Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Elastic Services Controller 2.3 Install and Upgrade Guide

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Elastic Services Controller 2.3 Install and Upgrade Guide

Chapter Title

Post Installation Tasks

Results

Updated:
November 1, 2016

Chapter: Post Installation Tasks

Post Installation Tasks

This chapter contains the following sections:

Logging in to the ESC Portal


Note

  • The ESC portal is enabled by default. You must ensure that the ESC portal is not disabled during installation. For more information on enabling or disabling the ESC portal, see Installing Cisco Elastic Services Controller Using the QCOW Image.

  • When you log in to the ESC portal for the first time you are prompted to change the default password.

To log in to the ESC portal, do the following:

Before You Begin
    Step 1   Using your web browser, enter the IP address of ESC and port 9001.

    Example:

    For example, if the IP address of ESC is 192.0.2.254, enter:

    https://192.0.2.254:9001 [ login via https]

    A Security Alert message is displayed.

    Step 2   Click Yes to accept the security certificate. The Login page is displayed.
    Step 3   Enter the username and password and click Login .

    If you are logging in for the first time, the login page reappears, prompting you to change your password.

    Step 4   Enter the old password in the Old Password field, then enter a new password in the New Password and Confirm Password fields.
    Step 5   Click Update Password or press Enter.
    Note   

    • If the UI becomes unresponsive, restart the UI by executing the restart esc_ui from the ESC shell prompt.

    • ESC Portal only supports one user.

    • Currently, a pre-installed self-signed certificate supports HTTPS. The user must confirm the self-signed certificate before proceeding with the ESC Portal.

    • In HTTPS communication mode, if the URL protocol type returned by OpenStack is not HTTPS, the access to the VNF Console may be disabled. For security reasons, while running in HTTPS more non-secure communication will be rejected.

    Changing the ESC Password

    You will be forced to change the default password on first time login. Portal will not let you bypass this step and will keep returning you to this page until you change the default password. After the first time password change, you can change your password using the procedures described in this section. Also, if the user has multiple browsers or tabs or the SAME user is logged on by 2 or more computers and one of the user changes the password then everyone will be logged off and asked to re-enter the new password. The user session has an expiry of 1 hour so if the user is inactive on the portal for an hour then portal will expire the session and the user will have to re-login. If you forgot your password, you can also reset the password.

    This section discusses how to change the passwords.

    Changing the Administrator Password Using the Command Line Interface

    After you install ESC, to change the Confd admin password, do the following:

      Step 1   Log in to the ESC VM. 
      $ ssh USERNAME@ESC_IP
      Step 2   Switch to the root user. 
      $ su root
      Step 3   Load the ConfD CLI: 
      $ /opt/confd-5.2.1/bin/confd_cli  -u admin
      Step 4   Set the new admin password: 
      $ configure
$ set aaa authentication users user admin password <new password>
      Step 5   Save the changes. 
      $ commit

      Changing the ESC Portal Password Using the escadm Tool

        Step 1   Log in to ESC VM.
        Step 2   Switch to the root user.
        Step 3   To reset to the default password (admin/cisco123), use the following command: 
        escadm ui set
        Step 4   To replace the existing password with a new one, use the following command: 
        escadm ui set --username admin --password <new password>

        Changing the ESC Portal Password Using the ESC Portal UI

        To change an existing ESC portal password using ESC portal UI, do the following:

          Step 1   Log in to ESC portal using your username and password.
          Step 2   Choose Accounts Setting on the Navigation menu.
          Step 3   Enter the old password in the Old password field, then enter a new password in the New Password and Confirm Password fields.
          Step 4   Click Update Password.
          What to Do Next

          After completing the post installation steps in ESC, create OpenStack resources: Tenant, Image, Flavor, Network, and Subnet. For more information see Cisco Elastic Services Controller User Guide

          Authenticating REST Requests

          ESC REST API uses http basic access authentication where the ESC client will have to provide a username and password when making ESC REST requests. The user name and password will be encoded with Base64 in transit, but not encrypted or hashed. HTTPS will be used in conjunction with Basic Authentication to provide the encryption.

          This section discusses how to enable the REST authentication, change the default password of the REST interface, and how to send authorized REST request from the ESC client.

          Enabling REST Authentication

          By default, the REST authentication is disabled. To enable it the pass the argument --enable-auth to ESC bootvmp.py, ESC installation script.

          ESC also supports https communication over port 8443. ESC will generate a self-signed certificate that the client will need to trust to get the https communication going. By default, the REST https is disabled and restricted to localhost. To enable it pass the argument --enable-https-rest to ESC bootvm.py, ESC installation script.

          Note

          Make sure to pass either --enable-https-rest or --enable-http-rest or both the arguments to the bootvm.py script along with the --enable-auth argument, to enable the authentication. To enable https after ESC VM is booted, run the script /opt/cisco/esc/esc-scripts/enableHttpsRest.sh.

          Changing the REST Interface Password

          The REST interface has only one default username/password (admin/cisco123). The password can be updated using escadm tool from the ESC VM CLI. You can also update the password through the REST API.

            Step 1   Log in to ESC VM.
            Step 2   Switch to the root user.
            Step 3   To reset to the default password (admin/cisco123), use the following command: 
            escadm rest set
            Step 4   To replace the existing password with a new one, use one of the below options:

            • Using the escadm tool from the ESC VM CLI: 

              escadm rest set --username admin --password <new password>

            • Using the REST API: 

              http://[ESCVM_IP]:8080/ESCManager/v0/authentication/setpassword?userName=admin&password=yourPassword

              or 

              https://[ESCVM_IP]:443/ESCManager/v0/authentication/setpassword?userName=admin&password=yourPassword

            Sending an Authorized REST Request

            To send an authorized request, the ESC client should send the request with the following header: 

            Authorization: Basic YWRtaW46Y2lzY28xMjM=

            where YWRtaW46Y2lzY28xMjM= is the Base64 enconded string of the default username/password (admin:cisco123).

            Most libraries and web clients have an interface for providing the username/password and the application will encode the username/password and add the HTTP Basic Auth header.

            Example using the default admin/cisco123 credentials:

            For HTTP:

            http://[ESCVM_IP]:8080/ESCManager/v0/tenants/

            For HTTPS:

            https://[ESCVM_IP]:8443/ESCManager/v0/tenants/

            Configuring Openstack Credentials

            If ESC was deployed without passing VIM credentials, you can set VIM credentials through ESC VIM and through VIM User APIs (REST or Netconf API ).

            Note
            ESC will accept the northbound configuration request only if the following conditions are met:

            • ESC has a VIM or a VIM user configured through APIs(REST/Netconf).

            • ESC has a VIM or a VIM user configured, and ESC is able to reach the VIM.

            • ESC has a VIM or a VIM user configured, and ESC is able to authenticate the user.

            Configuring using Netconf API

            • Passing VIM credential using Netconf : 

              
<esc_system_config xmlns="http://www.cisco.com/esc/esc">
  <vim_connectors>
    <!--represents a vim-->
    <vim_connector>
      <!--unique id for each vim-->
      <id>my-ucs-30</id>
      <!--vim type [OPENSTACK|VMWARE|VAGRANT|...]-->
      <type>OPENSTACK</type>
      <properties>
        <property>
          <name>os_auth_url</name>
          <value>http://<ip address>:5000/v2.0</value>
        </property>
      </properties>
	  <users>
        <user>
          <id>admin</id>
          <credentials>
            <properties>
              <property>
                <name>os_password</name>
                <value>cisco123</value>
              </property>
              <property>
                <name>os_tenant_name</name>
                <value>admin</value>
              </property>
            </properties>
          </credentials>
        </user>
      </users>
    </vim_connector>
  </vim_connectors>
</esc_system_config>

            • Updating VIM Connector using Netconf: 

              
<esc_system_config xmlns="http://www.cisco.com/esc/esc">
  <vim_connectors>
    <vim_connector nc:operation="replace">
      <id>example_vim</id>
      <type>OPENSTACK</type>
      <properties>
        <property>
          <name>os_auth_url</name>
          <value>http://<ip address>:5000/v2.0</value>
        </property>
      </properties>
    </vim_connector>
  </vim_connectors>
</esc_system_config>

            • Updating VIM user using Netconf: 

              <esc_system_config xmlns="http://www.cisco.com/esc/esc">
  <vim_connectors>
    <vim_connector>
      <id>example_vim</id>
        <users>
          <user nc:operation="replace">
            <id>my_user</id>
            <credentials>
             <properties>
              <property>
                <name>os_password</name>
                <value>cisco123</value>
              </property>
              <property>
                <name>os_tenant_name</name>
                <value>admin</value>
              </property>
            </properties>
           </credentials>
          </user>
        </users>
    </vim_connector>
  </vim_connectors>
</esc_system_config>

            • Deleting VIM connector using Netconf: 

              
<esc_system_config xmlns="http://www.cisco.com/esc/esc">  <vim_connectors>
    <vim_connector nc:operation="delete">
      <id>example_vim</id>
    </vim_connector>
  </vim_connectors>
</esc_system_config>
            • Deleting VIM Connector using command: 
              $/opt/cisco/esc/esc-confd/esc-cli/esc_nc_cli delete-vim-connector <vim connector id

            • Deleting VIM user using command: 

              $/opt/cisco/esc/esc-confd/esc-cli/esc_nc_cli delete-vim-user <vim connector id> <vim user id>

            Configuring using REST API

            • Adding VIM using REST: 
              POST /ESCManager/v0/vims/
HEADER: content-type, callback

<?xml version="1.0"?>
<vim_connector xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <!--unique id for each vim-->
  <id>my-ucs-30</id>
  <!--vim type [OPENSTACK|VMWARE|VAGRANT|...]-->
  <type>OPENSTACK</type>
  <properties>
    <property>
      <name>os_auth_url</name>
      <value>http://10.85.103.37:5000/v2.0</value>
    </property>
  </properties>
</vim_connector>

            • Adding VIM user using REST: 

              POST /ESCManager/v0/vims/{vim_id}/vim_users
HEADER: content-type, callback

<?xml version="1.0"?>
<user xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <id>admin</id>
  <credentials>
    <properties>
      <property>
        <name>os_password</name>
        <value>cisco1234</value>
      </property>
      <property>
        <name>os_tenant_name</name>
        <value>admin</value>
      </property>
    </properties>
  </credentials>
</user>

            • Update VIM using REST: 

              PUT /ESCManager/v0/vims/{vim_id}
HEADER: content-type, callback

<?xml version="1.0"?>
<vim_connector xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <!--unique id for each vim-->
  <id>my-ucs-30</id>
  <!--vim type [OPENSTACK|VMWARE|VAGRANT|...]-->
  <type>OPENSTACK</type>
  <properties>
    <property>
      <name>os_auth_url</name>
      <value>http://10.85.103.37:5000/v2.0</value>
    </property>
  </properties>
</vim_connector>

            • Update VIM user using REST: 

              PUT /ESCManager/v0/vims/{vim_id}/vim_users/{user_id}
HEADER: content-type, callback

<?xml version="1.0"?>
<user xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <id>admin</id>
  <credentials>
    <properties>
      <property>
        <name>os_password</name>
        <value>cisco1234</value>
      </property>
      <property>
        <name>os_tenant_name</name>
        <value>admin</value>
      </property>
    </properties>
  </credentials>
</user>

            • Delete VIM using REST: 

              DELETE /ESCManager/v0/vims/{vim_id}

            • Delete VIM user using REST: 

              DELETE /ESCManager/v0/vims/{vim_id}/vim_users/{user_id}
            • Notification example after each VIM or VIM user configuration is done : 
              
<?xml version="1.0" encoding="UTF-8"?>
<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <eventTime>2016-10-06T16:24:05.856+00:00</eventTime>
  <escEvent xmlns="http://www.cisco.com/esc/esc">
    <status>SUCCESS</status>
    <status_code>200</status_code>
    <status_message>Created vim connector successfully</status_message>
    <vim_connector_id>my-ucs-30</vim_connector_id>
    <event>
      <type>CREATE_VIM_CONNECTOR</type>
    </event>
  </escEvent>
</notification>
              Important Notes:

              • ESC 2.3 only support one VIM and one VIM user combination per ESC instance. If the VIM and a user is already configured, request to create more will be rejected.

              • VIM username and password can be updated at anytime. VIM endpoint will not be able to update after a resource is created through ESC.

              • After VIM is connected and VIM user is authenticated, VIM and VIM user can no longer be deleted, only VIM username and password can be updated.

              • The name of a VIM property or VIM user credentials property is not case sensitive, e.g. OS_AUTH_URL and os_auth_url is the same to ESC.

            Reconfiguring ESC Virtual Machine

            This section covers the following:

            • Reconfiguring Rsyslog

            • Reconfiguring NTP

            • Reconfiguring DNS

            • Reconfiguring Hosts

            • Reconfiguring Timezone

            Reconfiguring Rsyslog

            Rsyslog parameters are optional. If there is a need for customization after booting an ESC VM, you can edit the files in ESC VM (/etc/rsyslog.d/).

              Step 1   Editing the Rsyslog file:
              • If you haven't specified the log forwarding configuration at the bootup time, you may create a file under /etc/rsyslog.d/ like /etc/rsyslog.d/log-forwarding.conf.
              • If you have specified the log forwarding through installation, you may just need to edit the file. The file could be /etc/rsyslog.d/20-cloud-config.conf. In this file, to forward logs to multiple rsyslog servers, edit the following line: 
                *.* @[server_ip]:port
                Note   

                • Use '@@' before specifying server ip address (if TCP is the protocol used to forward logs to the rsyslog server).

                • Use '@' before specifying server ip address (if UDP is the protocol used to forward logs to the rsyslog server).

                • server_ip can either be ipv4/ipv6 address of the rsyslog server.

                • '[ ]' around the server_ip is required to separate it from ' :port# ', if an ipv6 server address is specified.

              For further information on Rsyslog configuration, see the Red Hat documentation.

              Step 2   Configuring the ESC log file:Configure which ESC log files you want to forward to the rsyslog server:
              1. Navigate to /etc/rsyslog.d/ Create or modify a configuration file, such as log-esc.conf. Make a copy of sample log-esc.conf .
              2. Specify the following block for every file you want to forward to rsyslog server. 
                $InputFileName /var/log/esc/escmanager.log
$InputFileTag esc-manager:
$InputFileStateFile stat-esc-manager
$InputFileSeverity info
$InputRunFileMonitor
                For example: 
                $InputFileName /var/log/esc/file1.log
$InputFileTag file1:
$InputFileStateFile stat-file1
$InputFileSeverity info
$InputRunFileMonitor

$InputFileName /var/log/esc/file2.log
$InputFileTag file2:
$InputFileStateFile stat-file2
$InputFileSeverity info
$InputRunFileMonitor
              Step 3   Restart the rsyslog service 
              # service rsyslog restart
              Step 4   Configure the server side to receive forwarded logs.
              1. On a designated server, go to /etc/rsyslog.conf, and uncomment the lines shown below, depending on if you want to listen to logs from clients based on TCP or UDP: 
                #$ModLoad imudp
#$UDPServerRun 514
              2. Exit the file. Run this command as the last step. 
                sudo service rsyslog restart
                Now, the server is listening for logs on port 514, using TCP/UDP.

              Reconfiguring NTP

                Step 1   Open the NTP configuration file /etc/ntp.conf in a text editor such as vi, or create a new one if it does not already exist: 
                # vi /etc/ntp.conf
                Step 2   Add or edit the list of public NTP servers. If you don't specify the NTP server through the installation, the file should contain the following default lines, but feel free to change or expand these according to your needs: 
                server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
server <your_ntp_server_ip> iburst
                The iburst directive at the end of each line speeds up the initial synchronization.
                Step 3   Once you have the list of servers complete, in the same file, set the proper permissions, giving the unrestricted access to localhost only. Make sure those lines are there in your configure file. 
                restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
                Step 4   Save all changes, exit the editor, and restart the NTP daemon: 
                # service ntpd restart
                Step 5   Make sure that ntpd is started at boot time: 
                # chkconfig ntpd on

                Reconfiguring DNS

                  Step 1   The /etc/resolv.conf file contains the configuration for the DNS client (resolver). It typically looks something like this: 
                  search domain.com
nameserver 8.8.4.4
                  Step 2   You may modify the IP address of the "nameserver" item or add new nameserver records. 
                  search domain.com
nameserver <your_first_dns_ip>
nameserver <your_second_dns_ip>
                  Step 3   Restart Network Service. 
                  service network restart

                  Reconfiguring Hosts

                  The /etc/hosts file allows you to add, edit, or remove hosts . This file contains IP addresses and their corresponding hostnames. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the /etc/hosts file.

                    Step 1   Add the IP addresses that are not listed in DNS to the /etc/hosts file.
                    Step 2   Restart your network for the changes to take effect. 
                    service network restart

                    Reconfiguring Timezone

                    For ESC VM, in /etc the file "localtime" is a link to or copy of a file containing information about your time zone. Access your zone information files from /usr/share/zoneinfo. To change the time zone, find your country, your city or a city in the same time zone from zone information files in /usr/share/zoneinfo and link it to the localtime in the /etc file. 

                    $ ln \-sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

                    Was this Document Helpful?

                    FeedbackFeedback

                    Contact Cisco