is locked.

  This output consists of seven fields, the second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P).

  Note: In Release 5.5 the -S option works, but only with one user at a time. You will have to check if you have the -a option available in Release 6.0. For example, enter the passwd -Sa command.

  

• Enter the passwd <user ID> command in order to reset the passwords for all user ids, inclusive of the admin user. For example, passwd broadhop1.
• Enter the faillog -a command in order to check the failed log in attempts for all users.

  

• Enter the userdel <user id> command in order to delete the user. The userdel -r <user ID> command removes the user's home directory. For example, userdel -r aravibal.

User Management for Control Center

Control Center (CC) is not available in earlier versions of QPS, that is CC is not available in QPS Release 2.5.7. The CC GUI is available only in QPS Release 5.3 and later.

Edit this XML file in PCRFClient01, '/etc/broadhop/authentication-provider.xml', in order to add a new user id or change the password in CC. There are two authorities for CC, read-only and admin.

<user name="userid" password="password" authorities="ROLE_READONLY"/>

<user name="userid" password="password" authorities="ROLE_SUMADMIN"/>

Remove the appropriate line from this XML file in order to delete a user.

User Management for Policy Builder

This section explains about user administration in PB.

Create a User

1. Enter the htpasswd -b /var/www/svn/password <username> <password> command on pcrfclient01 in order to add an SVN user.

   Note: In some cases the password file is hidden as .htpasswd. You might need to enter htpasswd -b /var/www/svn/.htpasswd <username> <password>.

   

2. Edit the line admins = broadhop, <username> in the /var/www/svn/users-access-file file in order to provide read/write access to the user.

   

Modify a User

1. Enter the htpasswd /var/www/svn/password <username> command in order to reset the password for a current user in PB (SVN repository). For example, htpasswd /var/www/svn/password broadhop2.

   Note: In some cases the password file is hidden as .htpasswd. You might need to enter htpasswd -b /var/www/svn/.htpasswd <username> <password>.

   

2. Enter the htpasswd  -D password <user id> command in order to delete users in PB (PB-SVN repository). For example, htpasswd -D password broadhop1.

   

3. Enter these commands in order to determine which user recently committed a change in PB and who are all the users that have committed changes.
   • #svn log http://pcrfclient01/repos/configuration/  | more
   • #svn log http://pcrfclient01/repos/configuration/ | grep '^r[0-9]' | awk '{print $3}' | sort | uniq

Useful Information

• The system default user 'qns' does not have a password.

• Use 'pwck' and 'grpck' in order to check the integrity of /etc/passwd, /etc/shadow, and /etc/group.

• Multiple users in PB is available in QPS Release 6.0 and later. In earlier versions PB can have multiple users to log in and make changes, but this results in an override.

• If you would like to keep idle session time, enter the export TMOUT=120 command. (Users will be logged out if they are inactive for two minutes= 120 seconds.)

• You can check in the /var/log/httpd/access_log when the user connects to PB (SVN repository).

• All the user authentication failures related to PB can be checked in /etc/httpd/logs/error_log.

• Information related to authentication and authorization privileges can be found in /var/log/secure. For example, SSHD logs all the messages which include unsuccessful log ins.