You can configure and define policies in Cisco UCS Central at the organization level and manage them across the infrastructure.
Cisco UCS Central supports IPv6 addressing. It operates in a dual mode in which both IPv4 and IPv6 are enabled. This lets Cisco UCS Central and Cisco UCS Manager communicate with each other over an IPv6 address, primarily to share pool and policy related information.
Cisco UCS Central supports the creation and deletion of IPv4 and IPv6 blocks in the IP pools, and supports IPv6 addressing for the following policies:
You can now register a Cisco UCS Manager domain using an IPv6 address or an IPv4 address.
You can configure an IPv6 address on the Cisco UCS Central through the GUI or CLI commands. This is also true for all the other areas where Cisco UCS Central uses IPv6 addresses.
You can now create a global service profile (GSP) and a local service profile (LSP) using an outband management IPv4 address and an inband IPv4 and/or IPv6 address.
```
UCSC # scope system
UCSC /system # scope network-interface a
UCSC /network-interface # scope ipv6-config
UCSC /network-interface/ipv6-config # set net ipv6 ipv6 2001:db8:a::11 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
UCSC /network-interface/ipv6-config # commit-buffer
```
```
UCSC # scope system
UCSC /system # scope network-interface a
UCSC /network-interface # scope ipv6-config
UCSC /network-interface/ipv6-config # set net ipv6 2001:db8:a::11 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
UCSC /network-interface/ipv6-config # commit-buffer
UCSC /network-interface/ipv6-config # top

UCSC # scope system
UCSC /system # scope network-interface b
UCSC /network-interface # scope ipv6-config
UCSC /network-interface/ipv6-config # set net ipv6 2001:db8:a::12 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
UCSC /network-interface/ipv6-config # commit-buffer
UCSC /network-interface/ipv6-config # top

UCSC # scope system
UCSC /system # set virtual-ip ipv6 2001:db8:a::10
UCSC /system # commit-buffer
UCSC /system # top
```
You can disable IPv6 on the Cisco UCS Central by setting the IPv6 address (in both the standalone and HA mode) to null.
Setting the IPv6 value to null moves all of the affected IPv6 devices to a state of lost visibility.
Standalone mode:

```
UCSC # scope system
UCSC /system # scope network-interface a
UCSC /network-interface # scope ipv6-config
UCSC /network-interface/ipv6-config # set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
UCSC /network-interface/ipv6-config # commit-buffer
UCSC /network-interface/ipv6-config # top
```

HA mode:

```
UCSC # scope system
UCSC /system # set virtual-ip ipv6 ::
UCSC /system # commit-buffer
UCSC /system # top
UCSC # scope system
UCSC /system # scope network-interface a
UCSC /network-interface # scope ipv6-config
UCSC /network-interface/ipv6-config # set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
UCSC /network-interface/ipv6-config # commit-buffer
UCSC /network-interface/ipv6-config # top
UCSC # scope system
UCSC /system # scope network-interface b
UCSC /network-interface # scope ipv6-config
UCSC /network-interface/ipv6-config # set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
UCSC /network-interface/ipv6-config # commit-buffer
UCSC /network-interface/ipv6-config # top
```
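As an added pre-commit check (example code written for this page, not part of the Cisco guide), the following Python validates an HA IPv6 plan like the one above before it is committed: each of interface a, interface b, the virtual IP and the gateway must be a valid IPv6 address inside the gateway's prefix, the addresses must be distinct, and the all-`::` plan is reported as the disable case described above rather than as an error. The `render_commands` helper emits the same command sequence the HA example uses; the sample addresses are the page's own.

```python
import ipaddress

DISABLED = "::"  # the value the page uses to switch IPv6 off


def validate_ha_ipv6(iface_a, iface_b, virtual_ip, gateway, prefix):
    """Check an HA IPv6 plan (interface a, interface b, virtual IP, gateway).

    Returns a list of findings; an empty list means the plan is consistent.
    When every address is '::' this is the page's 'disable IPv6' case, which is
    returned as a single informational finding rather than an error.
    """
    roles = {
        "network-interface a": iface_a,
        "network-interface b": iface_b,
        "virtual-ip": virtual_ip,
        "ipv6-gw": gateway,
    }
    if all(value == DISABLED for value in roles.values()):
        return ["info: IPv6 disabled; affected IPv6 devices lose visibility"]

    findings = []
    parsed = {}
    for role, text in roles.items():
        try:
            addr = ipaddress.IPv6Address(text)
        except ValueError:
            findings.append(f"error: {role} '{text}' is not a valid IPv6 address")
            continue
        if addr.is_unspecified:
            # Mixing '::' with real addresses is neither a full disable nor a working HA layout.
            findings.append(f"error: {role} is '::' while other addresses are set")
        parsed[role] = addr
    if not 1 <= int(prefix) <= 128:
        findings.append(f"error: ipv6-prefix {prefix} is out of range")
    if findings:
        return findings

    # All three addresses must sit in the gateway's prefix (the page uses /64).
    network = ipaddress.IPv6Network((str(parsed["ipv6-gw"]), int(prefix)), strict=False)
    for role, addr in parsed.items():
        if addr not in network:
            findings.append(f"error: {role} {addr} is outside {network}")

    # Interface a, interface b, the virtual IP and the gateway must all differ.
    seen = {}
    for role, addr in parsed.items():
        if addr in seen:
            findings.append(f"error: {role} duplicates {seen[addr]} ({addr})")
        else:
            seen[addr] = role
    return findings


def render_commands(iface_a, iface_b, virtual_ip, gateway, prefix):
    """Emit the CLI sequence in the form the page's HA example uses."""
    lines = []
    for iface, addr in (("a", iface_a), ("b", iface_b)):
        lines += [
            "scope system",
            f"scope network-interface {iface}",
            "scope ipv6-config",
            f"set net ipv6 {addr} ipv6-gw {gateway} ipv6-prefix {prefix}",
            "commit-buffer",
            "top",
        ]
    lines += ["scope system", f"set virtual-ip ipv6 {virtual_ip}", "commit-buffer", "top"]
    return lines


if __name__ == "__main__":
    # Addresses taken from the page's HA example.
    plan = ("2001:db8:a::11", "2001:db8:a::12", "2001:db8:a::10", "2001:db8:a::1", 64)
    problems = validate_ha_ipv6(*plan)
    print("\n".join(problems) if problems else "\n".join(render_commands(*plan)))
```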
Scopes into an organization
Scopes the SNMP policy
Creates the SNMP trap with IP address 0.0.0.0
Sets the SNMP community host string to snmptrap01
Sets the SNMP notification type to traps
Sets the SNMP port to 1
Sets the v3privilege to priv
Sets the version to v1
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope snmp
UCSC(policy-mgr) /org/device-profile/snmp # create snmp-trap 0.0.0.0
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set community snmptrap01
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set notificationtype traps
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set port 1
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set v3privilege priv
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set version v1
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # commit-buffer
```
Scopes into an organization
Scopes the SNMP policy
Scopes into the SNMP user named snmpuser01
Sets aes-128 mode to enabled
Sets the authentication protocol to SHA
Sets password to userpassword01
Sets private password to userpassword02
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope snmp
UCSC(policy-mgr) /org/device-profile/snmp # scope snmp-user snmpuser01
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user # set aes-128 yes
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set auth sha
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set password
Enter a password: userpassword01
Confirm the password: userpassword01
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set priv-password
Enter a password: userpassword02
Confirm the password: userpassword02
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # commit-buffer
```
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope timezone-ntp-config
UCSC(policy-mgr) /org/device-profile/timezone-ntp-config # create ntp orgNTP01
UCSC(policy-mgr) /org/device-profile/timezone-ntp-config* # commit-buffer
UCSC(policy-mgr) /org/device-profile/timezone-ntp-config #
```
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope dns-config
UCSC(policy-mgr) /org/device-profile/dns-config # create dns 0.0.0.0
UCSC(policy-mgr) /org/device-profile/dns-config* # commit-buffer
```
Scopes into the organization
Creates a global fault debug policy
Enters the status settings
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope fault policy
UCSC(policy-mgr) /org/device-profile/policy* # set ackaction delete-on-clear
UCSC(policy-mgr) /org/device-profile/policy* # set clearaction delete
UCSC(policy-mgr) /org/device-profile/policy* # set clearinterval 15 30 60 90
UCSC(policy-mgr) /org/device-profile/policy* # set flapinterval 180
UCSC(policy-mgr) /org/device-profile/policy* # set retentioninterval 180 54 52 63
UCSC(policy-mgr) /org/device-profile/policy* # commit-buffer
UCSC(policy-mgr) /org/device-profile/policy #
```
Scopes into the organization
Scopes the TFTP Core Export Policy
Configures the policy
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope tftp-core-export-config
UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # enable core-export-target
UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target path /target
UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target port 65535
UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target server-description "TFTP core export server 2"
UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target server-name TFTPcoreserver01
UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # commit-buffer
```
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # create local-user local-user-name | Creates a user account for the specified local user and enters security local user mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status {active \| inactive} | Enables or disables the local user account. The admin user account is always active and cannot be modified.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set password password | Sets the password for the user account.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set firstname first-name | (Optional) Specifies the first name of the user.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set lastname last-name | (Optional) Specifies the last name of the user.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set expiration month day-of-month year | (Optional) Specifies the date on which the user account expires. The month argument is the first three letters of the month name.
Step 11 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set email email-addr | (Optional) Specifies the user's e-mail address.
Step 12 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set phone phone-num | (Optional) Specifies the user's phone number.
Step 13 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey ssh-key | (Optional) Specifies the SSH key used for passwordless access.
Step 14 | UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer | Commits the transaction.
Scopes into the organization
Creates the user account named eagle_eye
Enables the user account
Sets the password to eye5687
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create local-user eagle_eye
UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
UCSC(policy-mgr) /org/device-profile/security/local-user* # set password
Enter a password: eye5687
Confirm the password: eye5687
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user* #
```
Scopes into the organization
Creates the user account named lincey
Enables the user account
Sets an openSSH key for passwordless access
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create local-user lincey
UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4K iaQB8X/PDdmtlxQQcawcljk8f4VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpD m8HPh2LOgyH7Ei1MI8="
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user* #
```
Scopes into the organization
Creates the user account named jforlenz
Enables the user account
Sets a secure SSH key for passwordless access
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create local-user jforlenz
UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
User's SSH key:
> ---- BEGIN SSH2 PUBLIC KEY ----
> AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8
> 5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO
> IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=
> ---- END SSH2 PUBLIC KEY ----
> ENDOFBUF
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user* #
```
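A small input check for the local-user procedure and the SSH key examples above (an added example written for this page, not Cisco code): it parses the `set expiration month day-of-month year` form, where month is the first three letters of the month name, and verifies that a pasted OpenSSH key line is a well-formed `type base64-blob` pair before it is handed to `set sshkey`, catching a key that was pasted with a stray space or line break. The sample key is constructed in the block from tiny non-secret numbers purely to exercise the decoder.

```python
import base64
import datetime
import struct

# Month abbreviations accepted by 'set expiration' (first three letters of the name).
MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}


def parse_expiration(month, day_of_month, year):
    """Parse 'month day-of-month year' as used by 'set expiration'.

    Returns a datetime.date. Raises ValueError when month is not a three-letter
    abbreviation or the day does not exist in that month (for example Feb 30).
    """
    key = month.strip().lower()
    if key not in MONTHS:
        raise ValueError(f"month must be the first three letters of the month name, got {month!r}")
    return datetime.date(int(year), MONTHS[key], int(day_of_month))


def account_expired(expiration, today):
    """True once today is past the account's expiration date."""
    return today > expiration


def ssh_key_type(key_line):
    """Return the key type of an OpenSSH public key line, or None if malformed.

    The line is '<type> <base64-blob> [comment]'. Inside the blob the first
    field is a uint32 length-prefixed string that must repeat <type>; a key
    whose blob was split by a space or line break fails to decode here.
    """
    parts = key_line.split()
    if len(parts) < 2:
        return None
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or len(blob) < 4 + length:
        return None
    if blob[4:4 + length] != key_type.encode():
        return None
    return key_type


def _ssh_string(data):
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_rsa_key_line(comment="demo@example"):
    """Build a syntactically valid ssh-rsa line from toy, non-secret numbers.

    Constructed for this example only: the modulus is far too small to be a
    real key and exists solely to give ssh_key_type something to decode.
    """
    exponent = (65537).to_bytes(3, "big")
    modulus = b"\x00" + (2 ** 63 + 1).to_bytes(8, "big")  # leading zero keeps the mpint positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(exponent) + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    print(parse_expiration("Jan", 15, 2025))
    print(ssh_key_type(constructed_rsa_key_line()))
```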
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope auth-realm | Enters authentication realm security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/auth-realm # set remote-user default-role {assign-default-role \| no-login} | Specifies whether user access to Cisco UCS Central is restricted based on user roles.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/auth-realm* # commit-buffer | Commits the transaction to the system configuration.
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
UCSC(policy-mgr) /org/device-profile/security/auth-realm # set remote-user default-role assign-default-role
UCSC(policy-mgr) /org/device-profile/security/auth-realm* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/auth-realm #
```
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # create role name | Creates the user role and enters security role mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer | Commits the transaction to the system configuration.
Scopes into the organization
Creates the service-profile security-admin role
Adds the service profile security to the role
Adds service profile security policy privileges to the role
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create role security-admin
UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
```
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # create locale name | Creates the locale and enters security locale mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/locale* # create org-ref org-ref-name orgdn orgdn-name | References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the referenced organization.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer | Commits the transaction to the system configuration.
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create locale western
UCSC(policy-mgr) /org/device-profile/security/locale* # create org-ref finance-ref orgdn finance
UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer
```
Cisco UCS Central supports creating local and remote users to access the system. You can configure up to 128 user accounts in each Cisco UCS Central domain. Each user must have a unique username and password.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope auth-realm | Enters authentication realm mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/auth-realm # create auth-domain domain-name | Creates an authentication domain and enters authentication domain mode. The RADIUS-related settings apply only to Cisco UCS Central in the domain group root and sub-domain groups.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # create default-auth | (Optional) Creates a default authentication for the specified authentication domain.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set auth-server-group auth-serv-group-name | (Optional) Specifies the provider group for the specified authentication domain.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set realm {ldap \| local \| radius \| tacacs} | Specifies the realm for the specified authentication domain.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # commit-buffer | Commits the transaction to the system configuration.
Scopes into the organization
Creates an authentication domain called domain1
Sets the web refresh period to 3600 seconds (1 hour)
Sets the session timeout period to 14400 seconds (4 hours)
Configures domain1 to use the providers in ldapgroup1
Sets the realm type to ldap
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
UCSC(policy-mgr) /org/device-profile/security/auth-realm # create auth-domain domain1
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # create default-auth
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set auth-server-group ldapgroup1
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set realm ldap
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth #
```
Create and configure LDAP remote users, and assign roles and locales from Cisco UCS Central, in the same manner as Cisco UCS Manager. Always create the LDAP provider from the Cisco UCS Central domain group root.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. Give this account a non-expiring password.
In the LDAP server, perform one of the following configurations:
Configure LDAP groups. LDAP groups contain user role and locale information.
Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose to extend the LDAP schema for this attribute. If you do not want to extend the schema, use an existing LDAP attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the CiscoAVPair attribute.
The Cisco LDAP implementation requires a unicode type attribute.
If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1
For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.
If you want to use secure communications, create a trusted point containing the certificate of the root certificate authority (CA) of the LDAP server in Cisco UCS Central.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # create server server-name | Creates an LDAP server (provider) instance and enters LDAP server mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set attribute attribute | (Optional) The LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set basedn basedn-name | The point in the LDAP hierarchy where the server begins its search when a remote user logs in. After login, the system attempts to obtain the user's DN from the username. The base DN can be at most 255 characters minus the length of CN=username, where username is the remote user attempting to access Cisco UCS Central through LDAP authentication.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn binddn-name | The distinguished name (DN) of an LDAP database account that has read and search permissions for all objects under the base DN. The maximum supported string length is 255 ASCII characters.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set filter filter-value | Restricts the LDAP search to user names that match the defined filter.
Step 11 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password | Press Enter after typing the set password command and enter the password at the prompt.
Step 12 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set order order-num | The order in which Cisco UCS Central uses this provider to authenticate users.
Step 13 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port port-num | The port through which Cisco UCS Central communicates with the LDAP database. The standard port number is 389.
Step 14 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl {yes \| no} | Enables (yes) or disables (no) encryption when communicating with the LDAP server.
Step 15 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set timeout timeout-num | If the LDAP provider does not receive an LDAP response within the specified period, it aborts the read attempt.
Step 16 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set vendor | Specifies the vendor for the LDAP group.
Step 17 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer | Commits the transaction to the system configuration.
Scopes into the organization
Creates an LDAP server instance named 10.193.169.246
Configures the binddn
Configures the password
Configures the order
Configures the port
Configures the SSL settings
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # create server 10.193.169.246
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password
Enter the password:
Confirm the password:
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set order 2
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port 389
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl yes
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set timeout 30
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap/server #
```
Create one or more LDAP providers.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # create auth-server-group auth-server-group-name | Creates an LDAP provider group and enters authentication server group security LDAP mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap-provider-name | Adds the specified LDAP provider to the LDAP provider group and enters server reference mode.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # set order order-num | Specifies the order in which Cisco UCS Central uses this provider to authenticate users. Valid values are no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # commit-buffer | Commits the transaction to the system configuration.
Creates an LDAP provider group called ldapgroup
Adds two previously configured providers called ldap1 and ldap2 to the provider group
Sets the order
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # create auth-server-group ldapgroup
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap1
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # up
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap2
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # commit-buffer
```
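Pulling together the limits stated in the LDAP provider table (base DN at most 255 characters minus the length of CN=username, bind DN at most 255 ASCII characters, the ssl setting) and the provider-group ordering rule above, as an added example written for this page rather than Cisco code: a checker for one provider definition and a resolver that lists providers in the order the group rule implies. `longest_username` is an assumption of this example, the longest login name you expect, used to apply the base DN rule; the sample base DN is constructed, while the bind DN and port come from the page's example.

```python
MAX_DN_LENGTH = 255
DEFAULT_LDAP_PORT = 389
ORDER_MIN, ORDER_MAX = 0, 16


def validate_ldap_provider(basedn, binddn, port=DEFAULT_LDAP_PORT, ssl=True,
                           timeout=30, longest_username=""):
    """Check one LDAP provider definition against the limits the page states.

    Returns a list of findings ('error: ...' or 'warn: ...'); empty means clean.
    longest_username is an assumption of this example: the longest login name
    expected, so that basedn plus 'CN=<username>' stays within 255 characters.
    """
    findings = []
    budget = MAX_DN_LENGTH - len("CN=" + longest_username)
    if len(basedn) > budget:
        findings.append(f"error: basedn is {len(basedn)} characters; at most {budget} "
                        f"fit beside CN={longest_username}")
    if len(binddn) > MAX_DN_LENGTH or not binddn.isascii():
        findings.append("error: binddn must be at most 255 ASCII characters")
    if not 1 <= int(port) <= 65535:
        findings.append(f"error: port {port} is out of range")
    if not ssl:
        # 'set ssl no' is the page's 'disable encryption' setting.
        findings.append("warn: ssl no leaves LDAP traffic to this provider unencrypted")
    if int(timeout) <= 0:
        findings.append(f"error: timeout {timeout} must be a positive number of seconds")
    return findings


def resolve_provider_order(server_refs):
    """Return provider names in the order a provider group tries them.

    server_refs is a list of (provider_name, order) pairs, where order is an
    int 0-16 or None for the CLI's no-value. Lowest value is tried first and
    None counts as the highest priority, as the page states. Raises ValueError
    when an order is outside 0-16.
    """
    for name, order in server_refs:
        if order is not None and not ORDER_MIN <= order <= ORDER_MAX:
            raise ValueError(f"{name}: order must be no-value or {ORDER_MIN}-{ORDER_MAX}, got {order}")
    ranked = sorted(server_refs, key=lambda ref: -1 if ref[1] is None else ref[1])
    return [name for name, _ in ranked]


if __name__ == "__main__":
    # Bind DN and port from the page's provider example; base DN constructed here.
    print(validate_ldap_provider(
        basedn="DC=cisco-ucsm-aaa3,DC=qalab,DC=com",
        binddn="cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com",
        port=389, ssl=True, timeout=30, longest_username="jforlenz"))
    print(resolve_provider_order([("ldap1", 1), ("ldap2", 2)]))
```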
Configure an authentication domain.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # create ldap-group group-dn | Creates an LDAP group map for the specified DN.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create locale locale-name | Maps the LDAP group to the specified locale.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create role role-name | Maps the LDAP group to the specified role.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # commit-buffer | Commits the transaction to the system configuration.
Scopes into the organization
Creates an LDAP group map for the DN cn=security,cn=users,dc=lab,dc=com
Sets the locale to pacific
Sets the role to admin
Commits the transaction
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # create ldap-group cn=security,cn=users,dc=lab,dc=com
UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create locale pacific
UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create role admin
UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group #
```
Set the LDAP group rule.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # delete server serv-name | Deletes the specified server.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # delete server ldap1
UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap #
```
Remove the provider group from an authentication configuration.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization.
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # delete auth-server-group auth-server-group-name | Deletes the LDAP provider group.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # delete auth-server-group ldapgroup
UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # delete ldap-group group-dn | Deletes the LDAP group map for the specified DN. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer | Commits the transaction to the system configuration. |

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # delete ldap-group cn=security,cn=users,dc=lab,dc=com
UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # create trustpoint trust-point-name | Creates a trusted point. Provide a certificate name. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/trustpoint* # set certchain [certificate-chain] | Specifies certificate information for this trusted point. If you do not specify certificate information in the command, you are prompted to enter a certificate, or a list of trustpoints, defining a certification path to the root certificate authority (CA). On the next line following your input, type ENDOFBUF to finish. |

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create trustpoint key01
UCSC(policy-mgr) /org/device-profile/security/trustpoint* # set certchain
>-----BEGIN CERTIFICATE-----
>MIIDgzCCAmugAwIBAgIQeXUhz+ZtnrpK4x65oJkQZzANBgkqhkiG9w0BAQUFADBU
>MSIwIAYDVQQDExlibHJxYXVjc2MtV0lOMjAxMi1JUFY2LUNBMB4XDTE0MDIyNjEy
>-----END CERTIFICATE-----
>ENDOFBUF
UCSC(policy-mgr) /org/device-profile/security/trustpoint* # commit-buffer
Ensure that a key ring is not using the trusted point.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # delete trustpoint trustpoint-name | Deletes the trusted point. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security* # commit-buffer | Commits the transaction. |

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # delete trustpoint tp1
UCSC(policy-mgr) /org/device-profile/security* # commit-buffer
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # create keyring keyring-name | Creates and names the key ring. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/keyring* # set modulus mod2048 | Sets the SSL key length in bits. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/keyring* # set trustpoint trustpoint-name | Sets a trust point within the key ring. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/keyring* # commit-buffer | Commits the transaction to the system configuration. |

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create keyring kr126
UCSC(policy-mgr) /org/device-profile/security/keyring* # set modulus mod2048
UCSC(policy-mgr) /org/device-profile/security/keyring* # set trustpoint tp1
UCSC(policy-mgr) /org/device-profile/security/keyring* # commit-buffer
Ensure that the HTTPS service is not using the key ring.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # delete keyring keyring-name | Deletes the key ring. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security* # commit-buffer | Commits the transaction. |

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # delete keyring kr126
UCSC(policy-mgr) /org/device-profile/security* # commit-buffer
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope keyring keyring-name | Enters the configuration mode for the key ring. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/keyring # create certreq | Creates a certificate request for the key ring. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set country country-name | Specifies the country code of the company. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set dns DNS-name | Specifies the Domain Name Server (DNS) address associated with the certificate request. |
Step 9 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set e-mail e-mail-address | Specifies the e-mail address associated with the certificate request. |
Step 10 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set ip certificate-request-ipv4-address | Specifies the IP address of the fabric interconnect. |
Step 11 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set locality locality-name | Specifies the city or town in which the company requesting the certificate is headquartered. |
Step 12 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-name organization-name | Specifies the organization requesting the certificate. |
Step 13 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-unit-name organizational-unit-name | Specifies the organizational unit. |
Step 14 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set password certificate-request-password | Specifies an optional password for the certificate request. |
Step 15 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set state state-or-province | Specifies the state or province in which the company requesting the certificate is headquartered. |
Step 16 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set subject-name certificate-request-name | Specifies the fully qualified domain name of the Fabric Interconnect. |
Step 17 | UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # commit-buffer | Commits the transaction. |

The following example creates a certificate request with an IPv4 address for a key ring, sets advanced options, and commits the transaction:

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope keyring kr126
UCSC(policy-mgr) /org/device-profile/security/keyring # create certreq
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set ip 192.168.200.123
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set country US
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set dns bgl-samc-15A
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set e-mail test@gmail.com
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set locality san_francisco
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-name "xyz"
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-unit-name Testing
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set state california
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set subject-name abc01
UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # commit-buffer
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope https | Enters the HTTPS service mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/https # set keyring keyring-name | Sets the key ring whose certificate the HTTPS service presents. |
Step 6 | UCSC(policy-mgr) /org/device-profile/https* # commit-buffer | Commits the transaction to the system configuration. |

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope https
UCSC(policy-mgr) /org/device-profile/https # set keyring kr126
UCSC(policy-mgr) /org/device-profile/https* # commit-buffer
You must manually regenerate the default key ring certificate if the cluster name changes or the certificate expires.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope keyring default | Enters key ring security mode for the default key ring. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/keyring # set regenerate yes | Regenerates the default key ring. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/keyring* # commit-buffer | Commits the transaction to the system configuration. |

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope keyring default
UCSC(policy-mgr) /org/device-profile/security/keyring # set regenerate yes
UCSC(policy-mgr) /org/device-profile/security/keyring* # commit-buffer
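Two of the procedures above depend on certificate material that the CLI accepts without much checking: the chain pasted after `set certchain` on a trust point must form a certification path ending at the root CA, and a key ring certificate that has expired is the stated reason to regenerate the default key ring. The following is an added example, not Cisco code and not part of this guide, that checks both offline before any command is entered: it confirms the buffer is PEM framed, that each certificate was issued by the next one (leaf to root), that the last one is self-signed, and that none has expired. It uses only the Python standard library, so it reads issuer, subject and validity with a minimal DER walker and does not verify signatures; the certificates it tests against are constructed, unsigned fakes with made-up names built inside the block.

```python
"""Offline checks on certificate material before `set certchain` / key ring work:
PEM framing, leaf-to-root order, self-signed root, and expiry. Standard library
only; a minimal DER walker reads issuer, subject and validity. Signatures are
NOT verified. Added example, not Cisco code."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """List the (tag, value) elements inside a SEQUENCE or SET body."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Issuer and subject (raw DER Name bodies) and notAfter of one X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = _children(fields[3][1])
    return {"issuer": fields[2][1], "subject": fields[4][1], "not_after": _parse_time(*not_after)}


def check_chain(pem, now=None):
    """Problems found in a certchain buffer; an empty list means it is safe to paste."""
    now = now or datetime.now(timezone.utc)
    certs = [parse_cert(base64.b64decode(b)) for b in PEM_RE.findall(pem)]
    problems = []
    if not certs:
        problems.append("no PEM certificate blocks found")
    for i, cert in enumerate(certs):
        if cert["not_after"] <= now:
            problems.append(f"certificate {i} expired on {cert['not_after']:%Y-%m-%d}")
        if i + 1 < len(certs) and cert["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"certificate {i} was not issued by certificate {i + 1}")
    if certs and certs[-1]["issuer"] != certs[-1]["subject"]:
        problems.append("last certificate is not a self-signed root CA")
    return problems


def certchain_buffer(pem):
    """Exact text to enter after `set certchain`: the chain, then ENDOFBUF on its own line."""
    return pem.decode().strip() + "\nENDOFBUF\n"


# ---- constructed test material: fake, unsigned certificates, not real CAs ----
def _der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                          else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName."""
    attr = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03])) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def make_test_cert(subject_cn, issuer_cn, not_after):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x18, b"20200101000000Z")
                    + _der(0x18, not_after.strftime("%Y%m%d%H%M%SZ").encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _der(0x30, alg + _der(0x03, b"\x00\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))   # dummy signature


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def sample_chains():
    """Three constructed chains: correctly ordered, root-first, and with an expired leaf."""
    root = make_test_cert("Test Root CA", "Test Root CA", datetime(2040, 1, 1))
    inter = make_test_cert("Test Issuing CA", "Test Root CA", datetime(2035, 1, 1))
    leaf = make_test_cert("ucs-central.example.test", "Test Issuing CA", datetime(2030, 1, 1))
    stale = make_test_cert("ucs-central.example.test", "Test Issuing CA", datetime(2020, 6, 1))
    return {"good": to_pem(leaf) + to_pem(inter) + to_pem(root),
            "reversed": to_pem(root) + to_pem(inter) + to_pem(leaf),
            "expired": to_pem(stale) + to_pem(inter) + to_pem(root)}


if __name__ == "__main__":
    for label, pem in sample_chains().items():
        print(label, check_chain(pem) or "OK")
```

Run `check_chain()` on the PEM file the CA handed you; when it returns an empty list, `certchain_buffer()` gives the exact lines to type after `set certchain`, ENDOFBUF included. Issuer and subject are compared as raw DER name bodies, which is the strict match a chain builder uses; a chain that passes here can still fail on the device if a signature is bad, since this check deliberately stops short of cryptographic verification.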