Figure 2-11 Specifying the User-Defined Fields

Step 9

Enter any value for user-defined fields 0 to 3 or any other user-defined fields that you may have created. These field values are applied to all devices added in this procedure. In the example shown here, the device has value Switch1_CompanyA set for User Defined Field Asset_Tracking_Tag. When finished defining the user-defined fields, click Finish.
Add a Cluster Managed Device and Associate with the Cluster Manager
Each cluster member has its own host name, sysObjectID, and MDF type, and uses the same Telnet credentials as the Cluster.
The Cluster must be added before a cluster-managed device. For example, if a device X belongs to cluster Y, first add the Cluster Y, and then add the Cluster Managed device X. In order to add a cluster managed device, first add a Cluster Manager.
Add a cluster manager as you would add a normal device as described in the Add a Standard Device to the DCA section on page 2-11. When the Device Type window appears, choose Cisco Cluster Management Suite.
The Cluster Manager is part of the Cisco Cluster Manager Suite. The Cluster Manager displays the front panel and LEDs of all cluster switches. Within Cluster Manager, you can point-and-click to configure ports and switches. You can select several ports from the same cluster and configure them all to run with the same settings. All of the device-management features are available through the Cluster Manager menu bar.
To add a cluster managed device and associate it to the Cluster Manager, select the Cluster Managed management type. The Devices Information dialog displays the following cluster-specific fields (see Figure 2-12):
Figure 2-12 Cluster Managed Device Information
Enter the information related to this cluster device:

a. b. c. d. e.

Device Type: Click Select and specify the device type. Display Name: Enter the devices name as you wish it to be displayed. Device Identity: Specify the devices host name, domain name, and IP address. Cluster: Click Select and specify the appropriate cluster name. Member Number: Specify the member number of this device. The Member Number field is mandatory. The Member Number is the number of the Cluster member. This number represents the order in which the device is added into the cluster.
When finished, click Next.
Add an Auto Update Sever Managed Device to DCA
To add an Auto Update Server managed device and associate it with the AUS, select the Auto Update management type from the dialog shown in Figure 2-7. The Device Information dialog displays the following AUS-specific fields (see Figure 2-13):

Figure 2-13 Auto Update Server Device Information
Enter the information related to the Auto Update device:

a. b. c.

Device Type: Click Select and specify the device type. Display Name: Enter the devices name as you wish it to be displayed. Device Identity:
Auto Update Device ID Auto Update Server: Click Select and specify the Auto Update Server name. Host name Domain name: Click Select and specify the servers domain name. IP address
Add, Rename, or Delete User-Defined Fields to DCR
You can use user-defined fields to associate name value pairs with the devices maintained in DCR. These name value pairs can be then used to group devices based on criteria defined by the user. To customize User Defined Fields, follow these steps:
From the Common Services Panel, choose Device and Credentials > Admin > User Defined Fields.
Figure 2-14 Customizing User-Defined Fields

Step 2 Step 3

Select the field you want to modify from the list of user-defined fields. To rename the selected user-defined field, click Rename. For example, you could rename user_defined_field_0 to Asset_Tracking_Tag. This field will then have a value for every device. Device 1 will have a value for the user-defined field Asset_Tracking_Tag as Switch1_Lab1, and so on.

Step 4 Step 5

To add a user-defined field, click Add. To delete a user-defined field, select the field from the list, then click Delete.
Add an Auto Update Server
The Auto Update server (AUS) supports a pull model of configuration that can be used for the initial configuration, configuration updates, operating system updates and periodic configuration verification. The Auto Update server is ideal for remote PIX firewall network (including SOHO), remote sales agent, and educational networks. The Auto Update server also supports the management of remote firewalls that are dynamically addressed with DHCP or networks with intermittent connectivity. The Auto Update server increases the scalability of remote security networks, reduces the costs involved in maintaining a remote security network, and enables the management of dynamically addressed remote firewalls. The Auto Update server is a component of the CiscoWorks VPN/Security Management Solution (VMS). You can use this feature to add, edit, and delete devices managed using Auto Update Server. The CiscoWorks Auto Update Server is a web-based interface for upgrading device configuration files and software images on firewalls that use the auto update feature.

lsids {all|dn=displayName|ip=IPAddress}
Lists the DCR device IDs for devices stored on the DCR server. It will list all devices if you specify no additional parameters, or only the device ID for the device with the specified display name or IP address. If several devices share the same IP address, the command will list the device IDs for all of them. For example: lsids ip=168.192.1.20 mod
mod id=value {ip=ipaddress|hn=hostname|di=device_identity value} dn=displayName -a attribName=attribValue,.
Modifies the specified device. In addition to the id=dcr_device_id (an internal value maintained by DCR) and display name, you must specify at least an IP address, host name or device_identity value. For example:
mod id=256666989 ip=168.140.1.1 dn=MyDevice -a sysObjectID=99.242.780

setmaster

Sets the DCR server to Master mode. The command takes no parameters.

Command setslave

setslave master=DCRGroupID port=portNumber
Sets the DCR server to Slave mode. You must specify the DCR Group ID for the new Master with which this slave will communicate. You must also specify the Masters port number if it is anything except 443 (443 is the default Master port). For example: setslave master=DCRMaster221 port=1099 setstand

setstand

Sets the DCR server to Standalone mode. The command takes no parameters.
Invoke DCR CLI from the Command Line
You can invoke the DCR command-line interface from the command line. The format of the command is as follows:
dcrcli -u username cmd=commands fn=filename ft=(csv or xml)
In the command above, the parameter commands can be of any value provided in Step 3 in the previous section. The fn and ft options are used for import and export options in the command list. Here is an example of the command to import devices into DCR using the command line:
dcrcli -u admin cmd=impFile fn=d:/full_access/test ft=csv
impFile: Selects the import file option. fn: Specifies the filename from which the devices need to be imported. ft: Specifies if the input file is in CSV format.
Refer to the User Guide for Common Services 3.0 to get more details on the DCR command-line interface (see Appendix A, Accessing the CiscoWorks User Guides).

Enabling Single Sign-On

Single Sign On (SSO) helps the user to use a single session to navigate to multiple Cisco Works servers without having to authenticate to each of them. Communication between multiple Cisco Works servers is enabled by a trust model addressed by certificates and shared secrets. Using SSO can be summarized as follows:
When you first log in to the slave servers, youre redirected to the master server for logging in. Check the URL while you log in. The login page should be that of the master server. After the login is successful, youre redirected to the slave server home page. When you successfully log into the master server, you can access any slave server home page without having to log in again. The Master server is used for authentication purposes only.

The Single Sign On Domain and the Management Domain are completely different elements. A Single Sign On Master does not need be a DCR Master and vice versa.
Set Up the System Identity User
SSO uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave. It is sufficient to have the same System Identity User passwords in the Master and Slave, without having the same username.
We recommend that you have the same user name and password across Master and Slave.

129771

SSO Slave CiscoWorks Server 1
SSO Slave CiscoWorks Server 2
SSO Slave CiscoWorks Server 3

Chapter 3

Enabling Single Sign-On Setting Up Single Sign On
To set up the System Identity User:
Choose Common Services > Server > Security > System Identity Setup. Enter the username and password. Click Apply.
Configure the Masters Self Signed Certificate in the Slave
To configure the Masters Self Signed Certificate in the Slave: Choose Common Services > Server > Security > Peer Server Certificate Setup > Add. The CN present in the certificate should match with the Master server name. Otherwise it is not considered a valid certificate.
Navigate Between Cisco Works Servers
To navigate seamlessly between CiscoWorks servers, use the Link Registration feature and create links to slave SSO servers in the Master server and vice versa. Now you can simply click on the links to navigate between the slave and master servers seamlessly.
The Groups feature in Common Services helps you to group devices managed by CiscoWorks applications. It helps to create, manage, and share groups of devices. The groups created are shared across applications. The groups created in applications can also be viewed from Common Services. The Groups feature is comprised of the following components:
Group Server: Manages groups of devices. It helps you to create, edit, delete, and refresh groups. The Group server evaluates group rules and retrieve devices of a particular group. Group Admin: Allows you to interact with the Group server to create and manipulate groups using Group Admin.

Top-Level Groups in Common Services
The following are the descriptions of the top level groups seen in the Group Selector pane in Figure 4-9.
CS@lms-win1: Contains both system defined and user defined groups created in Common Services in the lms-win1 server machine. The groups created in Common Services are based on criteria using DCR attributes. Campus@lms-win1: Contains system defined, user defined, and all devices groups created in Campus Manager in the lms-win1 server machine. The groups created in Campus Manager are based on criteria using attributes exposed by Campus Manager. DFM@lms-win1: Contains a user defined group created in Device Fault Manager in the lms-win1 server machine. The groups created in Device Fault Manager are based on criteria using attributes exposed by Device Fault Manager. RME@lms-win1: Contains all devices, normal devices, predeployed, previous selection, saved device list, and user defined groups created in Resource Manager Essentials in the lms-win1 server machine. The groups created in Resource Manager Essentials are based on criteria using attributes exposed by Resource Manager Essentials.
You can edit the user-defined groups of the top-level groups only by navigating to the corresponding application group administration screen. For example, you can edit User Defined Groups defined under CS@lms-win1 only by going to the group administration screen in Common Services.
DCR is the central location where device information (including credentials information, user defined attributes, and identity attributes) is stored. In LAN Management Solution (LMS), devices need to be imported into the individual applications like RME, Campus Manager and Device Fault Manager. If a device D1 is imported into Campus Manager but not imported into RME, then D1 will be shown as a member of a group (for example) G1 in Campus Manager Application screens and may not show up in RME application screens. To illustrate this, the Topology Services window of Campus Manager shows the device nmtg-remote-7200.cisco.com as a member of group /CS@lms-win1/System Defined Groups/Routers/Cisco 7200 Series Routers/Cisco 7204 Router (see Figure 4-10).
Figure 4-10 Topology Services Window in Campus Manager
But, the same device wont be shown as a member of the group /CS@lms-win1/System Defined Groups/Routers/Cisco 7200 Series Routers/Cisco 7204 Router in an RME Config Editor Application screen (see Figure 4-11).
Figure 4-11 Single Server: Resource Manager Essentials Config Editor

In the corresponding ACS TACACS+ port numbers fields, the default port is 49. Secondary and Tertiary IP address and hostname details are optional. The values true and false will not be accepted in the Primary, Secondary, and Tertiary IP Address/Hostname fields.
Enable the Register all installed applications with ACS option to register all the installed applications with the ACS server.
If an application is already registered with ACS, the current registration will overwrite the previous one. Click Apply. The following summary screen is displayed (see Figure 5-6).
Figure 5-6 Login Module Change Summary
When you click Apply, the following actions take place:
A list of tasks in the products is registered to the ACS server. A list of default user rolesSystem Administrator, Network Administrator, Network Operator, Approved, and Help Deskis registered to the ACS server. A mapping of the tasks that the above user roles can execute is registered with the ACS user.
In the case of the LMS bundle, many tasks can be executed in the following products: Campus Manager, Resource Manager Essentials, Internetwork Performance Monitor, Device Fault Manager, and Common Services. The mapping between user roles and these tasks are registered with the user. Note that this is a default mapping of user roles and tasks. You can access this default mapping in the LMS server by navigating to Common Services panel > Server > Reports > Permission Report. Then you can generate the report (see Figure 5-7).

Chapter 5 Secure Views

Figure 5-7

Permission Report

The default mapping between tasks and the roles can be changed in the ACS server, but note that the changed mapping wont be reflected in the permission report.
Restart the Daemon Manager.

On Windows:

Enter net Enter net
stop crmdmgtd start crmdmgtd

On Solaris:

Enter /etc/init.d/dmgtd Enter

/etc/init.d/dmgtd start

Secure Views
Secure Views allows access to perform a task on a device or a set of devices to be restricted. Secure Views is applicable only when CiscoWorks server is in ACS Login mode. Secure Views enable filtering of group membership based on the user and the application task context in which a request is made. Filtering is performed only when operating in ACS Login mode. While operating in non-ACS mode, no filtering is performed and evaluating a group results in all devices that group being returned. To explain secure views, let go through the following example:

Set up the Network Device Groups to contain the following devices:
Click Add Entry. Create two Network Device GroupsNDG2 and NDG3as shown inFigure 5-9.
Creating New Network Device Groups

Figure 5-9

Click the NDG2 link and in the Add AAA Client dialog box, add a device D1 with IP address: 192.168.137.65.
Figure 5-10 Creating New Network Device Groups
Similarly, click on NDG3 (see Figure 5-9 on page 5-8) and add a device D2 with IP address: 92.168.137.69. Assign User Groups a Network Administrators role on Network Device Groups.
Assign Group1 (Joes user group) a Network Administrators role on NDG2. Click Group Setup (see Figure 5-11).
Figure 5-11 Creating New Network Device Groups

c. Step 7

Select the group to which the user Joe belongs, then click Edit Settings.
Create an association for this group with the Network Device Groups that contain the LMS Server (NDG1) and device D1 (NDG2) respectively (see Figure 5-12).
Figure 5-12 Creating An Association Between the LMS Server and a Device

Step 8 Step 9

To update the settings, click Submit+Restart. In the same way, create the association for the group that contains the user Frank and Network Device Groups that contain the LMS Server (NDG1) and device D2 (NDG3) respectively.
In this example, a User Group is assigned a Network Administrator role for certain Network Device Groups in the RME application. This needs to be done for other applications as well. Secured Views is now operational for users Joe and Frank.

Step 10

Lets assume both Joe and Frank access the Config Editor screen:
Navigate to RME panel > Config Management > Config Editor. Click Config Files. Select the Device and Version option, then click Go (see Figure 5-13).
Figure 5-13 Open Config File by Device and Version
Assume group /CS@lms-sun1/System Defined Groups/ Routers/Cisco 7200 Series Routers/Cisco 7204 Router contains two devices:
192.168.137.65 192.168.137.69
When the two users Joe and Frank access the same group in the Config Editor screen, they see different devices in the group. The view for Joe when he accesses the group /CS@lms-sun1/System Defined Groups/ Routers/ Cisco 7200 Series Routers/Cisco 7204 Router will be as follows. He will see only the 192.168.137.65 device in it (as shown in Figure 5-14):
Figure 5-14 Joes View of the Group
The following will be the view for Frank when he accesses the group /CS@lms-sun1/System Defined Groups/ Routers/ Cisco 7200 Series Routers/ Cisco 7204 Router. He will see only the 192.168.137.69 device in it (as shown in Figure 5-15).
Figure 5-15 Franks View of the Group
Why Do We Need to Create a New Role in ACS?
In ACS, the administrator can assign only one role for a user on a Network Device Group. If a user requires privileges other than those associated with the current role, to operate on a Network Device Group, a custom role should be created. All necessary privileges to enable the user operate on the Network Device Group should be given to this role. For example, if a user needs to have Approver and Network Operator privileges to operate on NDG1, you can create a new role with Network Operator and Approver privileges, and assign the role to the user so that he can operate on NDG1.

Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. In the AAA framework, accounting measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities. Access Control Server. Cisco Secure Access Control Server for Windows is AAA server software from Cisco Systems that provides a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. Auto Update Server. The Auto Update server supports a pull model of configuration that can be used for the initial configuration, configuration updates, operating system updates and periodic configuration verification. The Auto Update server is ideal for remote PIX firewall network (including SOHO), remote sales agent, and educational networks. The Auto Update server also supports the management of remote firewalls that are dynamically addressed with DHCP or networks with intermittent connectivity. Authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a users authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied. Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.

accounting

authentication

authorization

Glossary
cluster managed device CDP
SOHO or commercial devices that support the formation of a cluster such as the Cisco Catalyst 2900XL series or Cisco Catalyst 3750 series switches. The Cisco Discovery Protocol (CDP) is a media-independent device discovery protocol that runs on all Cisco manufactured equipment, including routers, bridges, access servers, and switches. CDP Version-2 is the most recent release of the protocol and provides more intelligent device tracking features. This feature allows the creation of self-signed security certificates, which can be used to enable SSL connections between the client browser and management server. Common Services provides an operating foundation that allows CiscoWorks applications to share data and system resources. It also provides a common desktop for launching CiscoWorks applications and centralizes login, user role definitions, and access privileges. Periodic updates to CiscoWorks Common Services 3.0 are made available for download. CiscoWorks Home Page. A web page that a CiscoWorks user accesses after logging into a CiscoWorks server.

Certificate Setup

Common Services
Device and Credentials Repository (DCR) is part of Common Services and acts as a central secure repository for all the device and credential information. All applications within LMS request DCR for device credential information. Since there is a common device and credentials repository, devices populated in DCR can be automatically populated in different applications.

Groups user interface

Any user interface in CiscoWorks in which groups are shown in a device selector window.
Internetwork Operating System. It is an operating system that runs Cisco routers and switches. You use the command line interface to access Cisco IOS software. Because the CLI is divided into many different modes, the commands available to you at any given time depend on the mode that you are currently in. Entering a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each command mode. Cisco IOS IP Service Level Agreement (SLA), a network performance measurement feature in Cisco IOS software, provides a scalable, cost-effective solution for service level monitoring. It eliminates the deployment of dedicated monitoring devices by including the operation capabilities in the routers.

IP SLA

LAN Management Solution (LMS)
CiscoWorks LAN Management Solution (LMS) provides the integrated management tools needed to simplify the configuration, administration, monitoring, and troubleshooting of Cisco networks. It provides IT organizations an integrated system for sharing device information across management applications, automation of device management tasks, visibility into the health and capability of the network, and identification and localization of network trouble.
Network Device Grouping (NDG)
In CiscoSecure Access Control Server, Network Device Grouping (NDG) is an advanced feature that allows you to view and administer a collection of network devices as a single logical group. To simplify administration, each group can be assigned a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within CiscoSecure ACSsingle discrete devices such as an individual router, NAS, or PIX firewall, and an NDG; that is, a collection of routers or AAA servers. Network Management Integration Module. Network Management System.

NMIM NMS

Peer Server Account This feature helps you create users who can programmatically log in to CiscoWorks servers and Setup perform certain tasks. These users should be set up to enable communication between multiple

CiscoWorks servers.

Peer Server Certificate Setup
You can add the certificate of another CiscoWorks server into its trusted store. This will allow one CiscoWorks Server to communicate to another. If a CiscoWorks server needs to communicate to another CiscoWorks server, it must possess the certificate of the other server. You can add certificates of any number of peer CiscoWorks servers to the trusted store.
Per-VLAN Spanning Per VLAN Spanning Tree Plus (PVST+) maintains a spanning tree instance for each VLAN configured Tree + (PVST+) in the network and allows a VLAN trunk to be forwarding for some VLANs while blocking for other
VLANs. Since PVST+ treats each VLAN as a separate network, it has the ability to load balance traffic (at Layer 2) by forwarding some VLANs on one trunk and other VLANs on another trunk without causing a Spanning Tree loop. It uses 802.1Q trunking technology rather than ISL. PVST+ is an enhancement to the 802.1Q specification and is not supported on non-Cisco devices.

pre-deployed device The predeployed device state indicates that the devices are not reachable from the management state servereither they are not in the network or sufficient credentials have not been provided.

RADIUS

Remote Authentication Dial-In User Service. A client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. CiscoWorks Routed WAN Management. This suite of solution applications provides increased visibility into network behavior and quickly identifies performance bottlenecks that can impact short and long-term performance trends. It also provides sophisticated configuration tools to optimize bandwidth and utilization across critical WAN links in the network.

Single Sign On (SSO)

Single Sign On (SSO) helps the user to use a single session to navigate to multiple Cisco Works servers without having to authenticate to each of them. Communication between multiple Cisco Works servers is enabled by a trust model addressed by certificates and shared secrets. Simple Network Management Protocol. CiscoWorks Small Network Management Solution. Secure Shell (SSH), sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely. SSH is actually a suite of three utilitiesslogin, SSH, and SCPthat are secure versions of the earlier UNIX utilities, rlogin, RSH, and RCP. Communication between multiple CiscoWorks servers is enabled by a trust model addressed by Certificates and shared secrets. For communication to occur in multi-server scenarios, System Identity setup should be used to create a trust user on slave and standard servers.

SNMP SNMS SSH

System Identity Setup

TACACS+

Terminal Access Controller Access Control System Plus. TACACS+ allows a separate access server (the TACACS+ server) to provide the services of authentication, authorization, and accounting independently. Each service can be tied into its own database or can use the other services available on that server or on the network. The overall design goal of TACACS+ is to define a standard method for managing dissimilar Network Access Servers from a single set of management services such as a database. A NAS provides connections to a single user, to a network, or subnetwork, and interconnected networks.

CiscoWorks VPN/Security Management Solution. VMS contributes to organizational productivity by combining Web-based tools for configuring, monitoring, and troubleshooting VPNs, firewalls, network intrusion detection systems, and host intrusion prevention systems. CiscoWorks VMS also includes network device inventory, change audit, and software distribution features.

I N D EX

AAA mode setup ACS

5-1 5-3 5-3

CiscoWorks Home Page (continued) invoking

1-2 1-2 1-8

port numbers
registering bookmarks CiscoWorks server
LMS server, setting up login mode

5-6 5-13

cluster managed device, adding navigating between servers cluster managed device adding

2-14 2-13 3-3 2-2, 2-13

new role, creating users, defining ACS server

5-1 5-7

cluster manager, adding

5-2 5-2

integrating with
member number common groups container groups credentials adding

2-2 2-15 2-12

2-4 2-20
Network Device Groups table, enabling AUS. See auto update server auto update server adding

2-16 2-4

command-line interface (DCR)

4-2 4-2

credentials

devices managed by

export to file importing custom name system identity

managed device, adding

2-17 2-8

bookmarks, registering

for custom tools for third party

1-9 1-9

Campus Manager groups
Daemon Manager restarting DCA

3-1 3-1 2-1 2-3 2-11 5-6

CiscoWorks modes of authentication TrustStore configuring customizing CiscoWorks Home Page

1-9 1-3

Device ID

standard devices, adding

DCR. See Device and Credentials Repository Device and Credentials Administration
Device and Credentials Repository auto update server, adding command-line interface DCR modes, changing device-identity attributes internal device identifier master server slave server

2-5 2-7 2-6 2-16 2-20

groups (continued) system defined user defined

2-4 4-3 4-3

device credentials information summary

2-2 2-2 2-8

hide external resources
master and slave configuration setting mode to Master

2-6 2-7

importing devices

2-17 2-2

setting to Slave mode standalone server standard devices

2-6 2-2

internal device identifier
types of devices stored user-defined attributes device-identity attributes

2-2 2-2 2-3

management domain master DCR server

2-5 2-3

management IP address
export devices and credentials into a file Export Format file

2-18 2-18

setting mode to Master SSL port value MDF-Type

2-3 2-7

master-slave configuration prerequisites modes of authentication in CiscoWorks
groups admin common container creating dynamic provider server shared

4-1 4-2 4-2 4-5 4-2 4-5

Network Device Groups table, enabling
peer certificates exchanging

2-8 2-9 5-5 1-9

group name

4-3 4-1 4-2

if the import fails permission report

4-13 4-8

polling interval, urgent message for primary credentials provider groups

4-3 4-4 2-13

sharing across servers single-server scenario static

changing the name

registering an application rule expression components Rx boot mode credentials

1-4 4-6 2-13

user-defined fields customizing

2-16 4-3

user-defined groups
Secure Views configuring shared groups

self signed certificate

3-3 4-2 4-13
sharing groups across servers single-server scenario single sign on domain setting up

3-2 3-2 3-1 4-8

server setup
system identity user password slave DCR server SNMP credentials SSL port value

2-7 2-6 2-7 2-6 2-7

setting to Slave mode
standalone DCR server standard devices adding

2-11 2-3 2-2

setting Standalone mode

sysObjectID

system-defined groups system identity credentials
user on different servers user password
urgent message polling interval user-defined attribute

2-3 1-9

Click Download Updates on the Software Updates page. The Cisco.com and Proxy Server Credentials dialog box appears. Enter your Cisco.com username and password. Both are mandatory. If you have configured proxy settings under Common Services > Server > Security > Cisco.com Connection Management > Proxy Server Setup, enter the Proxy server username and password.

Step 2

Step 3
Click Next. The Destination Location page appears. The destination location should not be the location where CiscoWorks is installed. The default download directory is System Drive:\psu_download. Software Center does not support downloading software or device updates into the same directory where you have installed CiscoWorks Common Services, or any of its sub- directories. Also, you cannot download software or device updates under System directories.

Step 4

Enter the location, or browse to the location using the Browse tab. The destination location must have casuser write-permissions. Click Next. The Summary page appears with a summary of your inputs. Click Finish to confirm the download operation.

Step 5

Step 6
Using the Select Updates Option
To download Common Services 3.0.6 using the Select Updates option:
Click Select Updates in the Software Updates page. The Cisco.com and Proxy Server Credentials dialog box appears. Enter your Cisco.com username and password. Both are mandatory. If you have configured proxy settings under Common Services > Server > Security > Cisco.com Connection Management > Proxy Server Setup, enter the Proxy server username and password. The Available Images page appears. Select the cwcs3_0_6_win_k9.zip file. Click Next. The Destination Location page appears. The destination location should not be the location where CiscoWorks is installed. The default download directory is System Drive:\psu_download. Software Center does not support downloading software or device updates into the same directory where you have installed CiscoWorks Common Services, or any of its sub- directories. Also, you cannot download software or device updates under System directories.

Step 3 Step 4

Enter the location, or browse to the location using the Browse tab. The destination location must have casuser write-permissions.
Installing Common Services 3.0.6
Click Next. The Summary page appears with a summary of your inputs. Click Finish to confirm the download operation.

Step 7

This section provides information on installing Common Services 3.0.6 on a Windows platform. See Downloading Common Services 3.0.6 for information on downloading Common Services 3.0.6. Before you install Common Services 3.0.6, ensure that Common Services 3.0.5 is installed on the CiscoWorks Server. To install Common Services 3.0.6:

Step 1 Step 2

Navigate to the location on your system, where you have downloaded the cwcs3_0_6_win_k9.zip file. Unzip the cwcs3_0_6_win_k9.zip file. The contents of the zip file are extracted to the cwcs3_0_6_win_k9 folder and stored in the system location where you have downloaded the zip file.
Change the directory to cwcs3_0_6_win_k9 by entering:
Downloaded directory/cwcs3_0_6_win_k9
Double- click the cwcs3_0_6_win.exe file. A dialog box appears with the following message:
This will install Common Services 3.0.6. Do you want to proceed?
Click Yes to continue the installation. While installing from the network drive, the Installing from Network Drive window appears. Installation from network drive will be slower when compared to installing from the local drive. Click Yes to proceed or No to exit installation. If the WMI service is up and running, the following message appears when installation starts:
The setup program has detected Windows Management Instrumentation (WMI) services running. This will lock some cisco works processes and may abort installation abruptly. To avoid this, installation will stop and start the WMI services. Do you want to proceed?
Click Yes to proceed or No to exit installation. If Common Services is not installed on the system, this message appears and the installation terminates:
Cannot install Common Services 3.0.6. Common Services 3.0.5 is not installed on your system. You must install Common Services 3.0.5 before installing Common Services 3.0.6. Common Services 3.0.5 is available as a part of the LMS 2.6 at http://www.cisco.com/cgi-bin/tablebuild.pl/lms26.

The IIS detection window appears, if IIS is enabled on the server. IIS should be in disabled state. If not, to disable IIS in your machine, right-click the IIS Admin Service icon from Control Panel and click Stop. IIS is now disabled. You need to go back to your installation screen to resume installation.

Step 8

Click OK to continue. The Welcome window appears. Click Next to continue. The Software License Agreement dialog box appears. Click Accept to accept the license agreement and proceed with the installation. Click Next. If CiscoWorks is in ACS mode, the following message appears:
The application that you are installing requires new tasks to be registered with ACS. If you have already registered this application with ACS from another server, you do not need to register it again. However if you re-register the application, you will lose any custom roles that you had created earlier for this application in ACS.

Step 9

Step 10 Step 11

Step 12

Click:
Yes to register the application with ACS Server. No to continue the installation without registering the application.

Caution

If you click Yes, to register with ACS server, you will lose the custom roles which are defined in the previous version. If you click No, not to register with ACS server, all the custom roles which are defined in Common Services 3.0.5 will be carried forward. The installation program checks the system configuration and required space.

Step 13

Click Next. The Daemons Restart Option window appears with the following message:
Do you want to restart CiscoWorks Daemons at the end of this installation?

Step 14

Click Yes to restart the daemons at the end of the installation. The Summary dialog box appears. Click Next to continue with the installation The installation program installs CS 3.0.6 in the same directory where you have installed CS 3.0.5. Click Finish to complete the installation.

Step 15

Step 16
Uninstalling Common Services 3.0.6
Verifying the Installation
To verify whether Common Services is installed successfully:
Log into CiscoWorks Server. Go to Common Services > Software Center > Software Update. The Software Updates page appears. Check the version for Common Services in the Products Installed table. If Common Services 3.0.6 is installed successfully, it will be listed as 3.0.6.
Use the Uninstall option to remove Common Services files and settings. You must be logged in as administrator to remove Common Services. You cannot uninstall Common Services when other applications that are dependent on Common Services are installed. Before uninstalling Common Services, uninstall these application. To uninstall Common Services 3.0.6:

Go to the Windows desktop, select Start > Programs > CiscoWorks > Uninstall CiscoWorks. If the WMI service is up and running, the following message appears when uninstallation starts:
The setup program has detected Windows Management Instrumentation (WMI) services running. This will lock some cisco works processes and may abort uninstallation abruptly. To avoid this, uninstallation will stop and start the WMI services. Do you want to proceed? Click Yes to proceed with this uninstallation. Click No to exit uninstallation.
The Uninstallation dialog box appears with the installed components.
Select the components you want to remove and click Next. Or Click Select All to uninstall all the components and click Next. You must uninstall all applications dependent on Common Services before uninstalling Common Services. For example, if you select Common Services without selecting CiscoView, the following message appears:
Cannot uninstall CiscoWorks Common Services. It is required for CiscoView.
The Uninstallation dialog box lists the selected components.
Known Problems in Common Services 3.0.6

Click either:

Next to continue uninstallation. Back to return to the component selection box.
The uninstallation proceeds and the Uninstallation Complete dialog box appears after uninstallation completes.
Select Yes, I want to restart my computer now and click Finish.
If you select to uninstall Common Services, you must restart your system after the uninstallation is complete. The subsequent installation of other CiscoWorks products may fail if you do not restart your system.
Resolved Problems in Common Services 3.0.6
This section contains the following sections:
Customer Found Resolved Problems in Common Services 3.0.6 Internally Found Resolved Problems in Common Services 3.0.6
Customer Found Resolved Problems in Common Services 3.0.6
Table 1 lists the customer found resolved problems in Common Services 3.0.6 that are also available in CS 3.1 (with LMS 3.0).
Table 1 Customer Found Resolved Problems in Common Services 3.0.6

Problem CSCsh69046

Description Restoring a backup taken from a non-default location (location other than NMSROOT) of CiscoWorks took longer time to complete. This was because the data restore took time to extract the files into a temporary location.

Explanation This problem has been resolved. With the latest GNU tar files and modified file extraction mechanism, the time taken for restoring a a backup from non-default location is considerably reduced.

CSCdz05119

CiscoWorks Server integrated with Active Directory This problem has been resolved. Server did not support User Principal Name (UPN) CiscoWorks Server integrated with Active Directory based authentication to Active Directory Server. Server now supports UPN based authentication to present the credentials to Active Directory Server.

Table 1

Problem CSCsb97406
Description The CiscoWorks login screen did not launch after entering http://Server_Name:Port_Number in web browser. This happened when the CiscoWorks Server in ACS mode. This was because many threads were launched from CiscoWorks environment.
Explanation This problem has been resolved by closing all connections established between ACS Server and CiscoWorks Server.

CSCsg29627

Apache did not start because of.dll conflict when there were multiple versions of libeay32.dll and ssleay32.dll present in the CiscoWorks system. Apache executable shipped with Common Services contained many unused module files which might cause security risks.
This problem has been resolved. The conflict is resolved by renaming the OpenSSL dlls to cwlibeay32.dll and cwssleay32.dll. This problem has been resolved. Unused modules are now removed from the web server executables.

CSCsg52428

CSCsh87623
GUI screens did not launch when you ran many jobs. This problem has been resolved by replacing the WaitForMultipleObjects function with This was because of improper registration of some of WaitForSingleObject in the Daemon Manager API the jobs. This added the error messages in syslog. code. In a CiscoWorks Server integrated with ACS, devices did not appear in Device Selector although they were added to DCR. This happened when devices in ACS did not have IP Address configured. This problem has been resolved. The devices appear in Device Selector.

CSCsh89486

CSCsh93500
When you added or removed a device from Network This problem has been resolved by rebuilding the Device Group (NDG) in ACS, Core Admin Module device cache. cache corrupted and the devices did not display in CiscoWorks. Stopping Daemon Manager created a core dump in certain cases. Stopping Daemon Manager took a long time. This happened if you run the pdshow command and terminated it when the command did not display any results. This problem has been resolved. This problem has been resolved.

CSCsb71245 CSCsc12829

CSCsd37328
Performing a backup after restoring the data, resulted in a core dump in certain cases. This happened when you performed a backup after you restored the data in the same of version of CiscoWorks LMS software.
This problem has been resolved by generating standard temp files during backup.

CSCse09319

IP Addresses configured using /31 or /32 masks were This problem has been resolved. reported as invalid. The IP Addresses configured using /31 and /32 masks are now treated as valid addresses in CiscoWorks. When an SNMPWalk was performed with no starting oid or.1 specified on a device, it failed. This problem has been resolved.

CSCse96095

Problem CSCsf28207

Explanation

Group Selector selected more than one object during This problem has been resolved by removing the form submit using the Java Script functions. group assignment. This happened because the form was submitted twice. This problem occurred only on Internet Explorer.

CSCsf96866

Device Center did not resolve the hostname and domain name combination. Common Services Core Admin Module did not add any message to the log files when there was a protocol mismatch between ACS and Common Services. Authorization failed for few CiscoWorks applications during Common ServicesACS integration in CiscoWorks. This happened when you entered the hostname of CiscoWorks Server in ACS, instead of IP Address.
This problem has been resolved. Device Center now resolves the hostname and domain name combination of devices. This problem has been resolved. Common Services now adds an error message to the log files when there is a protocol mismatch between ACS and Common Services. This problem has been resolved. Device without IP Address is now added to cache and authorization succeeds for CiscoWorks even if you have configured hostname during Common ServicesACS integration.

CSCsf97090

CSCsg00563

CSCsg02991

SMTP Server Settings did not apply in the Common This problem has been resolved. Services System Preferences page even if you had configured a valid SMTP Server. This occurred when the SMTP HELLO reply spanned multiple lines.

CSCsg33950 CSCsg34042

Edit Identity task was not available in Device Center This problem has been resolved by adding a new link under the Tools section. When you launched the Edit Device Credentials page from Device Center, the wizard buttons were hidden. DCR could not import CSV files with values containing one or more embedded commas. This happened because the values with embedded commas were not parsed properly. This problem has been resolved. The Edit Device Credentials page launched from Device Center now has a vertical scroll bar which helps you to scroll down and see the wizard buttons. This problem has been resolved. The values with embedded commas in DCR CSV import file are now parsed properly.

CSCsg42058

CSCsg48359
This problem has been resolved. Common Services Home displayed the status of Authorization Mode in red although the CiscoWorks The authorization requests are now sent to ACS in the was integrated properly with ACS Server. proper format. This happened because the authorization request was not sent to ACS in the proper format. The Who is Logged On report showed incorrect privileges for users configured in ACS. This problem has been resolved. A warning message stating that the report is valid This was because the report displayed only the local only for the local mode of security is now displayed when you launch the report in ACS mode. privileges for the users.

CSCsg61898

Problem CSCsg86450
CiscoWorks applications such as Device Center and This problem has been resolved. Software Center were not working properly. This happened if you entered the proxy server credentials or if you performed Software Center operations without restarting daemons.

CSCsh27277

When application such as RME used Command Services, during device configuration extra lines were inserted in the commands that spanned over multiple lines. This happened only when applications used SSH Transport protocols provided by Command Services.
This problem has been resolved. Extra lines are not inserted in the commands that spanned over multiple lines.

CSCsh34009

When a device was probed for supported SSH versions, an additional probe was also sent to see if the device listening on Telnet port. The Telnet probe was sent even though Telnet is disabled on the device.

This problem has been resolved. A new API is introduced to probe only the SSH versions.

CSCsh75033

Device Selector appeared empty and did not display This problem has been resolved. the device groups. The device groups are now displayed properly in This problem occurred when certain device types are Device Selector. managed in CiscoWorks. In a DCR Master-Slave setup, packet capture from This problem has been resolved. Slave to Master was not constant and increased over a period of time. The CiscoWorks Online help system was affected by This problem has been resolved. a cross-site vulnerability through the help topics search. LogBackup perl scripts called a missing module which was not part of the software. This problem has been resolved.

CSCsi08393

CSCsi10674

CSCsi72043

Table 2 lists the customer found resolved problems in Common Services 3.0.6 that are also available in CS 3.1.1 (with LMS 3.0 December 2007 Update).
Table 2 Customer Found Resolved Problems in Common Services 3.0.6

Problem CSCsj52471

Description Incorrect Display Name was displayed when you registered the CiscoWorks applications from a remote server in the local server.
Explanation This problem has been resolved. The local server now displays the correct Display Name of the remote server.

CSCsg47200

Software Center did not download software updates This problem has been resolved. and device updates from Cisco.com. Software Center now uses the Base-64 encoder used by the security module which encodes any This occurred for few Cisco.com or Proxy combination of username and password properly. credentials (username and password). This was because wrong Base-64 encoding used in Software Center.

Table 2

Problem CSCsi01380
Description Support for Western Australia DST Time change was not provided. Software Center device and package maps were corrupted. This was because multiple Software Center jobs were started before the completion of the previous jobs.
Explanation This problem has been resolved. The support for Western Australia DST Time change is now available. This problem has been resolved.

CSCsj58812

CSCsj25221
Security vulnerability in processing GIF images in Java Runtime Environment was reported.
This problem has been resolved.
Internally Found Resolved Problems in Common Services 3.0.6
Table 3 lists the resolved problems in Common Services 3.0.6 that are also available in CS 3.1 (with LMS 3.0).

Documentation for Common Services 3.0.6
This table contains the documentation set for Common Services 3.0.6: Document Title Readme for CiscoWorks Common Services 3.0.6 on Solaris Readme for CiscoWorks Common Services 3.0.6 on Windows (this document) Context-sensitive Online help Available Formats PDF on Cisco.com Software Download site: http://www.cisco.com/cgi-bin/tablebuild.pl/cd-one-3des PDF on Cisco.com Software Download site: http://www.cisco.com/cgi-bin/tablebuild.pl/cd-one-3des Part of software image. See Accessing Online Help for more information.
Open Source License Acknowledgements
Documentation for Common Services 3.0.5
This table contains the documentation set for Common Services 3.0.5: Document Title Release Notes for CiscoWorks Common Services 3.0.5 on Solaris Release Notes for CiscoWorks Common Services 3.0.5 on Windows User Guide for CiscoWorks Common Services 3.0.5 Available Formats
PDF on the LMS 2.6 Documentation CD-ROM. On Cisco.com at: http://cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_notes_list.html PDF on the LMS 2.6 Documentation CD-ROM. On Cisco.com at: http://cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_notes_list.html PDF on the LMS 2.6 Documentation CD-ROM. On Cisco.com at: http://cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html PDF on the LMS 2.6 Documentation CD-ROM. On Cisco.com at: http://cisco.com/en/US/products/sw/cscowork/ps3996/prod_installation_guides_list. html
Installation and Setup Guide for CiscoWorks Common Services 3.0.5 (Includes CiscoView) on Solaris Installation and Setup Guide for CiscoWorks Common Services 3.0.5 (Includes CiscoView) on Windows
PDF on the LMS 2.6 Documentation CD-ROM. On Cisco.com at: http://cisco.com/en/US/products/sw/cscowork/ps3996/prod_installation_guides_list. html

Accessing Online Help

To access the Online help, go to CiscoWorks home page and click Help located at the extreme right corner of your browser window. The Online help launches in a separate browser window.

The following acknowledgements pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:

1998-1999 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. 2. 3.

Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project. Redistributions of any form whatsoever must retain the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Youngs, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). The word cryptographic can be left out if the routines from the library being used are not cryptography-related.

If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: This product includes software written by Tim Hudson (tjh@cryptsoft.com).
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
This document is to be used in conjunction with the documents listed in the Common Services 3.0.6 Related Documentation section. CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R) Readme for CiscoWorks Common Services 3.0.6 on Windows Copyright 2007, Cisco Systems, Inc. All rights reserved