SEPTEMBER 2003
LS1016A
LS1032A
BLACK BOX® Advanced Console Server Version 2.1.4 Revision 1a - User Guide

CUSTOMER SUPPORT INFORMATION
Black Box Corporation - 1000 Park Drive - Lawrence, PA 15055-1018
Tech Support and Ordering: 724-746-5500 (1-877-877-BBOX) - Fax: 724-746-0746
To contact us about Black Box products or services: info@blackbox.

BLACK BOX® Advanced Console Server User Guide
Version 2.1.4 Revision 1a
September, 2003
Copyright © Black Box Corporation, 2003
We believe the information in this manual is accurate and reliable. However, we assume no responsibility, financial or otherwise, for any consequences of the use of this product or manual.
Table of Contents

Preface
  Purpose
  Audience and User Levels
    New Users
    Power Users
  How to use this Guide

  Task 1: Connect the BLACK BOX ® Advanced Console Server to the Network and other Devices  49
  Task 2: Configure the COM Port Connection and Log In  52
  Task 3: Modify the System Files  54
  Task 4: Edit the pslave.conf file  57
  Task 5: Activate the changes

  Configuration for CAS, TS, and Dial-in Access
  Data Buffering
    Introduction
    Linear vs. Circular Buffering
    Parameters Involved and Passed Values

  Establishing a Callback with your ISDN PC Card  208
  Establishing a Callback with your ISDN PC Card (2nd way)  210
  Ports Configured as Terminal Servers  213
    TS Setup Wizard  213
    Serial Settings

Appendix B - Cabling, Hardware, and Electrical Specifications
  General Hardware Specifications
  Rear Panel LEDs
    Ethernet Connector
    Console Connector

Appendix E - Software Upgrades and Troubleshooting
  Upgrades  357
    The Upgrade Process  357
  Troubleshooting  359
    Flash Memory Loss

  IPsec Usage
    The IPsec Daemon
    Adding and Removing a Connection
    Starting and Stopping a Connection
    Generating the RSA key pair

Appendix H - Web User Management
  Introduction  405
  Default Configuration for Web User Management  405
  How Web User Management works  407
    Task 1: Check the URL in the Access Limit List  407
    Task 2: Read the Username and the Password

Appendix K - Wiz Application Parameters
  Basic Parameters (wiz)
  Access Method Parameters (wiz --ac)
  Alarm Parameter (wiz --al)
  Authentication Parameters (wiz --auth)
  Data Buffering Parameters (wiz --db)
Preface

Purpose
The purpose of this guide is to provide instruction for users to independently install, configure, and maintain the BLACK BOX ® Advanced Console Server. This manual should be read in the order written, with exceptions given in the text. Whether or not you are a UNIX user, we strongly recommend that you follow the steps given in this manual.

Each configuration task will be separated into a section (a clickable link in the PDF file) for each user type. Users can then skip to the level that matches their expertise and comfort level.

How to use this Guide
This guide is organized into the following sections:
• Chapter 1 - Introduction and Overview contains an explanation of the product and its default CAS setup. It also includes safety guidelines to be followed.
• Appendix H - Web User Management covers default and optional configuration, and the addition/deletion of users, groups, and access limits.
• Appendix I - Connect to Serial Ports from Web enables this process, based on how the serial port is configured.
• Appendix J - Examples for Configuration Testing provides examples for testing the Advanced Secure Console Port Server after configuration.
• Appendix K - Wiz Application Parameters contains all basic and custom wizard parameters.

Glossary Entries
Terms that can be found in the glossary are underlined and slightly larger than the rest of the text. These terms have a hypertext link to the glossary.

Quick Steps
Step-by-step instructions for installing and configuring the BLACK BOX ® Advanced Console Server are numbered with a summarized description of the step for quick reference. Underneath the quick step is a more detailed description. Steps are numbered 1, 2, 3, etc.
Example: ls [OPTION]... [FILE]...

Pipes
The pipe (|) indicates that one of the words separated by this character should be used in the command.
Example: netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w]
When a configuration parameter is defined, the Linux command syntax conventions will also be used, with one difference.

Greater-than and Less-than signs
When text is enclosed in the “<>” characters, the meaning of the text is intended, not the literal text.

Note Box Icons
Note boxes contain instructional or cautionary information that the reader especially needs to bear in mind. There are five levels of note box icons:
Tip. An informational tip or tool that explains and/or expedites the use of the BLACK BOX ® Advanced Console Server.
Important! An important tip that should be read. Review all of these notes for critical information.
Warning! A very important type of tip or warning. Do not ignore this information.
Chapter 1 - Introduction and Overview

The BLACK BOX® Advanced Console Server
The BLACK BOX ® Advanced Console Server is a line of Console Access Servers that allow both local and dial-in access for in-band and out-of-band network management. The units run an embedded version of the Linux operating system. Configuration of the unit is done by editing a few plain-text files, and then updating the versions of the files on the BLACK BOX ® Advanced Console Server.

What’s in the box
There are several models of the BLACK BOX ® Advanced Console Server. Black Box will ship either Cable Package #1 or #2 with the product according to current availability.
Note: Although some BLACK BOX ® Advanced Console Server units in the figures are shown with a dual power supply (A/C or -48VDC), some models may have a single power supply. The single power units will have just one power cable.

[Figure: Back View of the 32-Port unit; package contents shown: Modem Cable, Manual]

[Figure: Back View of the 16-Port unit; package contents shown: Modem Cable, Loop-back Connector; Cable Package #1 OR Cable Package #2]
Safety Instructions
Read all the following safety guidelines to protect yourself and your BLACK BOX ® Advanced Console Server.

DANGER! In order to avoid shorting out your BLACK BOX ® Advanced Console Server when disconnecting the network cable, first unplug the cable from the BLACK BOX ® Advanced Console Server and then from the network jack. When reconnecting a network cable to the BLACK BOX ® Advanced Console Server, first plug the cable into the network jack, and then into the BLACK BOX ® Advanced Console Server.

Important! Keep your BLACK BOX ® Advanced Console Server away from heat sources and do not block cooling vents.

Important! The BLACK BOX ® Advanced Console Server product (DC version) is only intended to be installed in restricted access areas (Dedicated Equipment Rooms, Equipment Closets or the like) in accordance with Articles 110-18, 110-26 and 110-27 of the National Electrical Code, ANSI/NFPA 701, 1999 Edition. Use 18 AWG or 0.
Battery
WARNING: There is the danger of explosion if the battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.

WARNING (German text): Inserting the wrong battery creates a risk of explosion. Replace the battery only with the same type or one recommended by the manufacturer.

FCC Warning Statement
The BLACK BOX ® Advanced Console Server has been tested and found to comply with the limits for Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Danger! (Spanish text) Make sure the equipment is connected to ground to prevent electric shock. The equipment's power cable comes with three prongs to ensure a grounded connection. Do not use adapters or remove the ground prong. If an extension cord must be used, use one with three wires and a grounded plug.

Important! (Spanish text) Keep the BLACK BOX ® Advanced Console Server away from heaters, and make sure not to block the equipment's ventilation.

Important! (Spanish text) The BLACK BOX ® Advanced Console Server with direct current (DC) power must only be installed in restricted access areas, in accordance with Articles 110-18, 110-26, and 110-27 of the National Electrical Code, ANSI/NFPA 701, 1999 Edition. To connect direct current (DC) to the system, use cable of 0.

Battery
Danger! (Spanish text) A new battery can explode if it is not installed correctly. Replace the battery when necessary only with the same type recommended by the battery manufacturer. Dispose of the battery according to the battery manufacturer's instructions.
Chapter 2 - Installation, Configuration, and Usage

Introduction
This chapter will allow you to install and configure the BLACK BOX ® Advanced Console Server as the default CAS configuration. Please read the entire chapter before beginning. A basic installation and configuration should take a half hour at the most, either done manually or with the Wizard. The BLACK BOX ® Advanced Console Server operating system is embedded Linux.

The following table shows the different hardware required for various configuration methods:

Table 1: Hardware vs. Configuration Methods
Hardware                                                                          | Configuration Method
Console, Console Cable (constructed from RJ-45 straight-through cable + adapter) | vi, Wizard, or CLI
Workstation, Hub, Ethernet Cables                                                 | vi, Wizard, CLI, or browser

If you will be using vi, the files that need to be changed are discussed in Configuration using Telnet in this chapter.
Pre-Install Checklist
There are several things you will need to confirm prior to installing and configuring the BLACK BOX ® Advanced Console Server:

Root Access
You will need Root Access on your local UNIX machine in order to use the serial port.

HyperTerminal, Kermit, or Minicom
If you are using a PC, you will need to ensure that HyperTerminal is set up on your Windows operating system.

Task List
There are eight key tasks that you will need to perform to install and configure the BLACK BOX ® Advanced Console Server:
Task 1: Connect the BLACK BOX ® Advanced Console Server to the Network and other Devices.
Task 2: Configure the COM Port Connection and Log In.
Task 3: Modify the System Files.
Task 4: Edit the pslave.conf file.
Task 5: Activate the changes.
Task 6: Test the configuration.
Task 7: Save the changes.

• Domain
Basic Wizard access is covered in the Quick Start in this chapter and also in Configuration Wizard - Basic Wizard in Chapter 3 - Additional Features.

Custom Wizard
Further configuration of the BLACK BOX ® Advanced Console Server can be done through one of several customized wizards. These procedures are explained under their respective topic heading in Chapter 3 - Additional Features.

Quick Start
This Quick Start gives you all the necessary information to quickly configure and start using the BLACK BOX ® Advanced Console Server as a Console Access Server (CAS). The complete version of this process is listed later in this chapter under The Installation and Configuration Process. New Users may wish to follow the latter instruction set, as this Quick Start does not contain a lot of assumed knowledge.
Step 2: Power on the BLACK BOX ® Advanced Console Server. After the BLACK BOX ® Advanced Console Server finishes booting, you will see a login prompt on the console screen.
Step 3: Enter root as login name and tslinux as password.
Step 4: Type wiz and press Enter. A configuration wizard screen will appear in your Hyperterminal session, asking you a series of questions.

• Gateway IP
• Network Mask (if DHCP is disabled)

After you input the requested parameters you will receive a confirmation screen:

Current configuration:
Hostname : CAS
DHCP : enabled
Domain name : mycompany.com
Primary DNS Server : 197.168.160.200
Gateway IP : 192.168.160.1

If the parameters are correct, type “y”; otherwise, type “n” and then “c” when asked whether to change the parameters or quit the program.
Configuration using a Web browser
The BLACK BOX ® Advanced Console Server comes with the DHCP client enabled. If you have a DHCP Server installed on your LAN, you can skip Step 2 below. If not, the DHCP request will fail and an IP address pre-configured on the Console server’s Ethernet interface (192.168.160.10) will be used instead.

To access the BLACK BOX ® Advanced Console Server using your browser:
Step 1: Connect Hub to workstation and BLACK BOX ® Advanced Console Server.

Figure 5: Login page of the Web Configuration Manager
Step 4: Enter root as login name and tslinux as password.
Step 5: Click the Submit button.
This page gives a brief description of all menu options. A menu of links is provided along the left side of the page. A summary of what each link leads to is shown in Table 3: Configuration Section through Table 6: Information Section.

Security Issue. Change the password of the Web root user as soon as possible. The user database for the Web Configuration Manager is separate from the system user database, so the Web root password can differ from the system root password; changing one does not change the other.

Click on the Administration > Run Configuration link, check the Serial Ports/Ethernet/Static Routes box and click on the Activate Configuration button. If you disabled DHCP and changed your Ethernet IP, you will lose your connection. You will need to use your browser to connect to the new IP.
Step 10: Click on the Save Configuration to Flash button. The configuration is saved in flash. The new configuration will be valid and running.
Table 3: Configuration Section
Link Name          | Description of Page Contents
General            | This section contains the configuration tools Unit Description, Ethernet, DNS, Name Service Access, Data Buffering
Syslog             | Configuration for the syslog-ng
SNMP               | Configuration for the SNMP server
Serial Ports       | Configuration of Portslave package
Serial Port Groups | Configuration of User Groups for Serial Ports
Host Table         | Table of hosts in /etc/hosts
Static Routes      | I

Table 4: Administration Section
Link Name               | Description of Page Contents
Reboot                  | Resets the equipment
Download/Upload Image   | Uses an FTP server to load/save a kernel image
Load/Save Configuration | Uses flash memory or an FTP server to load or save the BLACK BOX ® Advanced Console Server’s configuration
Run Configuration       | Makes the configuration changes effective
Set Date/Time           | Set the BLACK BOX ® Advanced Console Server’s date and time
Active Sessions         | CAS

Table 6: Information Section
Link Name            | Description of Page Contents
Interface Statistics | Shows statistics for all active interfaces
DHCP client          | Shows host information from DHCP
Serial Ports         | Shows the status of all serial ports
Routing Table        | Shows the routing table and allows the administrator to add or delete routes
ARP Cache            | Shows the ARP cache
IP Statistics        | Shows IP protocol statistics
ICMP Statistics      | Shows ICMP protocol statistics
TCP Statistics       | Sho
Configuration using Telnet
The BLACK BOX ® Advanced Console Server comes with the DHCP client enabled. If you have a DHCP Server installed on your LAN, you can skip Step 2 below. If not, the DHCP request will fail and an IP address pre-configured on the Console server’s Ethernet interface (192.168.160.10) will be used instead.

To access the BLACK BOX ® Advanced Console Server using telnet:
Step 1: Connect Hub to workstation and BLACK BOX ® Advanced Console Server.

Step 4: Enter root as login name and tslinux as password.
Step 5: Type wiz and press Enter. A Configuration Wizard screen will appear on your telnet screen, asking you a series of questions.

Gateway : eth0
Network Mask : 255.255.255.0

If the parameters are correct, type “y”; otherwise, type “n” and then “c” when asked whether to change the parameters or quit the program. After the parameters are confirmed, the next question will be whether to save the configuration to flash. Select “y” to make the new configuration permanent in non-volatile memory.
The Installation and Configuration Process

Task 1: Connect the BLACK BOX ® Advanced Console Server to the Network and other Devices

Power Users
Connect a PC or terminal to the BLACK BOX ® Advanced Console Server using the console cable. If you are using a PC, HyperTerminal can be used in the Windows operating system and Kermit or Minicom in the UNIX operating system. When the BLACK BOX ® Advanced Console Server boots properly, a login banner will appear.

Tip. We strongly recommend using a 9600 bps console speed. If you need to use another speed, please check Appendix E - Software Upgrades and Troubleshooting.

Important! Always complete ALL the steps for your chosen configuration before testing or switching to another configuration.

Step 1: Plug the power cable into the BLACK BOX ® Advanced Console Server. Insert the female end of the black power cable into the power socket on the BLACK BOX ® Advanced Console Server and the three-prong end into a wall outlet.

DANGER! To help prevent electric shock, plug the BLACK BOX ® Advanced Console Server into a properly grounded power source. The cable is equipped with a 3-prong plug to help ensure proper grounding.
Task 2: Configure the COM Port Connection and Log In

Step 1: Select available COM port. In HyperTerminal (Start > Program > Accessories), select File > Properties, and click the Connect To tab. Select the available COM port number from the Connection dropdown.
Figure 8: Choose a free COM port

Step 2: Configure COM port. Click the Configure button (hidden by the dropdown menu in the above figure).
Figure 9: Port Settings (bits per second: 9600)

Step 3: Power on the BLACK BOX ® Advanced Console Server.

Step 4: Click OK on the Properties window. You will see the BLACK BOX ® Advanced Console Server booting on your screen. After it finishes booting, you will see a login prompt.

Task 3: Modify the System Files

When the BLACK BOX ® Advanced Console Server finishes booting, a prompt will appear (a flashing underline cursor) in your HyperTerminal window. You will modify the following Linux files to let the BLACK BOX ® Advanced Console Server know about its local environment:
/etc/hostname
/etc/hosts
/etc/resolv.
Figure 10: The /etc/hostname file with hostname typed in (LES2800A-16)

Step 4: Modify /etc/hosts. This file should contain the IP address for the Ethernet interface and the same hostname that you entered in the /etc/hostname file. It may also contain IP addresses and host names for other hosts in the network. Modify the file using vi as you did in Step 1. Obtain the IP address from your System Administrator.
127.0.0.1 localhost
192.168.160.10 LS1016A
129.6.15.

Step 6: Modify /etc/network/st_routes. The fourth file defines static routes. In the console server example, the router is a gateway router and thus its IP address is configured in this file to be the default gateway. Other static routes are also configured in this file. If you will be managing servers through a LAN, you don’t need to alter this file.
Tip. Using the vi editor, put the cursor in the first byte after “root:”, then type “ct:x” plus .

Step E: Remove the temporary user boo.
# deluser boo

Step F: Change the password for all users and add the new ones needed.
# passwd
or
# adduser

Step G: Edit /etc/config_files and add a line with “/etc/shadow.”

Task 4: Edit the pslave.conf file

This is the main configuration file (/etc/portslave/pslave.

There are three basic types of parameters in this file:
• conf.* parameters are global or apply to the Ethernet interface.
• all.* parameters are used to set default parameters for all ports.
• s#.* parameters change the default port parameters for individual ports.
An all.* parameter can be overridden by an s#.* parameter appearing later in the pslave.conf file (or vice-versa): for a given port, whichever assignment appears last in the file is the one that takes effect.
all.authtype
This parameter controls the authentication required by the BLACK BOX ® Advanced Console Server. The authentication required by the device to which the user is connecting is controlled separately. There are several authentication type options:
• none (no authentication)
• local (authentication is performed using the /etc/passwd file)
• remote (This is for a terminal profile only.

all.protocol
For the console server configuration, the possible protocols are:
• socket_server (when telnet is used)
• socket_ssh (when ssh version one or two is used)
• raw_data (to exchange data in transparent mode – similar to socket_server mode, but without telnet negotiation, breaks to serial ports, etc.)
An example value would be: socket_server

The Authentication feature
See Authentication in Chapter 3 - Additional Features.
While still in the DOS window, type the following and then press Enter:
telnet <IP address> 7001
An example would be:
telnet 192.168.160.10 7001
If everything is configured correctly, a telnet session should open on the server connected to port 1. If not, check the configuration, follow the above steps again, and check Appendix E - Software Upgrades and Troubleshooting.

Accessing the Serial Ports
There are four ways to access the serial ports, depending on the protocol you configured for that serial port (all.protocol being socket_server for telnet access, socket_ssh for ssh access, etc.). One can access the serial port by statically addressing it (using TCP port number, alias name or IP address) or just access the next free serial port available from an existing pool (by using the pool's TCP port number, alias or IP address).
CAS database or in a Radius/Tacacs/LDAP/Kerberos, etc. database. can be just the TCP port number assigned for that serial port (7001, 7002, etc.), pool of ports (3000, etc.), the alias for the server connected to that serial port or the alias of a pool of ports. is the hostname configured in the workstation where the ssh client will run (through /etc/hosts or DNS table).

z  suspend telnet
b  send break
t  toggle binary
e  exit telnet

Step 2: Press “e” to exit from the session and return to the original menu. Select the exit option and you will return to the shell prompt.
Chapter 3 - Additional Features

Introduction
After the Configuration Wizard section in this chapter, each of the following sections is listed alphabetically and shows how to configure the option using vi, the custom Wizard (when available), browser, where appropriate, and the Command Line Interface (CLI), when available.

Configuration Wizard - Basic Wizard
The configuration wizard application is a quicker and easier way to configure the BLACK BOX ® Advanced Console Server. It is recommended that you use this application if you are not familiar with the vi editor or if you just want to do a quick installation of the BLACK BOX ® Advanced Console Server. The command wiz gets you started with some basic configuration.

3) Press ESC if you want to exit.
NOTE: For some parameters, if there is nothing within the brackets, it will continue to ask for a value. In that case, you must enter a valid value or # if you do not wish to configure the value.
Press ENTER to continue...

Step 2: Press Enter to continue with the wizard. You will see the current configurations and have the choice of setting them to default values, or not.

Tip. On most of the following configuration screens, the default or current value of the parameter is displayed inside brackets. Just press the ENTER key if you are satisfied with the value in the brackets. If not, enter the appropriate parameter and press ENTER. If at any time after choosing whether to set your configurations to default or not, you want to exit the wizard or skip the rest of the configurations, press ESC.

Step 6: If DHCP client is disabled, enter the IP Address of your BLACK BOX ® Advanced Console Server and then press the Enter key. If the DHCP client is enabled, skip this step. This question will only appear if DHCP client is disabled. This is the IP address of the BLACK BOX ® Advanced Console Server within your network. See your network administrator to obtain a valid IP address for the BLACK BOX ® Advanced Console Server.
IP of your system[]: 192.168.160.
***********************************************************
********* C O N F I G U R A T I O N   W I Z A R D *********
***********************************************************
Current configuration:
Hostname: CAS
DHCP: enabled
Domain name: mycompany.com
Primary DNS Server: 197.168.160.200
Gateway IP: 192.168.160.1
Are all these parameters correct (Y)es or (N)o [N]:

If you entered n in Step 5:
Current configuration:
Hostname: CAS
DHCP: disabled
System IP: 192.168.160.

***********************************************************
********* C O N F I G U R A T I O N   W I Z A R D *********
***********************************************************
You can now use the browser to finish your system configurations, but before that, please read below.
(Note: If you are NOT connected to this unit through a console, and you have just reconfigured the IP of this unit, activating the new configurations may cause you to lose connection.
Using the Wizard through your Browser
The Web interface supports wizards for serial ports configuration. The wizard is a useful tool that simplifies configuration of serial ports. The Web interface will access the following wizard files:
• /etc/portslave/pslave.wiz.cas (CAS)
• /etc/portslave/pslave.wiz.ts (TS)
• /etc/portslave/pslave.wiz.

For TS:
• Port Speed
• First RADIUS/TacacsPlus Authentication Server
• First Accounting Server
• RADIUS/TacacsPlus secret
• Protocol (if the protocol is Login, Rlogin, SSH, or Socket Client)
• Socket Port (write the TCP port for the protocol selected; keep the “incremented” option off)

For Dial-in access:
• First RADIUS/TacacsPlus Authentication Server
• First Accounting Server
• RADIUS/TacacsPlus secret
• Remote IP Address (keep the “Incremented” option on
Access Method

all.ipno
This is the default IP address of the BLACK BOX ® Advanced Console Server's serial ports. Any host can access a port using its IP address as long as a path to the address exists in the host's routing table. An example value would be 192.168.1.101+. The “+” indicates that the first port should be addressed as 192.168.1.101 and the following ports should have consecutive values.

all.

all.poll_interval
Valid only for protocols socket_server and raw_data. When not set to zero, this parameter sets the TCP connection keep-alive timer. If no traffic passes through the BLACK BOX ® Advanced Console Server for this period of time, the BLACK BOX ® Advanced Console Server will send a line status message to the remote device to see if the connection is still up. If not configured, 1000 ms is assumed (the unit for this parameter is ms).
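The two rules the guide states for pslave.conf, that an all.* line and an s#.* line override each other in file order (Task 4), and that a trailing “+” on all.ipno assigns consecutive addresses to consecutive ports (all.ipno above), are easy to get wrong when a file has been edited by several people. The following is an added example, not Black Box code and not the Portslave parser: it reads a constructed pslave.conf fragment, computes the effective settings of each port, expands the “+” notation, and lists ports whose effective all.authtype resolves to none so they can be reviewed before the file is activated. The sample file, the port count of 8, and the assumption that a numeric socket_port value also accepts the “+” suffix are the example's own.

```python
"""Resolve the effective per-port configuration of a pslave.conf-style file.

Added example (not Black Box's own code). Rules implemented, as stated in the
guide: conf.* lines are global; all.* lines set defaults for every port; s<N>.*
lines set one port; for a given port the assignment that appears later in the
file wins, whether it is an all.* or an s<N>.* line; a value ending in '+' gives
port 1 the base value and each following port the next consecutive value.
"""
import ipaddress
import re

# Constructed sample fragment in pslave.conf syntax (not taken from the guide).
SAMPLE_CONF = """\
conf.eth_ip     192.168.160.10
all.protocol    socket_server
all.authtype    local
all.ipno        192.168.1.101+
all.socket_port 7001+
s3.protocol     socket_ssh
s5.authtype     none
all.authtype    remote
s7.authtype     none
"""

# scope (conf | all | s<digits>), key, value
PARAM_RE = re.compile(r"^(conf|all|s(\d+))\.(\w+)\s+(\S.*?)\s*$")


def parse_entries(text):
    """Return (scope, port, key, value) tuples in file order; scope is 'conf', 'all' or 's'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments and blank lines
        m = PARAM_RE.match(line)
        if not m:
            continue
        scope, port, key, value = m.groups()
        entries.append(("s" if port else scope, int(port) if port else None, key, value))
    return entries


def expand_increment(value, port_number):
    """Expand the '+' notation for one port: base value for port 1, base + (N-1) for port N.
    IP addresses are stepped with ipaddress; plain integers (assumed here for
    socket_port) are stepped arithmetically; any other value is returned unchanged."""
    if not value.endswith("+"):
        return value
    base = value[:-1]
    try:
        return str(ipaddress.ip_address(base) + (port_number - 1))
    except ValueError:
        pass
    if base.isdigit():
        return str(int(base) + port_number - 1)
    return value


def resolve_ports(text, port_count):
    """Effective settings of ports 1..port_count, applying all.* and s<N>.* lines
    in file order so that whichever assignment comes later takes effect."""
    ports = {n: {} for n in range(1, port_count + 1)}
    for scope, port, key, value in parse_entries(text):
        if scope == "all":
            for n in ports:
                ports[n][key] = expand_increment(value, n)
        elif scope == "s" and port in ports:
            ports[port][key] = expand_increment(value, port)
        # conf.* lines are global, not per-port, and are left out of the result
    return ports


def unauthenticated_ports(ports):
    """Ports whose effective authtype is 'none' (or missing), to review before activation."""
    return sorted(n for n, cfg in ports.items() if cfg.get("authtype", "none") == "none")


if __name__ == "__main__":
    effective = resolve_ports(SAMPLE_CONF, 8)
    for n, cfg in effective.items():
        print(f"s{n}: {cfg}")
    print("ports without authentication:", unauthenticated_ports(effective))
```

In the sample, port 5 ends up with authtype remote even though an s5.authtype none line exists, because the later all.authtype remote line overrides it; port 7, whose s7.authtype none line comes last, is the only one reported. Running the script against a real /etc/portslave/pslave.conf copied off the unit gives the same per-port view before Run Configuration is applied.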
Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page.
Figure 12: Configuration and Administration page (callouts: Serial Ports links, Link Panel)
Step 3: Select the Serial Ports link. Click on the Serial Ports link on the Link Panel to the left of the page or in the Configuration section of the page. This will take you to the Port Selection page.
Figure 13: Port Selection page
Step 4: Select port(s).
Step 5: Click the CAS profile button. Click the CAS profile button in the wizards section. The default CAS profile parameters are now loaded.
Step 6: Scroll down to the Profile section. You can change the settings for all.ipno, all.socket_port, and all.protocol in this section.
Figure 14: Profile Section of Serial Port Configuration page
Step 7: Scroll to the Authentication Section. You can configure the parameter all.users here under Access Restriction on Users.
Step 11: Click on the Serial Port Groups link on the Link Panel. Click the Add Group button that appears. A Serial Ports - Users Group Table Entry page appears.
Figure 15: Serial Ports - Users Group Table Entry page
Step 12: Configure conf.group. Fill in the Group Name and Users fields to configure the group.
Step 13: Click the Submit button. At this point, the configuration file is written in the RAMdisk.
Step 14: Make the changes effective.
This will bring up Screen 1:

Screen 1:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
INSTRUCTIONS for using the Wizard:
You can:
1) Enter the appropriate information for your system and press ENTER.
all.poll_interval : #
all.tx_interval : #
all.idletimeout : #
conf.group : #
Set to defaults? (y/n) [n] :

Screen 3:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.IPNO - This is the default IP address of the system's serial ports. If configured as 192.168.1.101+, the '+' indicates that the first port should be addressed as 192.168.1.
Screen 4:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.PROTOCOL - The possible protocols are telnet, ssh1/ssh2, or raw data. (e.g. socket_server -telnet protocol, socket_ssh -ssh1/ssh2 protocol, raw_data -used to exchange data in transparent mode; similar to socket_server mode but without telnet negotiation breaks to serial ports.)
all.
the connection is still up. If not configured, default is 1000ms. If set to 0, line status messages will not be sent to the socket client.
all.poll_interval[#] :
ALL.TX_INTERVAL - Valid for protocols socket_server and raw_data. This parameter defines the delay (in milliseconds) before transmission to the Ethernet of data received through a serial port. If not configured, 100ms is assumed. If set to 0 or a value above 1000, no buffering will take place.
all.
Screen 7:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration:
(The ones with the '#' means it's not activated.)
all.ipno : #
all.socket_port : 7001+
all.protocol : socket_server
all.users : #
all.poll_interval : #
all.tx_interval : #
all.idletimeout : #
conf.
Screen 8:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
You have 8 available ports on this system.
Type 'q' to quit, a valid port number[1-8], or anything else to refresh :

Note: The number of available ports depends on the system you are on. Typing in a valid port number repeats this program except this time it's configuring for the port number you have chosen.
Screen 10:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time; thus, making updating to memory easier.
CLI Method
To configure certain parameters for a specific serial port:
Step 1: At the command prompt, type in the appropriate command to configure desired parameters.
To activate the serial port. should be ttyS :
config configure line tty
To configure the ipno:
config configure line ipno
To configure the socket_port:
config configure line socket
To configure the protocol.
To configure idletimeout:
config configure line idletimeout
To configure conf.group:
config configure conf group
Tip. You can configure all the parameters for a serial port in one line:
config configure line tty ipno socket protocol modbus users pollinterval txinterval idletimeout
Step 2: Activate and Save.
Configuration for TS

Parameters and Passed Values
For TS configuration, you will need to configure the following parameters:
all.host
The IP address of the host to which the terminals will connect.
all.protocol
For the terminal server configuration, the possible protocols are login (which requests username and password), rlogin (receives username from the BLACK BOX ® Advanced Console Server and requests a password), telnet, ssh, ssh2, or socket_client.
Browser Method
Step 1: Follow the steps 1 to 4 in the section titled Configuration for CAS, “Browser Method” on page 75.
Step 2: Click the TS Profile button in the Wizard section. Configure the following parameters:
Profile section: Protocol (telnet, ssh, rlogin or socket client); Socket port (23 for telnet, 22 for ssh, 513 for rlogin)
Terminal Server section: Host (the name or the IP address of the host); Automatic User
Step 3: Click the Submit button.
Screen 1:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
INSTRUCTIONS for using the Wizard:
You can:
1) Enter the appropriate information for your system and press ENTER.
Screen 3:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.PROTOCOL - Users can access the servers through the serial port using ssh, ssh2, telnet, login, rlogin, or socket_client. (e.g. login -requests username and password, rlogin receives username from the system and requests a password, etc.)
all.protocol[rlogin] :
ALL.
ALL.USERAUTO - Username used when connected to a Unix server from the user's serial terminal.
all.userauto[#] :
Note: all.host is configured under wiz --tso.

Screen 5:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration:
(The ones with the '#' means it's not activated.)
all.protocol : rlogin
all.socket_port : 23
all.
Note: Answering yes to this question will discard only the parameter(s) which you are currently configuring, and only if they were configured for a specific port in a previous session. For instance, if you are currently configuring the parameter all.x and a port-specific value s2.x had been configured, answering yes to this question will discard s2.x.
Screen 7:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
(Note: If you are NOT connected to this unit through a console, and you have just reconfigured the IP of this unit, activating the new configurations may cause you to lose connection.
CLI Method
To configure certain parameters for a specific serial port:
Step 1: At the command prompt, type in the appropriate command to configure desired parameters.
To activate the serial port.
Configuration for Dial-in Access

Parameters and Passed Values
The parameters that need to be configured are shown in the following list.
Note: The character “\” at the end of a line means that the string continues on the next line.
conf.pppd
Location of the ppp daemon with Radius. Default value: /usr/local/sbin/pppd.
all.ipno
This is the default IP address of the BLACK BOX ® Advanced Console Server's serial ports.
Example value:
%j novj \
proxyarp modem asyncmap 000A0000 \
noipx noccp login auth require-pap refusechap \
mtu %t mru %t \
cb-script /etc/portslave/cb_script \
plugin /usr/lib/libpsr.so
all.pppopt
PPP options when user has already been authenticated.
Example value:
%i:%j novj \
proxyarp modem asyncmap 000A0000 \
noipx noccp mtu %t mru %t netmask %m \
idle %I maxconnect %T \
plugin /usr/lib/libpsr.so
all.
Step 3: Scroll down to the Profile section. You can change the settings for all.ipno and all.protocol in this section.
Step 4: Scroll to the Modem section. You can configure the parameter all.initchat here.
Step 5: Scroll to the PPP section. You can configure the parameters all.autoppp and all.pppopt here.
Step 6: Click the Submit button. At this point, the configuration file is written in the RAMdisk.
Step 7: Make the changes effective.
CLI Method
To configure certain parameters for a specific serial port:
Step 1: At the command prompt, type in the appropriate command to configure desired parameters.
To activate the serial port. should be ttyS :
config configure line tty
To configure the protocol.
Authentication

Authentication is the process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
all.authtype (cont.)
• kerberos (authentication is performed using a kerberos server. The IP address and other details of the kerberos server are defined in the file /etc/krb5.
all.radretries
Defines the number of times each Radius/TacacsPlus server is tried before another is contacted. The first server (authhost1) is tried “radretries” times, and then the second (authhost2), if configured, is contacted “radretries” times. If the second also fails to respond, Radius/TacacsPlus authentication fails.
all.secret
This is the shared secret (password) necessary for communication between the BLACK BOX ® Advanced Console Server and the Radius/TacacsPlus servers.
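The fail-over order described for all.radretries and all.radtimeout, as an added simulation (this is not code from the guide or from the unit's firmware). It models only the rule stated above: authhost1 is tried radretries times, then authhost2 if configured, and a server that answers ends the sequence. The server behaviour is injected as a function, so nothing is sent on the network; the host addresses are the ones shown on the wizard summary screen and the answers are constructed.

```python
"""Simulate the Radius/TacacsPlus fail-over order the guide describes for
all.radretries and all.radtimeout.

Added example, not code from the Black Box guide. Only the ordering rule is
modelled: authhost1 is tried radretries times, then authhost2 (if configured)
radretries times; a server that answers (accept or reject) ends the sequence,
and if no server answers, authentication fails. Server behaviour is injected,
so nothing touches the network; hosts and answers are constructed.
"""


def authenticate(servers, radretries, radtimeout, query):
    """servers: [authhost1, authhost2]; '#' or '' marks an unconfigured server.
    query(host) returns 'accept', 'reject', or None (no answer within radtimeout).
    Returns (result, answering_host, attempts, seconds_spent_waiting_on_timeouts)."""
    attempts = timeouts = 0
    for host in servers:
        if not host or host == "#":
            continue                      # unconfigured second server is skipped
        for _ in range(radretries):
            attempts += 1
            answer = query(host)
            if answer is not None:        # any answer, accept or reject, ends the sequence
                return answer, host, attempts, timeouts * radtimeout
            timeouts += 1                 # silent attempt: a full radtimeout elapsed
    return "fail", None, attempts, timeouts * radtimeout


def make_query(answers):
    """Constructed server table {host: 'accept'|'reject'}; hosts not listed never answer."""
    return lambda host: answers.get(host)


# Values from the wizard summary screen on the page (radtimeout 3, radretries 5).
SERVERS = ["192.168.160.3", "192.168.160.4"]
RADTIMEOUT, RADRETRIES = 3, 5

if __name__ == "__main__":
    # Primary silent, secondary accepts: 5 timeouts (15 s) before the login succeeds.
    print(authenticate(SERVERS, RADRETRIES, RADTIMEOUT, make_query({"192.168.160.4": "accept"})))
    # Both silent: 10 attempts, 30 s, then failure.
    print(authenticate(SERVERS, RADRETRIES, RADTIMEOUT, make_query({})))
```

With the page's defaults, a silent primary server delays every login by radretries × radtimeout seconds before the secondary is consulted, and two silent servers mean a 30-second wait before the failure is reported; monitoring that delay is a cheap way to notice a dead authentication server before users do.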
Step 3: Click the Submit button. At this point, the configuration file is written in the RAMdisk.
Step 4: Make changes effective. Click on the Administration > Run Configuration link, check the Serial Ports/Ethernet/Static Routes box and click on the Activate Configuration button.
Step 5: Save it in the flash. Go to the link Administration > Load/Save Configuration and click the Save to Flash button.
Wizard Method
Step 1: Bring up the wizard. At the command prompt, type the following to bring up the Authentication custom wizard:
wiz --auth
Screen 1 will appear.

Screen 1:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
INSTRUCTIONS for using the Wizard:
You can:
1) Enter the appropriate information for your system and press ENTER.
Screen 2:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration:
(The ones with the '#' means it's not activated.)
all.authtype : none
all.authhost1 : 192.168.160.3
all.accthost1 : 192.168.160.3
all.authhost2 : 192.168.160.4
all.accthost2 : 192.168.160.4
all.radtimeout : 3
all.radretries : 5
all.
Note: If authtype is configured as none, local, ldap, or kerberos, the application will skip immediately to the summary screen, because the rest of the parameters pertain only if the system is configured to use a Radius or TacacsPlus server. Configurations for ldap and kerberos are done in /etc/ldap.conf and /etc/krb5.conf, respectively.
ALL.AUTHHOST1 - This IP address indicates where the Radius or TacacsPlus authentication server is located.
all.authhost1[200.200.200.
Screen 5:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.ACCTHOST2 - This IP address indicates where the SECOND Radius or TacacsPlus accounting server is located.
all.accthost2[200.200.200.3] :
ALL.RADTIMEOUT - This is the timeout (in seconds) for a Radius or TacacsPlus authentication query to be answered.
all.
Screen 7:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration:
(The ones with the '#' means it's not activated.)
all.authtype : none
all.authhost1 : 200.200.200.2
all.accthost1 : 200.200.200.3
all.authhost2 : 200.200.200.2
all.accthost2 : 200.200.200.3
all.radtimeout : 3
all.radretries : 5
all.
Typing 'c' leads to Screen 8, typing 'q' leads to Screen 9.

Screen 8:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
You have 8 available ports on this system.
Type 'q' to quit, a valid port number[1-8], or anything else to refresh :
Note: The number of available ports depends on the system you are on.
Screen 10:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time; thus, making updating to memory easier. If you choose to save to flash, your configurations thus far will still be in the memory of the system even after you reboot it.
To configure authhost2:
config configure line authhost2
To configure accthost2:
config configure line accthost2
To configure radtimeout:
config configure line timeout
To configure radretries:
config configure line retries
To configure secret:
config configure line secret
Tip.
NIS Client
NIS (Network Information System) provides simple and generic client-server database access facilities that can be used to distribute information. This makes the network appear as a single system, with the same accounts on all hosts. The objective of this feature is to allow the administrator to manage BLACK BOX ® Advanced Console Server accounts on a NIS server. The NIS client feature needs the following files/commands:
/etc/yp.
You will need to configure the NIS server.
Command: vi /etc/yp.conf
Example: if the NIS server has IP address 192.168.160.110, add the following line to the file:
ypserver 192.168.160.110
Step 3: Edit the /etc/nsswitch.conf file. Change the /etc/nsswitch.conf file (the "System Databases and Name Service Switch" configuration file) to include NIS in the lookup order of the databases.
Step 4: Configure the parameter ".authtype" as "local.
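What the nsswitch.conf edit in Step 3 actually decides at login time, as an added example (not code from the guide, and not glibc's resolver). It follows the nsswitch.conf(5) rules: each source answers success, notfound, unavail or tryagain, and the bracketed [STATUS=action] specs decide whether the lookup stops or continues to the next source. The sample file below is constructed around the shadow/group lines the guide shows; the hosts line is a deliberate contrast, and the negated "[!STATUS=action]" form is not modelled.

```python
"""Evaluate /etc/nsswitch.conf lookup order with action specifications.

Added example, not from the Black Box guide or glibc. Semantics follow
nsswitch.conf(5): every source returns one of success/notfound/unavail/tryagain,
and '[STATUS=action]' after a source overrides the default action for that
status. Defaults: success=return, the other three statuses=continue.
The negated '[!STATUS=action]' form is not modelled here.
"""
import re

DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")   # either a [..] action group or a source name


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]} preserving source order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, spec = line.split(":", 1)
        entries = []
        for bracket, word in _TOKEN.findall(spec):
            if word:
                entries.append((word, dict(DEFAULT_ACTIONS)))
            elif entries:                         # actions apply to the preceding source
                for item in bracket.split():
                    status, action = item.lower().split("=", 1)
                    entries[-1][1][status] = action
        table[db.strip()] = entries
    return table


def lookup(entries, results):
    """Walk one database's sources. results: {source: status} simulating each backend
    (a source missing from results is treated as unavail, i.e. server down).
    Returns (source_that_answered_or_None, final_status)."""
    last = "notfound"
    for source, actions in entries:
        status = results.get(source, "unavail")
        if actions.get(status, "continue") == "return":
            return (source if status == "success" else None), status
        last = status
    return None, last


# Constructed sample: the shadow/group lines follow the guide; hosts is a contrast case.
NSSWITCH = """
passwd: nis [UNAVAIL=continue TRYAGAIN=continue] files
shadow: nis [UNAVAIL=continue TRYAGAIN=continue] files
group:  nis [UNAVAIL=continue TRYAGAIN=continue] files
# constructed contrast: stop at NIS even when the NIS server is down
hosts:  nis [UNAVAIL=return] files
"""

if __name__ == "__main__":
    table = parse_nsswitch(NSSWITCH)
    print("NIS down, shadow:", lookup(table["shadow"], {"nis": "unavail", "files": "success"}))
    print("NIS down, hosts: ", lookup(table["hosts"], {"nis": "unavail", "files": "success"}))
```

The security-relevant consequence is visible in the two printed cases: with the guide's UNAVAIL=continue setting a dead NIS server falls back to the local /etc/shadow, so the local root account still works on the console server; with UNAVAIL=return the same outage makes every lookup fail, which is a lock-out rather than a fallback.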
nsswitch.conf file format
The /etc/nsswitch.
shadow: nis [UNAVAIL=continue TRYAGAIN=continue] files
group: nis [UNAVAIL=continue TRYAGAIN=continue] files

CAS Port Pool
This feature is available for the BLACK BOX ® Advanced Console Server 2.1.3 onward. CAS Port Pooling allows you to access a free serial port from a pool in addition to the original feature where you could access a specific serial port. When you access a serial port through the pool the features sniff session and multiple sessions are not available.
serial port from the pool and that port will be assigned to the connection. If there is no serial port free in the pool, the connection is just dropped.
How to Configure it
Following is an example of serial port pool configuration:
#
# Serial port pool: pool-1
#
s1.tty ttyS1
s1.protocol socket_server
s1.socket_port 7001 // TCP port # for specific allocation
s1.pool_socket_port 3000 // TCP port # for the pool
s1.ipno 10.0.0.1 // IP address for specific allocation
s1.pool_ipno 10.1.0.
s4.tty ttyS4
s4.protocol socket_ssh
s4.socket_port 7004 // TCP port # for specific allocation
s4.pool_socket_port 4000 // TCP port # for the pool
s4.ipno 10.0.0.4 // IP address for specific allocation
s4.pool_ipno 10.2.0.1 // IP address for the pool
s4.serverfarm serial-4 // alias for specific allocation
s4.pool_serverfarm pool-2 // alias for the pool
In the example above, there are two pools:
• pool-1 (identified by Protocol socket_server, TCP port #3000, IP 10.1.0.
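How the per-port settings come together from a file like the one above, as an added example (not code from the guide or from the portslave project). It covers the three rules this chapter states: all.<param> is the default for every port and s<N>.<param> overrides it, a trailing "+" on all.ipno or all.socket_port gives consecutive values per port (the 192.168.1.101+ rule under Access Method), and ports sharing a pool_serverfarm form a pool from which a connection takes any free port or is dropped. The sample configuration is constructed in the guide's syntax; the parser and the pool allocator are assumptions about behaviour, not the unit's implementation.

```python
"""Expand portslave-style serial port configuration into per-port settings.

Added example, not code from the Black Box guide or the portslave project.
It models three rules the guide states:
  * all.<param> is the default for every port; s<N>.<param> overrides it for port N;
  * a trailing '+' on a value (all.ipno 10.0.0.1+, all.socket_port 7001+) gives the
    first port that value and the following ports consecutive values;
  * ports sharing a pool_serverfarm form a pool; a pool connection takes any free
    member port and is dropped when none is free.
"""
import ipaddress
import re

# Constructed sample in the guide's syntax (both '#' lines and trailing '//' comments).
SAMPLE_CONF = """
#
# Serial port pool: pool-1 (constructed example)
#
all.protocol socket_server
all.ipno 10.0.0.1+              // IP address for specific allocation
all.socket_port 7001+           // TCP port # for specific allocation
s1.tty ttyS1
s1.pool_socket_port 3000        // TCP port # for the pool
s1.pool_ipno 10.1.0.1           // IP address for the pool
s1.pool_serverfarm pool-1       // alias for the pool
s2.tty ttyS2
s2.pool_socket_port 3000
s2.pool_ipno 10.1.0.1
s2.pool_serverfarm pool-1
s3.tty ttyS3
s3.protocol socket_ssh          // per-port override of all.protocol
s3.pool_socket_port 4000
s3.pool_ipno 10.2.0.1
s3.pool_serverfarm pool-2
"""

_LINE = re.compile(r"^(all|s(\d+))\.(\w+)\s+(.*?)\s*(?://.*)?$")


def parse_conf(text):
    """Return (defaults, per_port): all.* values and {port_number: {param: value}}."""
    defaults, per_port = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue                      # other line forms are out of scope here
        scope, port, key, value = m.groups()
        if scope == "all":
            defaults[key] = value
        else:
            per_port.setdefault(int(port), {})[key] = value
    return defaults, per_port


def increment(value, offset):
    """Apply the '+' rule: base value plus offset (port 1 -> +0). Other values pass through."""
    if not value.endswith("+"):
        return value
    base = value[:-1]
    if base.isdigit():                                  # TCP port number
        return str(int(base) + offset)
    return str(ipaddress.ip_address(base) + offset)     # IP address


def expand_ports(defaults, per_port):
    """Merge all.* defaults (with '+' applied) and s<N>.* overrides into one dict per port."""
    return {
        n: {**{k: increment(v, n - 1) for k, v in defaults.items()}, **per_port[n]}
        for n in sorted(per_port)
    }


class PortPool:
    """Hand out free member ports of a pool; None means the connection is dropped."""

    def __init__(self, ports):
        self.ports = ports
        self.busy = set()

    def members(self, pool_name):
        return [n for n, cfg in sorted(self.ports.items())
                if cfg.get("pool_serverfarm") == pool_name]

    def connect(self, pool_name):
        for n in self.members(pool_name):
            if n not in self.busy:
                self.busy.add(n)
                return n
        return None                       # no free port in the pool: dropped

    def release(self, n):
        self.busy.discard(n)


if __name__ == "__main__":
    ports = expand_ports(*parse_conf(SAMPLE_CONF))
    for n, cfg in ports.items():
        print(n, cfg["tty"], cfg["ipno"], cfg["socket_port"], cfg["protocol"])
    pool = PortPool(ports)
    print("pool-1 gives", pool.connect("pool-1"), pool.connect("pool-1"), pool.connect("pool-1"))
```

Running it prints port 1 as 10.0.0.1:7001, port 2 as 10.0.0.2:7002 and port 3 as 10.0.0.3:7003 with socket_ssh, and shows pool-1 handing out ports 1 and 2 and then refusing a third connection. Resolving the expanded table this way is also the quickest check that an all.* default with "+" does not silently hand a port an address outside the subnet you intended.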
Clustering
Clustering is available for the BLACK BOX ® Advanced Console Server 2.1.0 and up, and allows the stringing of Terminal Servers so that one Master BLACK BOX ® Advanced Console Server can be used to access all BLACK BOX ® Advanced Console Servers on a LAN.
Parameters Involved and Passed Values
The Master BLACK BOX ® Advanced Console Server must contain references to the Slave ports. The configuration described earlier for Console Access Servers should be followed with the following exceptions for the Master and Slaves:
Table 7: Master Black Box Configuration (where it differs from the CAS standard)
Parameter | Description | Value for this example
conf.eth_ip | Ethernet Interface IP address. |
conf.
Table 7 (continued): Master Black Box Configuration (where it differs from the CAS standard)
Parameter | Description | Value for this example
s33.ipno | This parameter must be created in the Master BLACK BOX ® Advanced Console Server file for every Slave port, unless configured using all.ipno. | 0.0.0.0
s34.tty | See s33.tty. | 20.20.20.2:7034
s34.serverfarm | An alias for this port. | Server_on_slave1_serial_s2
s34.ipno | See s33.ipno. | 0.0.0.0
s35.tty | See s33.tty. | 20.20.20.2:7035
s35.
Table 7 (continued): Master Black Box Configuration (where it differs from the CAS standard)
Parameter | Description | Value for this example
s67.serverfarm | An alias for this port. | Server_on_slave2_serial_s3
s67.ipno | See s33.ipno. | 0.0.0.0
etc. for s68-s96
The Slave BLACK BOX ® Advanced Console Servers do not need to know they are being accessed through the Master BLACK BOX ® Advanced Console Server. (You are creating virtual terminals: virtual serial ports.
Table 9: BLACK BOX ® Advanced Console Server configuration for Slave 2 (where it differs from the CAS standard)
Parameter | Value for this example
conf.eth_ip | 20.20.20.3
all.authtype | none
all.socket_port | 7301+
To access ports from the remote management workstation, use telnet with the secondary IP address:
telnet 209.81.55.110 7001 to access the first port of the Master BLACK BOX ® Advanced Console Server.
telnet 209.81.55.110 7033 to access the first port of Slave 1.
one central server. This file, in our example shown in Figure 17: Example of Centralized Management, is /etc/portslave/TScommon.conf. It must be downloaded to each BLACK BOX ® Advanced Console Server.
Figure 17: Example of Centralized Management
The abbreviated pslave.conf and /etc/hostname files in each unit, for the example, are:
For the /etc/hostname file in unit 1:
unit1
For the pslave.conf file in unit 1:
conf.eth_ip 10.0.0.1
conf.eth_mask 255.0.0.0
conf.
conf.include /etc/portslave/TScommon.conf
For the /etc/hostname file in unit 3:
unit3
For the pslave.conf file in unit 3:
conf.eth_ip 10.0.0.3
conf.eth_mask 255.0.0.0
conf.include /etc/portslave/TScommon.conf
The common include file for the example is:
conf.host_config unit1
conf.host_config unit2
conf.host_config unit3
Step 3: Create, save, and download the common configuration. Create and save the common configuration file on the server, then download it (probably using scp) to each unit. Make sure to put it in the directory set in the pslave.conf file (/etc/portslave in the example).
Step 4: Execute the command signal_ras hup on each unit again.
Step 5: Test each unit. If everything works, add the line /etc/portslave/TScommon.conf to the /etc/config_files file.
New Parameters and Commands
A new parameter, conf.nat_clustering_ip, allows you to enable or disable clustering via the NAT table. This parameter should be configured with the IP address used to access the serial ports. NAT clustering will work regardless of the interface to which this IP address is assigned. Additionally, there are two chains (post_nat_cluster and pre_nat_cluster) that hold all the rules that perform NAT for clustering.
iptables -t nat -F post_nat_cluster
iptables -t nat -F pre_nat_cluster
iptables -t nat -X pre_nat_cluster
iptables -t nat -X post_nat_cluster
iptables -t nat -N pre_nat_cluster
iptables -t nat -N post_nat_cluster
iptables -A PREROUTING -t nat -p tcp -j pre_nat_cluster
iptables -A POSTROUTING -t nat -p tcp -j post_nat_cluster
iptables -A pre_nat_cluster -t nat -p tcp -d --dport -j DNAT --to : .....
How it works
The Master box (BLACK BOX ® Advanced Console Server) will perform two translations for each packet. The destination IP address is translated in the PREROUTING stage. The source IP address is translated in the POSTROUTING stage. The command to start a telnet client session has not changed.
ssh -l
ssh -l
Note: In the old clustering implementation and must be valid in the Master box. In the new clustering they must be valid in the Slave. In the Master box there is no meaning anymore for the remote port's serverfarm and authtype parameters. If you wish to access all clustering ports with the ssh command option -p port, you must assign an IP address to the serial port.
#
conf.eth_ip 64.186.161.108
conf.eth_mask 255.255.255.0
conf.eth_mtu 1500
#
# Secondary ethernet IP address
#
conf.eth_ip_alias 192.168.170.1
conf.eth_mask_alias 255.255.255.0
#
# Local CAS serial ports (32 socket_ssh ports)
#
all.protocol socket_ssh
all.authtype local
all.socket_port 7001+
s[1-32].tty ttyS[1-32]
#
# Remote CAS serial ports, slave-1 (32 socket_ssh ports). This kind of configuration can be used for ssh only; just one entry is necessary.
#
s33.tty 192.168.170.2
s33.
# Remote CAS serial ports, slave-2 (32 socket_server ports)
#
s65.tty 192.168.170.3:7101
s66.tty 192.168.170.3:7102
....
s96.tty 192.168.170.3:7132
s65.socket_port 8001
s66.socket_port 8002
...
s96.socket_port 8032
#
# Remote CAS serial ports, slave-3 (32 socket_ssh ports)
#
s[97-128].tty 192.168.170.[101-132]

Slave-1 box Configuration
#
# Primary ethernet IP address
#
conf.eth_ip 192.168.170.2
conf.eth_mask 255.255.255.0
conf.
Slave-2 box Configuration
#
# Primary ethernet IP address
#
conf.eth_ip 192.168.170.3
conf.eth_mask 255.255.255.0
conf.eth_mtu 1500
#
# Local CAS serial ports (32 socket_server ports)
#
all.protocol socket_server
all.authtype local
all.socket_port 7101+
s[1-32].tty ttyS[1-32]

Slave-3 box Configuration
#
# Primary ethernet IP address
#
conf.eth_ip 192.168.170.4
conf.eth_mask 255.255.255.0
conf.eth_mtu 1500
#
# Local CAS serial ports (32 socket_ssh ports)
#
all.protocol socket_ssh
all.
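The NAT clustering mechanism ("How it works" above: destination rewritten in PREROUTING, source rewritten in POSTROUTING, inside the pre_nat_cluster and post_nat_cluster chains) applied to the Master configuration listed above, as an added example; this is not code from the guide or the unit's firmware. The guide shows the chain set-up commands verbatim but its per-port rule is truncated on the page, so the argument layout of the DNAT and SNAT rules below is an assumption consistent with the description. The entries are the slave-2 socket_server ports from the Master example; the SNAT source is assumed to be the Master's secondary address on the slave subnet (192.168.170.1). The script only generates command strings, it does not run iptables.

```python
"""Generate the iptables NAT rules that let a Master console server forward a
TCP connection for a remote port to the Slave that owns it.

Added example, not code from the Black Box guide. The chain set-up list is the
one printed in the guide; the per-port DNAT/SNAT layout is an assumption that
matches the description (destination rewritten in PREROUTING, source rewritten
in POSTROUTING). Only strings are produced; nothing is applied to the kernel.
"""

CHAIN_SETUP = [  # as listed in the guide: flush, delete, recreate, hook the chains
    "iptables -t nat -F post_nat_cluster",
    "iptables -t nat -F pre_nat_cluster",
    "iptables -t nat -X pre_nat_cluster",
    "iptables -t nat -X post_nat_cluster",
    "iptables -t nat -N pre_nat_cluster",
    "iptables -t nat -N post_nat_cluster",
    "iptables -A PREROUTING -t nat -p tcp -j pre_nat_cluster",
    "iptables -A POSTROUTING -t nat -p tcp -j post_nat_cluster",
]


def remote_ports(entries):
    """Pair each sN.tty 'slave_ip:slave_port' with sN.socket_port (the Master-side port).
    entries: {33: {"tty": "192.168.170.2:7001", "socket_port": "7033"}, ...}.
    Entries whose tty carries no ':port' (the ssh-only form) get no per-port rule here."""
    out = []
    for n in sorted(entries):
        tty = entries[n].get("tty", "")
        if ":" not in tty or "socket_port" not in entries[n]:
            continue
        slave_ip, slave_port = tty.rsplit(":", 1)
        out.append((int(entries[n]["socket_port"]), slave_ip, int(slave_port)))
    return out


def nat_rules(cluster_ip, snat_source, entries):
    """One DNAT rule (pre_nat_cluster) and one SNAT rule (post_nat_cluster) per remote port.
    cluster_ip: conf.nat_clustering_ip, the address clients connect to on the Master.
    snat_source: the Master address the Slave should see as the connection's origin (assumed)."""
    rules = []
    for master_port, slave_ip, slave_port in remote_ports(entries):
        rules.append(
            f"iptables -t nat -A pre_nat_cluster -p tcp -d {cluster_ip} "
            f"--dport {master_port} -j DNAT --to-destination {slave_ip}:{slave_port}")
        rules.append(
            f"iptables -t nat -A post_nat_cluster -p tcp -d {slave_ip} "
            f"--dport {slave_port} -j SNAT --to-source {snat_source}")
    return rules


# Constructed from the Master example on the page: slave-2 socket_server ports,
# plus one ssh-only slave-1 entry that has no TCP port and therefore no DNAT rule.
SAMPLE_ENTRIES = {
    65: {"tty": "192.168.170.3:7101", "socket_port": "8001"},
    66: {"tty": "192.168.170.3:7102", "socket_port": "8002"},
    33: {"tty": "192.168.170.2"},
}

if __name__ == "__main__":
    for line in CHAIN_SETUP + nat_rules("64.186.161.108", "192.168.170.1", SAMPLE_ENTRIES):
        print(line)
```

Two consequences follow from the generated rules and match the note after "How it works": the Slave only ever sees connections arriving from the Master's address, so the username and password must be valid on the Slave, and the Master's own serverfarm and authtype settings for those ports play no part. The flush-and-recreate preamble is what makes re-running the generator after a configuration change safe, since appending to an unflushed chain would leave stale forwardings to a retired Slave in place.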
Example of starting CAS session commands
The serverfarm, socket_port, or tty must be provided to select which serial port is to be connected to in the Slave box 1.
ssh -l :
CronD
CronD is a service provided by the BLACK BOX ® Advanced Console Server system that allows automatic, periodically-run custom-made scripts. It replaces the need for the same commands to be run manually.
Parameters Involved and Passed Values
The following parameters are created in the /etc/crontab_files file:
status
Active or inactive. If this item is not active, the script will not be executed.
user
The process will be run with the privileges of this user, who must be a valid local user.
Configuration for CAS, TS, and Dial-in Access
Important! After creating the shell script and crontab file and modifying the crontab_files file, make sure the file named /etc/config_files contains the names of all files that should be saved to flash. Run the command saveconf after this confirmation.
vi Method
The files Crontab and shell script are created and the file /etc/crontab_files is modified as indicated.
Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page.
Step 3: Click on the Edit Text File link. Click on this link on the Link Panel. You can then pull up the appropriate file and edit it.
Data Buffering
Introduction
Data buffering can be done in local files or in remote files through NFS. When using remote files, the limitation is imposed by the remote Server (disk/partition space) and the data is kept in linear (sequential) files in the remote Server. When using local files, the limitation is imposed by the size of the available ramdisk. You may wish to have data buffering done in file, syslog or both. For syslog, all.syslog_buffering and conf.
Linear vs. Circular Buffering
For local data buffering, this parameter allows users to buffer data in either a circular or linear fashion. Circular format (cir) is a revolving buffer file that is overwritten whenever the limit of the buffer size (set by all.data_buffering) is reached. In linear format (lin), data transmission between the remote device and the serial port ceases once the 4k bytes Rx buffer in the kernel is reached.
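The two local buffering modes as an added model (not code from the guide or the unit's firmware), to make the trade-off concrete: a circular file keeps the newest bytes and silently overwrites the oldest, a linear file keeps everything up to its limit and then stops accepting input, which is the guide's "transmission ceases" behaviour. The file size and the sample bytes are constructed; the class is an assumption about the semantics, not the firmware's file format.

```python
"""Model of the per-port data buffering file in 'cir' and 'lin' mode.

Added example, not code from the Black Box guide. 'cir' is a fixed-size
revolving file: the write position wraps and the oldest bytes are overwritten.
'lin' is a sequential file: once the limit is reached, write() accepts nothing
more, which models the guide's statement that transmission ceases when the
buffers fill. Sizes and data below are constructed.
"""


class DataBufferFile:
    def __init__(self, mode, size):
        if mode not in ("cir", "lin"):
            raise ValueError("mode must be 'cir' or 'lin'")
        self.mode, self.size = mode, size
        self.buf = bytearray()
        self.pos = 0            # next write offset (cir only)
        self.wrapped = False    # becomes True once cir has overwritten old data

    def write(self, data):
        """Store bytes captured from the port. Returns how many were accepted."""
        if self.mode == "lin":
            room = self.size - len(self.buf)
            self.buf += data[:room]
            return min(len(data), room)          # 0 once the linear file is full
        for b in data:
            if self.pos < len(self.buf):
                self.buf[self.pos] = b           # overwrite the oldest byte
            else:
                self.buf.append(b)
            self.pos += 1
            if self.pos == self.size:
                self.pos, self.wrapped = 0, True
        return len(data)

    def contents(self):
        """Return the buffered data in chronological order (cir unrolls the ring)."""
        if self.mode == "lin" or not self.wrapped:
            return bytes(self.buf)
        return bytes(self.buf[self.pos:] + self.buf[:self.pos])

    def lost_oldest(self):
        """True when circular mode has already discarded data a reviewer might want."""
        return self.mode == "cir" and self.wrapped


if __name__ == "__main__":
    # Constructed console output, buffered into an 8-byte file in each mode.
    for mode in ("cir", "lin"):
        f = DataBufferFile(mode, 8)
        accepted = [f.write(chunk) for chunk in (b"login: ", b"root\n", b"# ")]
        print(mode, accepted, f.contents(), "lost oldest:", f.lost_oldest())
```

For an incident reviewer the difference is that a circular file tells you only what happened last, so an attacker's early session may already be gone, while a linear file preserves the start of the record but halts the port once full; the page's all.data_buffering size and the NFS option (which the guide says is not limited by that size) are the knobs for choosing between the two.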
conf.nfs_data_buffering
This is the Remote Network File System where data captured from the serial port will be written instead of being written to the local directory /var/run/DB. The directory tree to which the file will be written must be NFS-mounted, so the remote host must have NFS installed and the administrator must create, export and allow reading/writing to this directory. The size of this file is not limited by the value of the parameter all.
all.syslog_sess
This parameter determines whether syslog is generated when a user is connected to the port or not. Originally, syslog is always generated whether the user is connected to the port or not. Now, users have the option to NOT have syslog generate messages when they connect to a port. This feature does not affect the local data_buffering file. When set to 0 (default), syslog is always generated.
Browser Method
To configure Data Buffering with your browser:
Step 1: Point your browser to the Console Server. In the address or location field of your browser type the Console Access Server’s IP address. For example: http://10.0.0.0
Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page.
Step 3: Select the Serial Ports link.
Step 6: Click the Submit button.
Step 7: Select the General link. Click on the General link on the Link Panel to the left of the page.
Step 8: Scroll down to the Data Buffering section. Choose whether NFS will be used or not, and choose the Data Buffering Facility level here.
Figure 20: Data Buffering section of the General page
Step 9: Click the Submit button.
Step 10: Make the changes effective.
Screen 1:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
INSTRUCTIONS for using the Wizard:
You can:
1) Enter the appropriate information for your system and press ENTER.
Screen 3:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
CONF.NFS_DATA_BUFFERING - This parameter applies only if users choose to remotely buffer data. This is the remote directory name where data buffering will be written to instead of the default directory '/var/run'. If deactivated, data buffering will be done locally.
conf.nfs_data_buffering[#] :
ALL.
ALL.DONT_SHOW_DBMENU - When 0, a menu with data buffering options is shown when a non-empty data buffering file is found. When 1, the data buffering menu is not shown. When 2, the data buffering menu is not shown but the data buffering file is shown if not empty. When 3, the data buffering menu is shown, but without the 'erase and show' and 'erase' options.
all.
Syslog Buffering Feature' section under Generating Alarms in Chapter 3 of the system's manual for the syslog-ng configuration file.)
all.syslog_buffering[0] :

Screen 6:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.SYSLOG_SESS - In order for this parameter to function, make sure syslog buffering is activated.
If you type 'n':
Type 'c' to go back and CORRECT these parameters or 'q' to QUIT :
Typing 'c' repeats the application, typing 'q' exits the entire wiz application.
If you type 'y':
Discard previous port-specific parameters? (y/n) [n] :
Note: Answering yes to this question will discard only the parameter(s) which you are currently configuring if they were configured for a specific port in a previous session. For instance, if you are currently configuring parameter, all.
Note: The number of available ports depends on the system you are on. Typing in a valid port number repeats this program except this time it's configuring for the port number you have chosen. Typing 'q' leads to Screen 9.
Do you want to save your configurations to flash? (y/n) [n] :
CLI Method
To configure certain parameters for a specific serial port:
Step 1: At the command prompt, type in the appropriate command to configure desired parameters.
To activate the serial port.
Tip. You can configure all the parameters for a serial port in one line:
config configure line tty conf nfsdb db dbmode dbmenu dbtimestamp syslogdb
Step 2: Activate and Save. To activate your new configurations and save them to flash, type:
config write
(This is essentially typing signal_ras hup and saveconf from the normal terminal prompt.
DHCP
• Comment all other parameters related to the Ethernet Interface (conf.eth_ip, etc.).
• Add the necessary options to the file /etc/network/dhcpcd_cmd (some options are described below).
2. The BLACK BOX ® Advanced Console Server restores the last IP address previously provided in another boot and assigns this IP address to the Ethernet Interface. For the very first time the unit is powered ON, the IP address restored is 192.168.160.10 in case of failure in the DHCP.
/etc/network/dhcpcd_cmd
Contains the command that activates the DHCP client (used by the cy_ras program). Its factory contents are:
/bin/dhcpcd -c /bin/handle_dhcp
The options that can be used on this command line are:
-D This option forces dhcpcd to set the domain name of the host to the domain name parameter sent by the DHCP server. By default the host's domain name is NOT set from the domain name parameter sent by the DHCP server.
Step 2: Log in as root and type the Web root password configured by the Web server. This takes you to the Configuration and Administration page.
Step 3: Click the General link on the Link Panel. This takes you to the General page.
Step 4: Scroll down to the Ethernet port section. Select the DHCP Client radio button and click the Submit button at the bottom of the page.
Dual Power Management
The BLACK BOX ® Advanced Console Server comes with two power supplies which it can self-monitor. If either of them fails, two actions are performed: sounding a buzzer and generating a syslog message. This automanagement is enabled by default and can be disabled (no actions are taken) or re-enabled at any time by issuing the commands:
signal_ras buzzer off
signal_ras buzzer on
To disable the buzzer at boot time, edit the shell script /bin/ex_wdt_led.sh and remove the keyword "buzzer".
Configuration for TS
vi Method
Same as for CAS.
Configuration for Dial-in Access
vi Method
Same as for CAS.
Filters and Network Address Translation
The Filter feature is available for firmware version 2.1.0 and above; the Network Address Translation (NAT) feature is available for firmware version 2.1.1 and above.
Description
IP filtering consists of allowing or blocking IP packets based on rules that describe the characteristics of the packet, such as the contents of the IP header, the input/output interface, or the protocol.
called when a rule which is matched by the packet points to the chain. Each table has a particular set of built-in chains: for the filter table: for the nat table:
Rule
Each chain has a sequence of rules. These rules contain: When a chain is analyzed, its rules are reviewed one by one until the packet matches a rule. If no rule matches, the chain's default policy is applied.
Syntax
An iptables tutorial is beyond the scope of this manual.
Command
table Can be filter or nat. If the option -t is not specified, the filter table is assumed.
chain Is one of the following:
• for the filter table: INPUT, OUTPUT, FORWARD or a user-created chain.
• for the nat table: PREROUTING, OUTPUT, POSTROUTING or a user-created chain.
Only one command can be specified on the command line unless otherwise specified below.
-Z, --zero Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)
-N, --new-chain Create a new user-defined chain by the given name. There must be no target of that name already.
-X, --delete-chain Delete the specified user-defined chain. There must be no references to the chain.
Rule Specification Options
-p, --protocol [!] protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all.
Match Extensions
-i, --in-interface [!] name Optional name of an interface via which a packet is received (for packets entering the INPUT and FORWARD chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which matches any interface name.
-x, --exact Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.
--line-numbers When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
Iptables can use extended packet matching modules.
[!] --syn Only match TCP packets with the SYN bit set and the ACK and RST bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn", the sense of the option is inverted.
--tcp-option [!] number Match if the TCP option is set.
--source-port [port[,port]] Match if the source port is one of the given ports.
--destination-port [port[,port]] Match if the destination port is one of the given ports.
--port [port[,port]] Match if both the source and destination port are equal to each other and to one of the given ports.
Target Extensions
Iptables can use extended target modules. The following are included in the standard distribution.
LOG Turn on kernel logging of matching packets.
SNAT (nat table only)
--to-source <ipaddr>[-<ipaddr>][:port-port] This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512, those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above.
send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:
Parameters Involved and Passed Values
The file with the iptables rules is /etc/network/firewall. The fwset script saves the iptables rules to /etc/network/firewall (command: iptables-save > /etc/network/firewall) and then saves that file to flash memory.
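Because /etc/network/firewall is written in iptables-save format, it can be audited offline before it is restored on the unit. The following script is an added example (not code from the manual, from iptables or from the console server's fwset script): it parses that format and flags the mistakes that matter most on a console server, an ACCEPT default policy on INPUT/FORWARD, telnet (port 23) reachable from anywhere, and any port accepted without a source restriction. The two rulesets and the 10.0.0.0/24 management subnet are constructed assumptions for the demonstration.

```python
"""Audit a ruleset in iptables-save format, the format the fwset script
writes to /etc/network/firewall.

Added example, not code from the manual or from iptables. SAMPLE_FIREWALL
and HARDENED_FIREWALL are constructed rulesets; the 10.0.0.0/24 management
subnet is an assumption.
"""

# Constructed: a permissive ruleset of the kind a first attempt often produces.
SAMPLE_FIREWALL = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed: default-deny, SSH only from the management subnet, log then drop.
HARDENED_FIREWALL = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
-A INPUT -j DROP
COMMIT
"""

# iptables options the audit cares about; anything else is skipped.
_OPTIONS = {
    "-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
    "-p": "proto", "--protocol": "proto", "-i": "in", "--in-interface": "in",
    "--dport": "dport", "--destination-port": "dport",
    "--sport": "sport", "--source-port": "sport",
    "-j": "target", "--jump": "target", "-m": "match",
}


def _parse_rule(tokens):
    """Turn the tokens of an '-A CHAIN ...' line into a dict of options.
    Handles both negation styles: '! -s 10.0.0.0/8' and '-s ! 10.0.0.0/8'."""
    rule = {"chain": tokens[1]}
    i = 2
    while i < len(tokens):
        negate = tokens[i] == "!"
        if negate:
            i += 1
        name = _OPTIONS.get(tokens[i])
        if name is None:          # unknown option: skip the token, keep parsing
            i += 1
            continue
        val_i = i + 1
        if val_i >= len(tokens):
            break
        if tokens[val_i] == "!":  # older "-s ! addr" negation syntax
            negate, val_i = True, val_i + 1
        rule[name] = ("!" if negate else "") + tokens[val_i]
        i = val_i + 1
    return rule


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # *filter / *nat
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):             # one rule appended to a chain
            tables[table]["rules"].append(_parse_rule(line.split()))
    return tables


def audit_filter_table(tables, mgmt_net="10.0.0.0/24"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    filt = tables.get("filter")
    if filt is None:
        return ["no filter table: every packet is accepted"]
    for chain in ("INPUT", "FORWARD"):
        policy = filt["policies"].get(chain)
        if policy != "DROP":
            findings.append(f"{chain} policy is {policy}, not DROP")
    for rule in filt["rules"]:
        if rule["chain"] != "INPUT" or rule.get("target") != "ACCEPT":
            continue
        if rule.get("in") == "lo":
            continue
        src, dport = rule.get("src"), rule.get("dport")
        if dport == "23":
            findings.append("telnet (23) accepted from " + (src or "any source"))
        elif dport is not None and src is None:
            findings.append(f"port {dport} accepted from any source "
                            f"(expected only {mgmt_net})")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_FIREWALL), ("hardened", HARDENED_FIREWALL)):
        print(name, audit_filter_table(parse_iptables_save(text)) or ["ok"])
```

Run it against the real file with `parse_iptables_save(open("/etc/network/firewall").read())` after Save in File, and treat any finding as a reason not to click Restore from File. Note that the audit reads the saved file, not the live kernel state; rules added with iptables but not yet saved are invisible to it.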
Step 3: Select the IPTables link. On the Configuration section of this page, select the IPTables link. The following page will appear.
Figure 22: First IP Tables page
The options on this page are:
List Chains List all the chains of the selected table.
Save in File Save all the iptables rules, chains and tables to the file /etc/network/firewall.
Restore from File Read the file /etc/network/firewall and make the iptables configuration from that file effective.
Step 5: Edit the chain list. If you need to define new chains, type the name in the Chain Name text input and click the Insert Chain button. If the default policy for a chain needs to be changed, select the chain and click the Edit Chain button. Select the new policy and click Submit.
Step 6: Choose one of the chains and click the List Rules button.
Figure 25: IP Tables Append Rule (table: filter, chain: INPUT)
Note: For many parameters there is a checkbox called inverted. Checking this box inverts the sense of the parameter.
Target Indicates the action to be performed when the IP packet matches the rule. The kernel can ACCEPT the packet, DROP it, LOG it, REJECT it by sending a message, translate the source or destination IP address/port (in the nat table), or send the packet to another user-defined chain.
Protocol Indicates the transport protocol to check. If the numeric value is available, select numeric and type the value in the text input; otherwise, select one of the other options.
Fragments Indicates whether fragments are checked. IP Tables can either check for head fragments and unfragmented packets, or for the subsequent fragments.
TCP options This section appears only when the TCP protocol is selected.
Step 11: Click on the link [IP Tables] if the nat table must be edited. Select the nat table and click on the List Chains button. Repeat steps 5 to 8 to edit the chains and rules in the nat table. The tables presented on the Web page are the same as for the filter table, with the difference that there are more options on the Append/Insert/Replace Rule page:
DNAT/SNAT options This section appears only when the selected target is DNAT or SNAT, respectively.
Generating Alarms
This feature helps the administrator manage the servers. It filters the messages received on the serial port (the server's console) based on their contents, and then performs an action, such as sending an e-mail or pager message. To configure this feature, you need to configure filters and actions in the syslog-ng.conf file. (You can read more about syslog-ng in the Syslog section.)
Port Slave Parameters Involved with Generating Alarms
conf.
Step 3: Select the General link. Click on the General link on the Link Panel to the left of the page in the Configuration section. This will take you to the General page.
Step 4: Scroll down to the Data Buffering section. You can change the Data Buffering Facility value (conf.DB_facility). Click the Submit button.
Step 5: Select the Serial Ports link. Click on the Serial Ports link on the Link Panel to the left of the page in the Configuration section.
Wizard Method
The Alarm Generation custom wizard configures the ALL.ALARM parameter.
Step 1: Bring up the wizard. At the command prompt, type the following to bring up the Alarm Generation custom wizard:
wiz --al
Screen 1 (below) will appear.
Screen 1:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.
Screen 2:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration: (The ones with the '#' means it's not activated.)
all.
Screen 4:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration: (The ones with the '#' means it's not activated.)
all.
Screen 5:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
You have 8 available ports on this system.
Type 'q' to quit, a valid port number[1-8], or anything else to refresh :
Note: The number of available ports depends on the system you are on.
Screen 7:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time; thus, making updating to memory easier. If you choose to save to flash, your configurations thus far will still be in the memory of the system even after you reboot it.
Step 2: Activate and Save. To activate your new configurations and save them to flash, type:
config write
(This is essentially typing signal_ras hup and saveconf from the normal terminal prompt.)
Syslog-ng Configuration to use with Alarm Feature
This configuration example is used for the alarm feature.
Step 1: Configure the pslave.conf file parameter. In the pslave.conf file the parameters of the alarm feature are configured as:
all.alarm 1
conf.
# of this unit and the message that was received from the source.
destination d_mail1 { pipe("/dev/cyc_alarm" template("sendmail -t z@none.com -f a@none.com -s \"ALARM\" -m \"$FULLDATE $HOST $MSG\" -h 10.0.0.2")); };
# Example to send a pager to phone number 123 (Pager server at 10.0.0.
log { source(sysl); filter(f_kpanic); destination(d_mail1); destination(d_trap); };
# To send e-mail and pager if message received from local syslog client has the string
# "root login":
log { source(sysl); filter(f_root); destination(d_mail1); destination(d_pager); };
Alarm, Sendmail, Sendsms and Snmptrap
Alarm
This feature is available only for the Console Server Application.
log { source(sysl); filter(f_kpanic); destination(d_pager); };
To send e-mail:
destination d_mail { pipe("/dev/cyc_alarm" template("sendmail ")); };
To send a pager message:
destination d_pager { pipe("/dev/cyc_alarm" template("sendsms ")); };
To send an snmptrap:
destination d_trap { pipe("/dev/cyc_alarm" template("snmptrap ")); };
Step 4: Connect filters and actions in the syslog-ng configuration file.
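The filter, destination and log blocks above form a small routing table: a console message is tested against each filter, and every matching log path expands its destination templates into a command line written to /dev/cyc_alarm. The script below is an added example (not code from the manual or from syslog-ng) that emulates that chain on constructed sample messages so the fan-out can be checked before touching syslog-ng.conf. The filter strings, mail addresses, the 10.0.0.2 relay and pager number 123 echo the manual's samples; PAGER_SERVER, TRAP_HOST, the trap OIDs and SAMPLE_TIME are assumptions. It also adds the check a practitioner wants here: console text is chosen by whoever writes to the managed server's console, so it is sanitised before being spliced into the command line.

```python
"""Emulate the alarm chain configured above: syslog-ng filters match a
message received on a serial port, a log path fans it out to destinations,
and each destination writes a command line to /dev/cyc_alarm.

Added example, not code from the manual or from syslog-ng. The filter
strings, mail addresses, the 10.0.0.2 mail relay and pager number 123 echo
the manual's own samples; PAGER_SERVER, TRAP_HOST, the trap OIDs and the
sample messages/timestamp are constructed for this example.
"""
import re
from datetime import datetime

MAIL_RELAY = "10.0.0.2"     # -h host in the manual's sendmail example
PAGER = "123"               # pager number from the manual's example
PAGER_SERVER = "10.0.0.3"   # assumption: host running the SMS gateway (port 6701)
TRAP_HOST = "10.0.0.4"      # assumption: SNMP manager receiving the trap
SAMPLE_TIME = datetime(2003, 9, 1, 12, 0, 0)   # constructed timestamp for the demo

# Equivalent of: filter f_kpanic { match("Kernel panic"); };  etc.
FILTERS = {
    "f_kpanic": re.compile(r"Kernel panic", re.IGNORECASE),
    "f_root": re.compile(r"root login"),
}

# Equivalent of the destination blocks: the template string that would be
# written to /dev/cyc_alarm, with the syslog-ng macros still unexpanded.
DESTINATIONS = {
    "d_mail1": ('sendmail -t z@none.com -f a@none.com -s "ALARM" '
                '-m "$FULLDATE $HOST $MSG" -h ' + MAIL_RELAY),
    "d_pager": 'sendsms -d ' + PAGER + ' -m "$HOST $MSG" ' + PAGER_SERVER,
    # SNMPv1 enterprise-specific trap (generic 6); the OIDs are illustrative
    "d_trap": ("snmptrap -v 1 -c public " + TRAP_HOST +
               " '' '' 6 1 '' .1.3.6.1.4.1.1 s \"$MSG\""),
}

# Equivalent of the log { source(sysl); filter(...); destination(...); }; paths.
LOG_PATHS = [
    ("f_kpanic", ["d_mail1", "d_trap"]),
    ("f_root", ["d_mail1", "d_pager"]),
]

# Console output is attacker-influenced text. Replace anything that could
# close the quoted -m argument or carry shell metacharacters before it is
# spliced into a command line (defensive regardless of how /dev/cyc_alarm
# executes the line).
_UNSAFE = re.compile(r"[^\w .:/@,()\[\]-]")


def shell_safe(text):
    """Neutralise quote, semicolon, backtick, $ and similar characters."""
    return _UNSAFE.sub("_", text)


def expand_template(template, host, msg, when):
    """Expand the syslog-ng macros used by the manual's templates."""
    return (template.replace("$FULLDATE", when.strftime("%Y %b %d %H:%M:%S"))
                    .replace("$HOST", host)
                    .replace("$MSG", shell_safe(msg)))


def route(host, msg, when=None):
    """Return [(destination_name, command_line), ...] for one console message.
    The raw message is matched by the filters; only the expanded command is
    sanitised, so a filter still sees the text exactly as received."""
    when = when or datetime.now()
    fired = []
    for filter_name, dests in LOG_PATHS:
        if FILTERS[filter_name].search(msg):
            for dest in dests:
                fired.append((dest, expand_template(DESTINATIONS[dest], host, msg, when)))
    return fired


if __name__ == "__main__":
    for dest, cmd in route("server1", "Kernel panic - not syncing: VFS", SAMPLE_TIME):
        print(dest, "->", cmd)
```

A message that matches no filter fires nothing, which is the behaviour to verify for the noise a console produces at boot; a message matching several filters fires every listed destination once per log path, so overlapping filters produce duplicate mails.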
Synopsis: sendmail -t [,] [-c [,]] [-b [,]] [-r ] -f -s -m -h [-p ]
where:
-t [,] "To:" Required. Multi-part allowed (multiple names are separated by commas). Names are expanded as explained below.
[-c [,]] "Cc:" Optional. Multi-part allowed (multiple names are separated by commas).
[-b [,]] "Bcc:" Optional.
Sendsms
sendsms is the Linux command line client for the SMSLink project. It accepts command line parameters that define the message to be sent and transmits them to the SMS server process running on the designated server. sendsms was developed specifically for easy calling from shell scripts or similar situations.
Synopsis: sendsms [-r] [-g] [-v] -d dest (-m message or -f msgfile) [-u user] [-p port] server
where:
-r Reporting.
-d dest (cont.) If there are any doubts, please contact the SMS server administrator for your network. Always include the area code (even when sending to a destination in the same "area", i.e., on the same network). A number without the area code, though syntactically correct and accepted by the network, may never get delivered.
-m message Required (use one and only one of "-m" or "-f"). The text of the message to be sent.
server Required. The host name or IP address of the computer where the SMS gateway server process is running. By default, this server listens on TCP port 6701.
Upon success (when the server module reports that the message was successfully sent), sendsms returns 0. When a problem occurs, a non-zero value is returned; different return values indicate different problems. A return value of 1 indicates a general failure of the client program.
where:
-Ci Optional. Sends an INFORM-PDU.
common arguments Required. They are: "-c "
enterprise-oid Required, but it can be empty ('').
agent Required, but it can be empty (''). The agent name.
generic-trap The generic trap number: 2 (link down), 3 (link up), 4 (authentication failure), ...
specific-trap Required. The specific trap number.
uptime Required.
[objectID type value] Optional. objectID is the object OID.
Help
Help Wizard Information
Synopsis: wiz [--OPTIONS] [--port ]
Note: To directly configure a feature for a specific serial port, use the "--port" option after "wiz --[option]".
Note: Make sure there are two hyphens before any of the options listed in the following table.
Table 10: General Options for the Help Wizard
Option Description
sl Configuration of syslog parameters
snf Configuration of sniffing parameters
sset Configuration of serial setting parameters
tl Configuration of terminal login display parameters
tso Configuration of other parameters specific to the TS profile
Step 1: Bring up the wizard.
Table 11: Help CLI Options - Synopsis 1
Option Actual Parameter Modified
accthost1 accthost1
accthost2 accthost2
adminusers admin_users
alarm alarm
authhost1 authhost1
authhost2 authhost2
authtype authtype
auto_input auto_answer_input
auto_output auto_answer_output
break break_sequence
datasize datasize
databuffering data_buffering
dbmenu dont_show_DBmenu
dbm
Table 11: Help CLI Options - Synopsis 1 (cont.)
Option Actual Parameter Modified
ipno ipno
issue issue
lf lf_suppress
modbus modbus_smode
multiplesess multiple_sessions
parity parity
pmkey pmkey
pmnumofoutlets pmNumOfOutlets
pmoutlet pmoutlet
pmtype pmtype
pmusers pmusers
pollinterval poll_interval
prompt prompt
protocol protocol
Table 11: Help CLI Options - Synopsis 1 (cont.)
Option Actual Parameter Modified
syslog_sess syslogsess
telnetclientmode ber> term
timeout timeout
tty tty
txinterval tx_interval
userauto userauto
users users
(Refer to Appendix C for more info on the parameters.)
(Refer to Appendix C for more info on the parameters.)
Synopsis 3 - Configuration of other Conf. Parameters
config configure conf [options]
or in CLI mode:
configure conf [options]
Table 13: Help CLI Options - Synopsis 3
Option Actual Parameter Modified
dbfacility conf.DB_facility
facility conf.facility
group conf.group
locallogins conf.locallogins
nfsdb conf.
Note: To include spaces within the string you are configuring, enclose the string in single or double quotes. For instance, to configure s2.sttyCmd -igncr -onlcr, type (do not put a space after a comma):
config configure line 2 sttycmd "-igncr -onlcr"
Tip. You can specify a range or list of serial ports if you wish to configure the same parameters for several ports. For instance, to configure parameters for ports 2 through 4, you can type this command:
config configure line 2-4 [options]
NTP
The ntpclient is a Network Time Protocol (RFC-1305) client for UNIX- and Linux-based computers. For the BLACK BOX ® Advanced Console Server to work as an NTP client, the IP address of the NTP server must be set in the file /etc/ntpclient.conf. The shell script /bin/ntpclient.sh reads the configuration file (/etc/ntpclient.conf) and builds the command line to call the /bin/ntpclient program.
Parameters Involved and Passed Values
The file /etc/ntpclient.
Configuration for CAS, TS, and Dial-in Access
vi Method
Files to be changed: /etc/ntpclient.conf
Browser Method
To configure NTP with your browser:
Step 1: Point your browser to the Console Server. In the address or location field of your browser, type the Console Access Server's IP address. For example: http://10.0.0.0
Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page.
PCMCIA
Warning! Although there are two PCMCIA slots in the BLACK BOX ® Advanced Console Server, only one is currently supported: the bottom slot. Future software versions will allow use of the second slot.
Note: This section applies only to the model of the BLACK BOX ® Advanced Console Server that has a dual power supply.
Supported Cards
The BLACK BOX ® Advanced Console Server supports 16-bit PC Cards. 32-bit CardBus PC Cards are not supported.
cardctl eject 1 for the upper slot
PCMCIA Network Configuration
Note: Due to a known problem in the current release, the I/O ports used by the card cannot be re-used after card re-insertion. On each card insertion, the card gets a different I/O port. This limits the number of times the card can be ejected and inserted. When all the I/O ports known by the card are used, the message RequestIO: No more items is displayed, and the only way to reset the I/O port usage is to reboot the system.
Remove the # at the beginning of the line, and change the IPs to suit your network configuration. For instance, you may want the following configuration:
auto eth1
iface eth1 inet static
address 192.168.162.10
network 192.168.162.0
netmask 255.255.255.0
broadcast 192.168.162.255
gateway 192.168.162.1
Don't forget to run saveconf to save this configuration in flash, so that it is restored on the next boot.
There is a generic sample at the end of the wireless.opts file that explains all possible settings.
Note: The "s:" prefix in the KEY line indicates that the key is an ASCII string, as opposed to hex digits. Five characters or ten hex digits can be entered for WEP 40-bit, and 13 characters or 26 hex digits for WEP 128-bit. WEP of either key length is cryptographically broken and its key can be recovered from captured traffic, so treat a WEP-protected wireless link as untrusted and do not rely on it to protect console sessions.
For more details on wireless configuration, search for the iwconfig manpage on the Internet. The parameters in wireless.opts are used by the iwconfig utility.
When a modem card is detected, cardmgr starts a script which loads mgetty for the modem device automatically. mgetty provides the login screen to the remote user. mgetty may also be configured to start PPP (pppd) and let PPP log in the caller. The steps to allow PPP connections are:
Step 1: Enable login and PAP authentication in /etc/mgetty/login.config. Enable the desired authentication in /etc/mgetty/login.config.
Step 6: Save /etc/ppp/options.ttyS33 in flash.
Step 7: Create an entry in /etc/config_files. It should have the name of the file you created, so that the new file can be saved to flash. For instance, you will have to add a line with /etc/ppp/options.ttyS33 to /etc/config_files.
Step 8: Run saveconf to save the files listed in /etc/config_files to flash.
Step 9: Insert the PCMCIA modem if not inserted yet.
Step 10: Run ps to see that mgetty is running.
Server Side BLACK BOX ® Advanced Console Server Setup
Step 1: Enable authentication. Enable the desired authentication in /etc/mgetty/login.config. For instance, you may want the following line in /etc/mgetty/login.config to enable PAP and system password database authentication:
/AutoPPP/ - a_ppp /usr/local/sbin/pppd auth -chap +pap login nobsdcomp nodeflate
Note that PAP sends the password in clear text over the dial-up link; where the dialling client supports CHAP, prefer +chap -pap so the password itself never crosses the line.
Step 2: Configure a pseudo callback user. Add the following line to /etc/mgetty/login.
Step 5b: If you want to limit myUserName to ONLY PPP access and NOT shell access to the server, edit the entry for myUserName in /etc/passwd. Do this by replacing /bin/sh with the pathname of a script that you will create later. In the following example, the script is /usr/ppp/ppplogin:
myUserName:$1$/3Qc1pGe$./h3hzkaJQJ/:503:503:Embedix User,,,:/home/myUserName:/usr/ppp/ppplogin
Step 6: If you executed Step 5b, create the ppp login script.
Client Side Setup
Step 1: Activate the Show Terminal Window option. (From Win2000) Go to your Connection window (the window to dial the BLACK BOX ® Advanced Console Server) -> Properties -> Security -> look for Interactive Logon and Scripting -> click on Show Terminal Window.
Step 2: Disable/enable encryption protocols. If you are going to be using a PPP connection with PAP authentication, make sure you disable all other encryption protocols.
• Log in through character mode: Log in with username and password. You will get the BLACK BOX ® Advanced Console Server shell prompt.
• Log in through PPP: Click on Done in the Terminal Window.
ISDN PC Cards
You can establish synchronous PPP connections with ISDN cards. The ipppd is the daemon that handles synchronous PPP connections.
How to configure dial in
Step 1: Create a user.
/etc/pcmcia/isdn stop ippp0
/etc/pcmcia/isdn start ippp0
Step 6: You can dial from the remote system to the BLACK BOX ® Advanced Console Server and get a PPP connection.
Step 7: To hang up the connection from the BLACK BOX ® Advanced Console Server side, just issue:
isdnctrl hangup ippp0
How to configure dial out
Step 1: Create a user. Create a user in /etc/ppp/pap-secrets or in /etc/ppp/chap-secrets, depending on whether you want PAP or CHAP authentication.
Step 2: Change options.
Step 7: To hang up the connection from the BLACK BOX ® Advanced Console Server side, just issue:
isdnctrl hangup ippp0
Establishing a Callback with your ISDN PC Card
For the same cost-saving reasons explained in Establishing a Callback with your Modem PC Card, the ISDN card in the BLACK BOX ® Advanced Console Server can be configured to call back client machines after receiving dial-in calls. The steps to allow callback are divided into two parts.
Step 4: Make sure CALLBACK is set to "in" in /etc/pcmcia/isdn.opts.
CALLBACK="in" # "in" will enable callback for incoming calls.
Step 5: Uncomment the line with user "mary" in /etc/ppp/pap-secrets.
Step 6: Save changes to flash.
saveconf
Step 7: Activate the changes by stopping and starting the isdn script:
/etc/pcmcia/isdn stop ippp0
/etc/pcmcia/isdn start ippp0
The BLACK BOX ® Advanced Console Server side is done.
"mary" Properties, select the Callback tab and make sure the option "Do not allow callback" is selected. After any change in the Incoming Connection Properties, it is recommended that Windows is rebooted to apply the changes. The Windows side is done. Now you can dial from Windows to the BLACK BOX ® Advanced Console Server. Go to Start -> Settings -> "Network and Dial-up Connections" and select the dial-up connection that you created.
Step 1.2: Configure the DIALIN_REMOTENUMBER. If your ISDN line supports caller ID, it is recommended that you also configure the DIALIN_REMOTENUMBER and enable secure calls. Otherwise skip to Step 1.3.
DIALIN_REMOTENUMBER="8358662" # Remote phone from which you will
                              # receive calls
SECURE="on" # "on" = incoming calls accepted only if remote
            # phone matches DIALIN_REMOTENUMBER; "off" =
            # accepts calls from any phone. "on" will work
            # only if your line has the caller id info.
Keep in mind that the caller-ID check only filters which calls are answered; the caller still has to pass PAP/CHAP authentication, and caller ID on its own should not be treated as proof of who is calling.
saveconf
Step 6: Activate the changes by stopping and starting the isdn script:
/etc/pcmcia/isdn stop ippp0
/etc/pcmcia/isdn start ippp0
Linux (Callback Client)
Step 1: Configure the ipppd to have user mary and PAP authentication.
Step 2: Dial to the BLACK BOX ® Advanced Console Server:
isdnctrl dial ippp0
Step 3: As soon as the BLACK BOX ® Advanced Console Server authenticates the user mary, it will disconnect and call back.
Ports Configured as Terminal Servers
There are TS-specific parameters that must be configured when using the serial ports with the TS profile. The configuration of these TS-specific parameters is described in this section. Additional configuration for TS is described in Access Method and Serial Settings in Chapter 3, and in Appendix C - The pslave Configuration File.
TS Setup Wizard
The Wizard can be used to configure TS-specific parameters.
Press ENTER to continue...
Screen 2:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration: (The ones with the '#' means it's not activated.)
all.host : 192.168.160.8
all.term : vt100
conf.
placing a '!' before the user's login name, then using their normal password. This is useful if the RADIUS authentication server is down.
conf.locallogins[0] :
Screen 5:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration: (The ones with the '#' means it's not activated.)
all.host : 192.168.160.8
all.term : vt100
conf.
Screen 6:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
You have 8 available ports on this system.
Type 'q' to quit, a valid port number[1-8], or anything else to refresh :
Tip. The number of available ports depends on the system you are on.
Screen 8:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time; thus, making updating to memory easier.
CLI Method
To configure certain parameters for a specific serial port:
Step 1: At the command prompt, type in the appropriate command to configure the desired parameters.
To activate the serial port (the value should be ttyS ): config configure line tty
To configure host: config configure line host
To configure term: config configure line term
To configure conf.
Serial Settings
This feature controls the speed, data size, parity, and stop bits of all ports. It also sets the flow control to hardware, software, or none; the DCD signal; and the tty settings applied after a socket connection to that serial port is established.
Parameters Involved and Passed Values
Terminal Settings involve the following parameters (the first four are physical parameters):
all.speed The speed for all ports. Default value: 9600.
all.
all.sttyCmd (for CAS only) The TTY is programmed to work as configured and this user-specific configuration is applied over that serial port. Parameters must be separated by a space. The following example sets:
-igncr Do not ignore carriage return on input.
-onlcr Do not map newline to a carriage return-newline sequence on output.
opost Post-process output.
-icrnl Do not map carriage return to newline on input.
all.
Step 3: Select the Serial Ports link. Click on the Serial Ports link on the Link Panel to the left of the page or in the Configuration section of the page. This will take you to the Port Selection page.
Step 4: Select port(s). On the Port Selection page, choose all ports or an individual port to configure from the dropdown menu. Click the Submit button. This will take you to the Serial Port Configuration page.
Step 5: Click the "CAS Profile" button.
Screen 1:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
INSTRUCTIONS for using the Wizard:
You can:
1) Enter the appropriate information for your system and press ENTER.
all.sttyCmd :
# Set to defaults? (y/n) [n] :
Screen 3:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.SPEED - The data speed in bits per second (bps) of all ports.
all.speed[9600] :
ALL.DATASIZE - The data size in bits per character of all ports.
all.
Screen 5:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.FLOW - This sets the flow control to hardware, software, or none. (e.g. hard, soft, none)
all.flow[none] :
ALL.DCD - DCD signal (sets the tty parameter CLOCAL). Valid values are 0 or 1. In a socket session, if all.
Chapter 3 - Additional Features ALL.STTYCMD - Tty settings after a socket connection to that serial port is established. The tty is programmed to work as a CAS profile and this user specific configuration is applied over that serial port. Parameters must be separated by space.(e.g. all.
Serial Settings Note: Answering yes to this question will discard only the parameter(s) which you are currently configuring if they were configured for a specific port in a previous session. For instance, if you are currently configuring parameter, all.x, and there was a specific port, s2.x, configured; then, answering yes to this question will discard s2.x. Type 'c' to CONTINUE to set these parameters for specific ports or 'q' to QUIT : Typing 'c' leads to Screen 8, typing 'q' leads to Screen 9.
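The all.x versus sN.x rule in the note above (the same note is repeated in the Session Sniffing wizard) is easy to get wrong when a fleet-wide setting such as all.admin_users is pushed while one port quietly keeps its own sN.admin_users. The following Python script, added here as an example and not code from the unit's PortSlave, parses a pslave.conf-style text into defaults and per-port overrides, resolves the value that applies to a given port, mimics the wizard's "discard previous port-specific parameters" choice, and lists the ports that still deviate from the all.* value. The sample configuration is constructed; the parameter names are the ones used on this page.

```python
"""Resolve the effective value of a pslave.conf parameter for a serial port.

all.<param> and conf.<param> lines set the default, sN.<param> lines override it
for port N, and the wizard's "Discard previous port-specific parameters?" answer
decides whether those overrides survive a new all.<param> value.
Added example; not the PortSlave code shipped on the unit."""
import re

# all.<param> value | conf.<param> value | sN.<param> value
_LINE_RE = re.compile(r"^(?P<scope>all|conf|s\d+)\.(?P<param>\w+)\s+(?P<value>.*?)\s*$")


def parse_pslave(text):
    """-> {param: {"default": value or None, "ports": {N: value}}}.
    Lines starting with '#' are commented out (not activated) and are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable pslave.conf line: %r" % raw)
        entry = params.setdefault(m["param"], {"default": None, "ports": {}})
        if m["scope"].startswith("s"):
            entry["ports"][int(m["scope"][1:])] = m["value"]
        else:
            entry["default"] = m["value"]
    return params


def effective(params, port, param):
    """Value that applies to serial port `port`: the sN override if present, else all.<param>."""
    entry = params[param]
    return entry["ports"].get(port, entry["default"])


def set_all(params, param, value, discard_port_specific=False):
    """Mimic the wizard: write all.<param>; with discard=True also drop every sN.<param>,
    which is the case the note describes (all.x set, s2.x discarded)."""
    entry = params.setdefault(param, {"default": None, "ports": {}})
    entry["default"] = value
    if discard_port_specific:
        entry["ports"].clear()
    return entry


def overrides(params, param):
    """Ports whose sN.<param> differs from all.<param>: the list to audit before trusting
    a fleet-wide value such as all.admin_users."""
    entry = params[param]
    return {p: v for p, v in entry["ports"].items() if v != entry["default"]}


# Constructed sample, not a file taken from a unit.
SAMPLE_CONF = """\
# constructed sample pslave.conf fragment
conf.DB_facility 1
all.speed 9600
all.admin_users root
all.escape_char ^z
s2.speed 19200
s3.admin_users root,oper
#s4.speed 38400
"""

if __name__ == "__main__":
    cfg = parse_pslave(SAMPLE_CONF)
    print("port 2 speed:", effective(cfg, 2, "speed"))
    print("ports deviating from all.admin_users:", overrides(cfg, "admin_users"))
    set_all(cfg, "admin_users", "root")  # wizard default answer [n]: s3 keeps its own list
    print("port 3 admin_users after all.admin_users rewrite:", effective(cfg, 3, "admin_users"))
```

Run `overrides()` for every sniffing-related parameter (admin_users, escape_char, multiple_sessions) after each wizard session; a port-specific admin_users that survived a "[n]" answer is exactly the kind of leftover that is invisible in the all.* summary screens.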
Screen 9: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** (Note: If you are NOT connected to this unit through a console, and you have just reconfigured the IP of this unit, activating the new configurations may cause you to lose connection.
CLI Method To configure line parameters for a specific serial port: Step 1: At the command prompt, type in the appropriate command to configure desired parameters. To activate the serial port.
Tip. You can configure all the parameters for a serial port in one line: config configure line tty speed datasize stopbits parity flow dcd dtr_reset sttycmd Step 2: Activate and Save. To activate your new configurations and save them to flash, type: config write (This is essentially typing signal_ras hup and saveconf from the normal terminal prompt.)
Screen 6: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Current configuration: (The ones with the '#' means it's not activated.) all.speed : 9600 all.datasize : 8 all.stopbits : 1 all.parity : none all.flow : none all.
Screen 7: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** You have 8 available ports on this system. Type 'q' to quit, a valid port number[1-8], or anything else to refresh : Note: The number of available ports depends on the system you are on.
Screen 9: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time, which makes updating it easier. If you choose to save to flash, your configurations thus far will still be in the memory of the system even after you reboot it.
To configure parity: config configure line parity To configure flow: config configure line flow To configure dcd: config configure line dcd Tip. You can configure all the parameters for a serial port in one line: config configure line tty speed datasize stopbits parity flow dcd Step 2: Activate and Save.
CLI Method To configure line parameters for a specific serial port: Step 1: At the command prompt, type in the appropriate command to configure desired parameters. To activate the serial port.
Session Sniffing Versions 2.1.0 and later You can open more than one regular session and sniff session at the same port. For this purpose, the following configuration items are available in the file pslave.conf: • all.multiple_sessions: If it is configured as no, only two users can connect to the same port simultaneously. If it is configured as yes, more than two simultaneous users can connect to the same serial port.
Session Sniffing * * * * ttySN is being used by () !!! * 1 - Initiate a regular session 2 - Initiate a sniff session 3 - Send messages to another user 4 - Kill session(s) 5 - Quit Enter your option: —————————————————————————————————— If the user selects 1 - Initiate a regular session, s/he will share that serial port with the users that were previously connected. S/he will read everything that is received by the serial port, and will also be able to write to it.
Only for the administrator users: Typing all.escape_char or sN.escape_char from the sniff session or "send message mode" will make the BLACK BOX ® Advanced Console Server show the previous menu. The first regular session will not be allowed to return to the menu. If you kill all regular sessions using option 4, your session is started as a regular session automatically. Parameters Involved and Passed Values Sniffing involves the following parameters: all.
all.multiple_sessions If it is configured as no, only two users can connect to the same port simultaneously. If it is configured as yes, more than two simultaneous users can connect to the same serial port. A "Sniffer menu" will be presented to the user and they can choose either to open a sniff session; to open a read and/or write session; to cancel a connection; or to send a message to other users connected to the same serial port.
Step 5: Scroll down to the Sniff Session section. You can configure the appropriate values here. Figure 26: Sniff Session section of the Serial Port Configuration page Step 6: Click on the Submit button. Step 7: Make the changes effective. Click on the Administration > Run Configuration link, check the Serial Ports/Ethernet/Static Routes box and click on the Activate Configuration button. Step 8: Click on the link Administration > Load/Save Configuration.
Screen 1: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** INSTRUCTIONS for using the Wizard: You can: 1) Enter the appropriate information for your system and press ENTER.
Screen 3: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** ALL.ADMIN_USERS - This parameter determines which users can open a sniff session, which is where other users connected to the very same port can see everything that the first user is doing. Note: a sniff session shows every byte the first user exchanges with the attached device, including anything typed at it, so keep all.admin_users (and any sN.admin_users) to the operators who need that ability.
Screen 4: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** ALL.ESCAPE_CHAR - This parameter determines which character must be typed to make the session enter into "menu mode." The possible values are to , and this is only valid when the port protocol is socket_server or socket_ssh. Represent the CTRL character with '^'. Default value is ^z. all.
If you type 'N' Type 'c' to go back and CORRECT these parameters or 'q' to QUIT : Typing 'c' repeats the application, typing 'q' exits the entire wiz application If you type 'Y' Discard previous port-specific parameters? (y/n) [n] : Note: Answering yes to this question will discard only the parameter(s) which you are currently configuring if they were configured for a specific port in a previous session. For instance, if you are currently configuring parameter, all.
Screen 7: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** (Note: If you are NOT connected to this unit through a console, and you have just reconfigured the IP of this unit, activating the new configurations may cause you to lose connection.
CLI Method To configure certain parameters for a specific serial port: Step 1: At the command prompt, type in the appropriate command to configure desired parameters. To activate the serial port.
SNMP Short for Simple Network Management Protocol: a set of protocols for managing complex networks. The first versions of SNMP were developed in the early 80s. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. The BLACK BOX ® Advanced Console Server uses the net-snmp package (http://www.net-snmp.org).
You can configure the /etc/snmp/snmpd.conf file as indicated later in this section. 1. SNMP version 1 • RFC1155 - SMI for the official MIB tree • RFC1213 - MIB-II 2. SNMP version 2 • RFC2578 - Structure of Management Information Version 2 (SMIv2) • RFC2579 - Textual Conventions for SMIv2 • RFC2580 - Conformance Statements for SMIv2 3.
• Black Box LS1032A-xx Remote Management Object Tree (blackbox.4). This MIB permits you to get information about the product, to read/write some configuration items and to run some administration commands. (For more details see the blackbox.mib file.) Note: SNMP v1 and v2c authenticate only with a community string that travels in cleartext, and this MIB allows writes and administrative commands, so set a non-default community and restrict the source addresses allowed in snmpd.conf before enabling the agent. Configuration for CAS, TS, and Dial-in Access vi Method Files to be changed: /etc/snmp/snmpd.conf This file has information about configuring for SNMP. Browser Method To configure SNMP with your browser: Step 1: Point your browser to the Console Server.
Syslog The syslog-ng daemon provides a modern treatment of system messages. Its basic function is to read and log messages to the system console, log files, other machines (remote syslog servers) and/or users as specified by its configuration file. In addition, syslog-ng is able to filter messages based on their content and to perform an action (e.g. to send an e-mail or pager message). In order to access these functions, the syslog-ng.
Syslog Port Slave Parameters Involved with syslog-ng conf.facility This value (0-7) is the Local facility sent to syslog-ng from PortSlave. conf.DB_facility This value (0-7) is the Local facility sent to syslog-ng with data when syslog_buffering and/or alarm is active. When nonzero, the contents of the data buffer are sent to syslog-ng every time a quantity of data equal to this parameter is collected.
Step 3: Click Syslog on the Configuration section. Select the Syslog link. The following page will appear, giving information for configuring syslog: Figure 27: Syslog page 1 Step 4: Edit the configuration file and click on the Submit button Step 5: Make changes effective. Click on the Administration > Run Configuration link. Check the Syslog-ng box and click on the Activate Configuration button.
Screen 1 will appear. Screen 1: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** INSTRUCTIONS for using the Wizard: You can: 1) Enter the appropriate information for your system and press ENTER.
Screen 3: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** CONF.FACILITY - This value (0-7) is the Local facility sent to the syslog. The file /etc/syslog-ng/syslog-ng.conf contains a mapping between the facility number and the action.
Screen 4: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Current configuration: (The ones with the '#' means it's not activated.) conf.facility : 7 conf.
Screen 6: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time, which makes updating it easier.
Tip. You can configure all the conf parameters in one line. config configure conf facility dbfacility Step 2: Activate and Save. To activate your new configurations and save them to flash, type: config write (This is essentially typing signal_ras hup and saveconf from the normal terminal prompt.) The Syslog Functions This section shows the characteristics of the syslog-ng that is implemented for all members of the BLACK BOX ® Advanced Console Server.
time_reopen(n) The time to wait before a dead connection is reestablished. time_reap(n) The time to wait before an idle destination file is closed. sync_freq(n) The number of lines buffered before being written to file. (The file is synced when this number of messages has been written to it.) mark_freq(n) The number of seconds between two MARK lines. log_fifo_size(n) The number of lines fitting in the output queue.
Task 2: Define sources. To define sources use this statement: source { source-driver([params]); source-driver([params]); ...}; where: identifier Has to uniquely identify this given source. source-driver Is a method of getting a given message. params Each source-driver may take parameters. Some of them are required, some of them are optional. The following source-drivers are available: a) internal() Messages are generated internally in syslog-ng.
c) tcp([options]) and udp([options]) These drivers let you receive messages from the network and, as the names of the drivers show, you can use both TCP and UDP. Neither the tcp() nor the udp() driver requires positional parameters. By default they bind to 0.0.0.0:514, which means that syslog-ng listens on all available interfaces and accepts messages from any host that can reach the unit; bind to a single address with ip() and filter the sending hosts at the network level where the syslog input is not meant to be public. Options: ip() - The IP address to bind to. Default: 0.0.0.0. port() - UDP/TCP port used to listen for messages. Default: 514.
Example to bind a UDP listener to the local address 10.0.0.1 on port 999 (ip() selects the local address syslog-ng listens on; it does not restrict which clients may send): source s_udp_10 { udp(ip(10.0.0.1) port(999)); }; Task 3: Define filters. To define filters use this statement: filter { expression; }; where: identifier Has to uniquely identify this given filter. expression Boolean expression using internal functions, which has to evaluate to true for the message to pass.
Examples: filter f_daemon { facility(daemon); }; filter f_kern { facility(kern); }; filter f_debug { not facility(auth, authpriv, news, mail); }; 2) To filter by level: filter f_level { level();}; Examples: filter f_messages { level(info ..
5) To eliminate sshd debug messages: filter f_sshd_debug { not program('sshd') or not level(debug); }; 6) To filter the syslog_buffering: filter f_syslog_buf { facility(local[0+]) and level(notice); }; Task 4: Define Actions. To define actions use this statement (note that the statement should be one line): destination { destination-driver([params]); destination-driver([param]); ..}; where: identifier Has to uniquely identify this given destination.
Available macros in filename expansion: HOST - The name of the source host where the message originated from. FACILITY - The name of the facility the message is tagged as coming from. PRIORITY or LEVEL - The priority of the message. PROGRAM - The name of the program the message was sent by. YEAR, MONTH, DAY, HOUR, MIN, SEC - The year, month, day, hour, minute and second at which the message was sent. TAG - Equals FACILITY/LEVEL.
f) program() This driver forks, executes the given program with the arguments and sends messages down to the stdin of the child. Some Examples of Defining Actions 1) To send e-mail: destination { pipe(‘/dev/cyc_alarm’ template(‘sendmail ’));}; where ident: uniquely identifies this destination.
$HOST The name of the source host. $FULLHOST The name of the source host and the source driver. Format: @ $MSG or $MESSAGE The message received. Example to send e-mail to z@none.com (SMTP server's IP address 10.0.0.2) from the e-mail address a@none.com with subject “BLACK BOX ® Advanced Console Server-ALARM”. The message will carry the current date, the host-name of this BLACK BOX ® Advanced Console Server and the message that was received from the source.
destination d_pager { pipe(‘/dev/cyc_alarm’ template(‘sendsms -d 123 -m \’$FULLDATE $HOST $MSG\’ 10.0.0.1’)); }; 3) To send an snmptrap: destination {pipe(‘/dev/cyc_alarm’ template(‘snmptrap ’)); }; where ident : uniquely identifies this destination pars : -v 1 public : community (sent in cleartext in an SNMPv1 trap; replace the example value public with the community your trap receiver expects) \"\" : enterprise-oid \"\" : agent/hostname : 2-Link Down, 3-Link Up, 4-Authentication Failure 0 : specific trap \"\" : host-uptime .1.3.6.1.2.1.2.2.1.2.1 :interfaces.iftable.
template("snmptrap -v 1 -c public 10.0.0.1 \"\" \"\" 2 0 \"\" \ .1.3.6.1.2.1.2.2.1.2.
destination(D1); destination(D2);... }; where : Sx Identifier of the sources defined before. Fx Identifier of the filters defined before. Dx Identifier of the actions/destinations defined before.
log { source(sysl); source(s_udp); filter(f_kern); destination(dudp1); }; Syslog-ng Configuration to use with Syslog Buffering Feature This configuration example uses the syslog buffering feature and sends messages to the remote syslogd (10.0.0.1). Step 1: Configure pslave.conf parameters. In the pslave.conf file the parameters of the syslog buffering feature are configured as: conf.DB_facility 1 all.syslog_buffering 100 Step 2: Add lines to syslog-ng.conf.
source src { unix-stream("/dev/log"); };
# remote server 1 - IP address 10.0.0.1 port default
destination d_udp1 { udp("10.0.0.1"); };
# remote server 2 - IP address 10.0.0.2 port 1999
destination d_udp2 { udp("10.0.0.2" port(1999)); };
# filter messages from facility local1 and level info to warning
filter f_local1 { facility(local1) and level(info..warn); };
# filter messages from facility local1 and level err to alert
filter f_critic { facility(local1) and level(err ..
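To see what the filters above actually select, here is a Python script, added as an example (it is not part of the unit's syslog-ng setup), that decodes the PRI of BSD-syslog lines into facility and level, implements f_local1, f_critic and f_sshd_debug as written on this page, and routes four constructed sample lines. The mapping conf.DB_facility 1 = local1 follows the page; the pairing of f_local1 with d_udp1 and f_critic with d_udp2, and the sample lines themselves, are assumptions, since the page's log statements are cut off.

```python
"""Decode BSD-syslog PRI values and apply the page's syslog-ng filters.

Added example, not code from the console server or from syslog-ng. The sample
lines and the filter-to-destination wiring are constructed for illustration."""
import re

# Facility codes 0-23 as numbered in the BSD syslog protocol; local0-7 are 16-23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
# Severity codes 0-7; syslog-ng accepts "warn" as an alias of "warning".
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# <PRI>Mmm dd hh:mm:ss host tag[pid]: text   (BSD / RFC 3164 layout)
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: ?(?P<text>.*)$")


def pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. pri('local1', 'notice') == 141."""
    sev = _ALIASES.get(severity, severity)
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(sev)


def local_facility(n):
    """conf.facility / conf.DB_facility value n (0-7) names syslog facility localN."""
    if not 0 <= n <= 7:
        raise ValueError("local facility must be 0-7")
    return "local%d" % n


def parse_line(raw):
    """Split a BSD-syslog line into fields; returns None for lines that do not parse."""
    m = _LINE_RE.match(raw)
    if m is None:
        return None
    code = int(m["pri"])
    if code > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return {"facility": FACILITIES[code // 8], "severity": SEVERITIES[code % 8],
            "host": m["host"], "program": m["prog"], "text": m["text"]}


def level_in(msg, low, high):
    """syslog-ng level(low..high): inclusive, whichever bound is the more severe one."""
    codes = sorted(SEVERITIES.index(_ALIASES.get(x, x)) for x in (low, high))
    return codes[0] <= SEVERITIES.index(msg["severity"]) <= codes[1]


# The three filters exactly as written on the page.
def f_local1(msg):      # facility(local1) and level(info..warn)
    return msg["facility"] == "local1" and level_in(msg, "info", "warn")


def f_critic(msg):      # facility(local1) and level(err..alert)
    return msg["facility"] == "local1" and level_in(msg, "err", "alert")


def f_sshd_debug(msg):  # not program('sshd') or not level(debug)
    return msg["program"] != "sshd" or msg["severity"] != "debug"


def route(lines):
    """Assumed log{} wiring: f_local1 -> d_udp1, f_critic -> d_udp2, and f_sshd_debug
    drops sshd debug chatter everywhere. Unparseable lines are counted as dropped."""
    out = {"d_udp1": [], "d_udp2": [], "dropped": 0}
    for raw in lines:
        msg = parse_line(raw)
        if msg is None or not f_sshd_debug(msg):
            out["dropped"] += 1
            continue
        if f_local1(msg):
            out["d_udp1"].append(msg)
        if f_critic(msg):
            out["d_udp2"].append(msg)
    return out


# Constructed sample: PortSlave buffer data on local1 (conf.DB_facility 1) plus sshd noise.
SAMPLE_LINES = [
    "<141>Sep  5 12:34:56 lsbox portslave: ttyS2: login: root",                        # local1.notice
    "<139>Sep  5 12:35:01 lsbox portslave: ttyS2: Kernel panic - not syncing",         # local1.err
    "<47>Sep  5 12:35:10 lsbox sshd[412]: debug1: Trying private key",                 # syslog.debug
    "<38>Sep  5 12:35:11 lsbox sshd[412]: Accepted publickey for oper from 10.0.0.5",  # auth.info
]

if __name__ == "__main__":
    r = route(SAMPLE_LINES)
    print("d_udp1:", [m["text"] for m in r["d_udp1"]])
    print("d_udp2:", [m["text"] for m in r["d_udp2"]])
    print("dropped:", r["dropped"])
```

Note that level(info..warn) is inclusive in both directions and includes notice, so every buffered console line at notice reaches d_udp1 while only err and above reaches d_udp2; keep the two ranges adjacent when you edit them or a level falls through both filters unlogged.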
Terminal Appearance You can change the format of the login prompt and banner that is issued when a connection is made to the system. Prompt and banner appearance can be port-specific as well. Parameters Involved and Passed Values Terminal Appearance involves the following parameters: all.prompt This text defines the format of the login prompt. Expansion characters can be used here. Example value: %h login: all.
Terminal Appearance all.auto_answer_output This parameter is used in conjunction with the previous parameter, auto_answer_input. If configured, and if there is no session established to the port, this parameter is sent back to the server when there is a match between the incoming data and auto_answer_input. Because the reply is sent while no user is logged in to the port, do not place credentials in it. To represent the ESC character as part of this string, use the control character ^[. Configuration for CAS, TS, and Dial-in Access Browser Method Step 1: Point your browser to the Console Server.
Step 8: Click on the link Administration > Load/Save Configuration. Step 9: Click the Save Configuration to Flash button. The configuration is saved in flash. Wizard Method Step 1: Bring up the wizard. At the command prompt, type the following to bring up the Terminal Appearance custom wizard: wiz --tl Screen 1 will appear.
Press ENTER to continue... Screen 2: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Current configuration: (The ones with the '#' means it's not activated.) all.issue : \r\n\Welcome to terminal server %h port S%p \n\ \r\n\ all.prompt : %h login: all.lf_suppress : 0 all.auto_answer_input : # all.
Screen 4: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** ALL.LF_SUPPRESS - This activates line feed suppression. When configured as 0, line feed suppression will not be performed. When 1, extra line feeds will be suppressed. all.lf_suppress[0] : ALL.
all.auto_answer_output[#] : Screen 6: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Current configuration: (The ones with the '#' means it's not activated.) all.issue : \r\n\Welcome to terminal server %h port S%p \n\ \r\n\ all.prompt : %h login: all.lf_suppress : 0 all.auto_answer_input : # all.
Screen 7: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** You have 8 available ports on this system.
far will still be in the memory of the system even after you reboot it. If you don't save to flash and if you were to reboot the system, all your new configurations will be lost and you will have to reconfigure the system. Do you want to save your configurations to flash? (y/n) [n] : CLI Method To configure certain parameters for a specific serial port: Step 1: At the command prompt, type in the appropriate command to configure desired parameters. To activate the serial port.
Tip. You can configure all the parameters for a serial port in one line. config configure line tty issue prompt lf auto_input auto_output Step 2: Activate and Save. To activate your new configurations and save them to flash, type: config write (This is essentially typing signal_ras hup and saveconf from the normal terminal prompt.)
Time Zone The content of the file /etc/TIMEZONE can be in one of two formats. The first format is used when there is no daylight savings time in the local time zone: std offset The std string specifies the name of the time zone and must be three or more alphabetic characters. The offset string immediately follows std and specifies the time value to be added to the local time to get Coordinated Universal Time (UTC).
The DST rules use the POSIX form Mm.w.d[/time], where m is the month (1-12), w the week of the month (1-5, with 5 meaning the last one) and d the day of the week (0 = Sunday), and the rule fields are separated by commas. In the example below: GST+7DST+6,M4.1.0/14:30,M10.5.6/10 Daylight Savings Time starts on the first Sunday of April at 2:30 p.m. and ends on the last Saturday of October at 10:00 a.m. How to set Date and Time The date command prints or sets the system date and time.
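The following Python parser, added here as an example (it is not code from the unit), reads a /etc/TIMEZONE string in the POSIX form std offset[dst[offset],start[/time],end[/time]] and computes the local DST start and end instants for a given year. It handles both cases described here, the zone with no DST and the Mm.w.d[/time] rule with week 5 meaning the last occurrence, and it deliberately rejects a DST name given without transition rules instead of silently applying default rules. Checking the computed dates against what the administrator intended is the practical test for a hand-written TIMEZONE entry, because a wrong rule shifts every timestamp the unit logs and sends to syslog for part of the year.

```python
"""Parse a POSIX TZ string of the kind stored in /etc/TIMEZONE and compute
the daylight-saving transitions for a year. Added example; not code from the
console server. Only the Mm.w.d[/time] transition rule is supported."""
import re
from datetime import date, datetime, timedelta

# [+-]h[h][:mm[:ss]]: the amount added to local time to obtain UTC
_OFFSET = r"[+-]?\d{1,2}(?::\d{2}(?::\d{2})?)?"
_TZ_RE = re.compile(
    r"^(?P<std>[A-Za-z]{3,})(?P<stdoff>" + _OFFSET + r")"
    r"(?:(?P<dst>[A-Za-z]{3,})(?P<dstoff>" + _OFFSET + r")?"
    r"(?:,(?P<start>[^,]+),(?P<end>[^,]+))?)?$"
)
# Mm.w.d[/time]: month m (1-12), week w (1-5, 5 = last), weekday d (0 = Sunday)
_RULE_RE = re.compile(
    r"^M(?P<m>\d{1,2})\.(?P<w>[1-5])\.(?P<d>[0-6])(?:/(?P<t>\d{1,2}(?::\d{2}){0,2}))?$"
)


def _duration(text):
    """'+7' -> 7h, '-3:30' -> -3h30m, '14:30' -> 14h30m (missing fields are zero)."""
    sign = -1 if text.startswith("-") else 1
    parts = [int(p) for p in text.lstrip("+-").split(":")]
    parts += [0] * (3 - len(parts))
    return sign * timedelta(hours=parts[0], minutes=parts[1], seconds=parts[2])


def parse_timezone(spec):
    """Split a TZ spec into its fields; ValueError on anything the grammar rejects."""
    m = _TZ_RE.match(spec.strip())
    if m is None:
        raise ValueError("malformed TZ specification: %r" % spec)
    std_off = _duration(m["stdoff"])
    dst_off = None
    if m["dst"] is not None:
        # POSIX default when the DST offset is omitted: one hour ahead of standard time
        dst_off = _duration(m["dstoff"]) if m["dstoff"] else std_off - timedelta(hours=1)
    return {"std": m["std"], "std_offset": std_off, "dst": m["dst"],
            "dst_offset": dst_off, "start": m["start"], "end": m["end"]}


def _nth_weekday(year, month, week, posix_wday):
    """Date of the week-th posix_wday (0 = Sunday) in month; week 5 means the last one."""
    py_wday = (posix_wday + 6) % 7  # POSIX Sunday=0..Saturday=6 -> Python Monday=0..Sunday=6
    first = date(year, month, 1)
    day = first + timedelta(days=(py_wday - first.weekday()) % 7 + 7 * (week - 1))
    while day.month != month:  # a fifth occurrence may not exist: step back to the last one
        day -= timedelta(days=7)
    return day


def transition_time(rule, year):
    """Local wall-clock datetime at which an Mm.w.d[/time] rule fires in `year` (default 02:00)."""
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported transition rule: %r" % rule)
    day = _nth_weekday(year, int(m["m"]), int(m["w"]), int(m["d"]))
    return datetime(day.year, day.month, day.day) + _duration(m["t"] or "2")


def dst_transitions(spec, year):
    """(DST start, DST end) as local datetimes, or None when the zone has no DST."""
    tz = parse_timezone(spec)
    if tz["dst"] is None:
        return None
    if tz["start"] is None:
        raise ValueError("DST name given without transition rules: %r" % spec)
    return transition_time(tz["start"], year), transition_time(tz["end"], year)


if __name__ == "__main__":
    # The page's example zone: first Sunday of April 14:30 to last Saturday of October 10:00
    start, end = dst_transitions("GST+7DST+6,M4.1.0/14:30,M10.5.6/10", 2003)
    print("DST starts", start, "and ends", end)
```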
Appendix A - New User Background Information Users and Passwords A username and password are necessary to log in to the BLACK BOX ® Advanced Console Server. The user root is predefined, with the password tslinux. Because this default is published, set a new root password before the unit is reachable over the network, to avoid unauthorized access. Type the command: passwd to set a password for the root user.
Linux File Structure The Linux file system is organized hierarchically, with the base (or root) directory represented by the symbol “/”. All folders and files are nested within each other below this base directory. The directories located just below the base directory are: /home Contains the work directories of system users. /bin Contains essential commands and utilities, including those used during system initialization. /dev Contains files for devices and ports.
Basic File Manipulation Commands The basic file manipulation commands allow the user to copy, delete, and move files and create and delete directories. cp file_name destination a) cp text.txt /tmp b) cp /chap/robo.php ./excess.php Copies the file indicated by file_name to the path indicated by destination. a) Copies the file text.txt in the current directory to the tmp directory. b) Copies the file robo.
Shortcuts: . (one dot) Represents the current directory. .. (two dots) Represents one directory above the current directory (i.e. one directory closer to the base directory). The vi Editor To edit a file using the vi editor, type: vi file_name Vi is a modal editor with three modes: a command mode, a line mode and an editing mode. If in doubt as to which mode you are in, press the Esc key, which will bring you to the command mode.
Table 15: vi navigation commands h Moves the cursor to the left (left arrow). j Moves the cursor to the next line (down arrow). k Moves the cursor to the previous line (up arrow). l Moves the cursor to the right (right arrow).
The Routing Table The BLACK BOX ® Advanced Console Server has a static routing table that can be seen using the commands: route or netstat -rn The file /etc/network/st_routes is the BLACK BOX ® Advanced Console Server’s method for configuring static routes.
Secure Shell Session Ssh is a command interface and protocol often used by network administrators to connect securely to a remote computer. Ssh replaces its insecure counterparts rsh and rlogin. There are two versions of the protocol, ssh (version 1) and ssh2 (version 2). The BLACK BOX ® Advanced Console Server offers both; protocol version 1 has known cryptographic weaknesses, so use ssh2 wherever the client supports it.
ssh -t -l mycompany:10.0.0.116-port ssh -t -l mycompany:7001 16-port For openssh clients, version 3.1p1 or later ssh2 is the default. In that case, the -1 flag is used for ssh1. ssh -t mycompany:7001@16-port (openssh earlier than 3.1p1 - Advanced Secure Console Port Server ssh -t -2 mycompany:7001@16-port (openssh earlier than 3.1p1 - BLACK BOX ® Advanced Console Server ssh -t mycompany:7001@16-port (openssh 3.
UsePrivilegedPort yes • One of these: hostname or ipaddress in /etc/hosts.equiv or /etc/ssh/shosts.equiv hostname or ipaddress and username in ~/.rhosts or ~/.shosts and IgnoreRhosts no in sshd_config • Client start-up command: ssh -t (if the ssh client is running under a session belonging to a username present both in the workstation’s database and the BLACK BOX ® Advanced Console Server’s database). Note: this method trusts the client host’s claimed identity, so anyone who controls or spoofs a trusted host gets in; prefer the RSA key method in Step 3.
cat /tmp/known_hosts >> /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts • client start-up command: ssh -t Note: “client_hostname” should be the DNS name. To access the serial port, the BLACK BOX ® Advanced Console Server must be configured for local authentication. Do not use root as the username. Step 3: Only RSAAuthentication yes in sshd_config.
Note: All files “~/*” or “~/.ssh/*” must be owned by the user and must not be readable or writable by other users. All files created or updated must have their full path and file name listed in the file config_files, and the command saveconf must be executed before rebooting the BLACK BOX ® Advanced Console Server. The Process Table The process table shows which processes are running. Type ps -a to see a table similar to that below.
TS Menu Script The ts_menu script can be used to avoid typing long telnet or ssh commands. It presents a short menu with the names of the servers connected to the serial ports of the BLACK BOX ® Advanced Console Server. The server is selected by its corresponding number. ts_menu must be executed from a local session: via console, telnet, ssh, dumb terminal connected to a serial port, etc.
accessed. This is used when there is clustering (one BLACK BOX ® Advanced Console Server master box and one or more BLACK BOX ® Advanced Console Server slave boxes).
1 192.168.1.101 2 192.168.1.102 3 192.168.1.103 4 192.168.1.104 5 192.168.1.105 6 192.168.1.106 Type 'q' to quit, a valid option [1-6], or anything else to refresh : -u : Username to be used in the ssh/telnet command. The default username is that used to log onto the BLACK BOX ® Advanced Console Server. -h : Lists script options.
Appendix B - Cabling, Hardware, and Electrical Specifications General Hardware Specifications The power requirements, environmental conditions and physical specifications of the BLACK BOX ® Advanced Console Server are listed below.
Table 22: BLACK BOX ® Advanced Console Server physical conditions. LS1016A: external dimensions 17 in. x 8.5 in. x 1.75 in., weight 6 lb. LS1032A: external dimensions 17 in. x 8.5 in. x 1.75 in., weight 6.2 lb.
Rear Panel LEDs The Advanced Secure Console Port Server rear panel has connectors (serial, console and Ethernet) with LEDs that have the following functions: Ethernet Connector Col (collision) Shows a collision on the LAN every time the unit tries to transmit an Ethernet packet. DT/LK (data transaction / link state) DT flashes when data is transmitted to or received from the LAN. It is hardware-controlled. LK stays steady if the LAN is active.
The RS-232 Standard RS-232C, EIA RS-232, or simply RS-232 refer to a standard defined by the Electronic Industries Association in 1969 for serial communication. More than 30 years later, more applications have been found for this standard than its creators could have imagined. Almost all electronic devices nowadays have serial communication ports.
transmission speeds range between 9,600 bps and 19,200 bps (used in most automation and console applications) to 115,200 bps (used by the fastest modems). Cable Length The original RS-232 specifications were defined to work at a maximum speed of 19,200 bps over distances up to 15 meters (or about 50 feet). That was 30 years ago. Today, RS-232 interfaces can drive signals faster and through longer cables.
Connectors The connector traditionally used with RS-232 is the 25-pin D-shaped connector (DB-25). Most analog modems and most older computers and serial equipment use this connector. The RS-232 interface on a DB-25 connector always uses the same standard pin assignment. The 9-pin D-shaped connector (DB-9) saves some space and is also used for RS-232. Most new PC COM ports and serial equipment (especially when compact size is important) use this connector.
Straight-Through vs. Crossover Cables The RS-232 interface was originally intended to connect a DTE (computer, printer and other serial devices) to a DCE (modem) using a straight-through cable (all signals on one side connecting to the corresponding signals on the other side one-to-one). By using some “cabling tricks,” we can use RS-232 to connect two DTEs, as is the case in most modern applications. A crossover (a.k.a.
Table 25: Which cable to use. To connect to: DTE RJ-45 Black Box (custom), e.g. all Black Box console ports. Use cable: Cable 2: RJ-45 to RJ-45 crossover (custom). A sample is included with the product (“straight-through”). This custom cable can be ordered from Black Box or other cable vendors using the provided wiring diagram. Cable Diagrams Before using the following cable diagrams refer to the tables above to select the correct cable for your application.
Cable #1: Black Box RJ-45 to DB-25 Male, straight-through Application: This cable connects Black Box products (serial ports) to modems and other DCE RS-232 devices. It is included in both Cable Package #1 and #2. Figure 28: Cable 1 - Black Box RJ-45 to DB-25 Male, straight-through Cable #2: Black Box RJ-45 to DB-25 Female/Male, crossover This cable connects Black Box products (serial ports) to console ports, terminals, printers and other DTE RS-232 devices.
Cable #3: Black Box RJ-45 to DB-9 Female, crossover This cable connects Black Box products (serial ports) to console ports, terminals, printers and other DTE RS-232 devices. If you are using Cable Package #1, after connecting the appropriate adapter to the RJ-45 straight-through cable, you will essentially have the cable shown in this picture. If you are using Cable Package #2, no assembly is required. You will have the cable shown below.
Cable #5: Black Box/Sun Netra Cable This adapter attaches to a Cat 3 or Cat 5 network cable. It is usually used in console management applications to connect Black Box products to a Sun Netra server or to a Cisco product. This cable is included in Cable Package #2. Figure 32: Cable 5 - Black Box/Sun Netra Cable Adapters The following four adapters are included in the product box.
Black Box/Sun Netra Adapter This adapter attaches to a Cat 3 or Cat 5 network cable. It is usually used in console management applications to connect Black Box products to a Sun Netra server or to a Cisco product. At one end of the adapter is the black CAT.5e Inline Coupler box with a female RJ-45 terminus, from which a 3-inch-long black Sun Netra-labeled cord extends, terminating in an RJ-45 male connector. This adapter is included in Cable Package #2.
RJ-45 Female to DB-25 Female Adapter The following adapter may be necessary. It is included in Cable Package #1. Figure 36: RJ-45 Female to DB-25 Female Adapter RJ-45 Female to DB-9 Female Adapter The following adapter may be necessary. This is included in Cable Package #1.
Appendix C - The pslave Configuration File

Introduction
This chapter begins with a table containing parameters common to all profiles, followed by tables with parameters specific to a certain profile. You can find samples of the pslave configuration files (pslave.conf, .cas, .ts, and .ras) in the /etc/portslave directory in the BLACK BOX ® Advanced Console Server box.
Table 26: Parameters Common to CAS, TS, & Dial-in Access

Parameter: conf.facility
Description: The local facility sent to syslog-ng from PortSlave.
Value for this Example: 1-7

Parameter: conf.group
Description: Used to group users to simplify the configuration of the parameter all.users later on. This parameter can be used to define more than one group.
Value for this Example: group_name: user1, user2

Parameter: conf.eth_ip
Description: Configured in Task 4: Edit the pslave.

Parameter: all.dcd
Description: DCD signal (sets the tty parameter CLOCAL). Valid values are 0 or 1. If all.dcd=0, a connection request will be accepted regardless of the DCD signal and the connection will not be closed if the DCD signal is set to DOWN. If all.

Parameter: all.issue
Description: This text determines the format of the login banner that is issued when a connection is made to the BLACK BOX ® Advanced Console Server. \n represents a new line and \r represents a carriage return. Expansion characters can be used here.
Value for this Example: See Description column
\r\n\
Welcome to terminal server %h port S%p \r\n\
all.

Parameter: all.syswtmp
Description: It defines whether portslave must write login records.
Value for this Example: yes/no

Parameter: all.sttyCmd
Description: The TTY is programmed to work as configured and this user-specific configuration is applied over that serial port. Parameters must be separated by a space.

Parameter: all.utmpfrom
Description: It allows the administrator to customize the field "FROM" in the login records (utmp file). It is displayed in the "w" command.
Value for this Example: See Description column. Ex: "%g:%P.%3.%4"
  %g : process id
  %P : Protocol
  %3 : Third nibble of remote IP
  %J : Remote IP
Note: In the pslave.conf file there is a list of all expansion variables available.
all.

Parameter: all.accthost1
Description: This address indicates the location of the Radius/TacacsPlus accounting server, which can be used to track how long users are connected after being authorized by the authentication server. Its use is optional. If this parameter is not used, accounting will not be performed.

Parameter: all.authtype
Description: Configured in Task 4: Edit the pslave.conf file in Chapter 2 - Installation, Configuration, and Usage. Type of authentication used. There are several authentication type options:
• none (no authentication)
• local (authentication is performed using the /etc/passwd file)
• remote (This is for a terminal profile only.
• local/radius (authentication is performed locally first, switching to Radius if unsuccessful)
• radius/local (the opposite of the previous option)
• local/TacacsPlus (authentication is performed locally first, switching to TacacsPlus if unsuccessful)
• TacacsPlus/local (the opposite of the previous option)
• RadiusDownLocal (local authentication is tried only when the Radius

Parameter: all.radretries
Description: Defines the number of times each Radius/TacacsPlus server is tried before another is contacted. The default, if not configured, is 5.
Value for this Example: 5

Parameter: all.secret
Description: This is the shared secret necessary for communication between the BLACK BOX ® Advanced Console Server and the Radius/TacacsPlus servers.
Value for this Example: secret
all.
CAS Parameters
You can configure additional CAS features with the parameters given in the following tables. (The is used as an example in some parameters.) In addition to the above parameters, which are common to all local and remote access scenarios, you can also configure the following parameters for additional options. Many of the parameters are unique to CAS, but some also apply to TS and Dial-in port profiles. This is indicated in these instances.
Table 27: Mostly CAS-specific Parameters

Parameter: conf.nat_clustering_ip
Description: IP address of any BLACK BOX ® Advanced Console Server interface (master box). It is a public IP address (e.g. the Ethernet interface's IP address) and it is the one that must be used to connect to the slave's serial ports. You can use the same value assigned to the Ethernet's IP address as that of the master box in the chain.
Value for this Example: 64.186.161.10 8
all.

Parameter: all.lf_suppress
Description: This can be useful because telneting (from DOS) from some OS such as Windows 98 produces an extra line feed, so two prompts appear whenever you press Enter. When set to 1, line feed suppression is active, which will eliminate the extra prompt. When set to 0 (default), line feed suppression is not active.
Value for this Example: 0
all.

Parameter: all.auto_answer_output
Description: This parameter works in conjunction with all.auto_answer_input. It allows you to configure a string that is sent back to the remote server whenever the incoming data from the remote server matches all.auto_answer_input. This parameter works only when there is no session to the port.

Parameter: all.socket_port
Description: In the CAS profile, this defines an alternative labeling system for the BLACK BOX ® Advanced Console Server ports. The “+” after the numerical value causes the serial interfaces to be numbered consecutively. In this example, serial interface 1 is assigned the port value 7001, serial interface 2 is assigned the port value 7002, etc.

Parameter: all.data_buffering
Description: A non-zero value activates data buffering (local or remote, according to what was configured in the parameter conf.nfs_data_buffering; see Data Buffering in Chapter 3). If local data buffering, a file is created on the BLACK BOX ® Advanced Console Server; if remote, a file is created through NFS in a remote server. All data received from the port is captured in this file.

Parameter: all.DB_mode
Description: When configured as cir for circular format, the buffer works like a revolving file at all times. The file is overwritten whenever the limit of the buffer size (as configured in all.data_buffering or s.data_buffering) is reached.

Parameter: all.syslog_buffering
Description: When non-zero, the contents of the data buffer are sent to syslog-ng every time a quantity of data equal to this parameter is collected. The syslog level for data buffering is hard coded to level 5 (notice) and facility local[0+conf.DB_facility]. The file /etc/syslog-ng/syslog-ng.conf should be set accordingly for syslog-ng to take some action.

Parameter: all.alarm
Description: When non-zero, all data received from the port are captured and sent to syslog-ng with level INFO and facility local[0+conf.DB_facility]. The syslog-ng.conf file should be set accordingly for syslog-ng to take some action (please see Generating Alarms in Chapter 3, Additional Features, for the syslog-ng configuration file).
Value for this Example: 0
all.

Parameter: all.multiple_sessions
Description: Allows users to open more than one common and sniff session on the same port. The options are “yes,” “no,” “RW_session,” or “sniff_session.” Default is set to “no.” Please see Session Sniffing in Chapter 3 for details.
Value for this Example: no

Parameter: all.escape_char
Description: This parameter determines which character must be typed to make the session enter “menu mode”.

Parameter: s1.pool_socket_port
Description: In the CAS profile, this defines an alternative labeling system for the BLACK BOX ® Advanced Console Server pool of ports. In this example, serial interface 1 is assigned to the pool identified by port value 3001. Using s.pool_socket_port one can assign each serial interface to a different pool of ports.
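The tables above describe two mechanisms an administrator has to reason about when reviewing a pslave.conf: the way all.* defaults are overridden per port by s<N>.* entries (with the “+” suffix on all.socket_port numbering the interfaces consecutively), and the way all.data_buffering together with all.DB_mode decides what a port's buffer file retains. The following is an added example written for this appendix, not Black Box's portslave code; the parsing rules it assumes are those stated in the tables (all.<name> applies to every port, s<N>.<name> overrides it for port N), the sample configuration is constructed, and its treatment of a non-circular mode as "keep the first bytes up to the limit" is an assumption of the example, not a statement from the manual.

```python
"""Resolve effective per-port settings from a pslave.conf-style file and
show how data_buffering / DB_mode decide what a port's buffer retains.

Added example for this appendix; it is not Black Box's portslave code.
Assumed rules: 'all.<name>' sets a default for every serial port,
's<N>.<name>' overrides it for port N, and a socket_port ending in '+'
is a base that is numbered consecutively per serial interface.
"""
import re

# Constructed sample (not a shipped pslave.conf), using Table 26/27 names.
SAMPLE_CONF = """\
# constructed sample
conf.eth_ip        192.0.2.10
all.protocol       socket_server
all.socket_port    7001+
all.authtype       radius/local
all.data_buffering 0
all.DB_mode        cir
s3.authtype        none
s3.data_buffering  32
s5.socket_port     7100
s5.data_buffering  8
s5.DB_mode         lin
"""


def parse_pslave(text):
    """Split a pslave.conf text into (conf, all_defaults, per_port) dicts."""
    conf, defaults, per_port = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        section, _, name = key.partition(".")
        if section == "conf":
            conf[name] = value
        elif section == "all":
            defaults[name] = value
        else:
            m = re.fullmatch(r"s(\d+)", section)
            if not m:
                raise ValueError(f"unrecognised key {key!r}")
            per_port.setdefault(int(m.group(1)), {})[name] = value
    return conf, defaults, per_port


def resolve_port(port, defaults, per_port):
    """Effective settings for one serial port: sN.* overrides all.*."""
    settings = dict(defaults)
    settings.update(per_port.get(port, {}))
    sp = settings.get("socket_port", "")
    if sp.endswith("+"):      # '7001+' -> 7001 for port 1, 7002 for port 2, ...
        settings["socket_port"] = str(int(sp[:-1]) + port - 1)
    return settings


def ports_without_auth(n_ports, defaults, per_port):
    """Ports whose effective authtype is 'none': each of these serial
    consoles is reachable on its socket_port with no login at all, which
    is the first thing a reviewer of the file wants listed explicitly."""
    return [p for p in range(1, n_ports + 1)
            if resolve_port(p, defaults, per_port).get("authtype") == "none"]


def buffer_contents(settings, received):
    """What the port's data-buffer file holds after `received` bytes arrive.

    data_buffering is the size limit (0 disables buffering).  DB_mode 'cir'
    is the revolving file of Table 27: once the limit is reached the oldest
    data is overwritten, so the newest bytes survive.  Any other mode is
    treated here as linear and assumed to keep the first bytes up to the
    limit (an assumption of this example, not a statement of the manual)."""
    limit = int(settings.get("data_buffering", "0"))
    if limit <= 0:
        return b""
    if settings.get("DB_mode") == "cir":
        return received[-limit:]
    return received[:limit]


if __name__ == "__main__":
    conf, defaults, per_port = parse_pslave(SAMPLE_CONF)
    for p in (1, 2, 3, 5):
        s = resolve_port(p, defaults, per_port)
        print(f"port {p}: socket_port={s['socket_port']} authtype={s['authtype']}")
    print("ports with no authentication:", ports_without_auth(8, defaults, per_port))
    print(buffer_contents(resolve_port(3, defaults, per_port), bytes(range(48, 98))))
```

Run against a real file, the interesting output is the list from ports_without_auth: an all.authtype of radius/local can be silently undone for a single port by one s<N>.authtype line further down the file.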
Table 28: TS Parameters

Parameter: conf.ssh
Description: Location of the ssh utility.
Value for this Example: /bin/ssh

Parameter: conf.locallogins
Description: This parameter is only necessary when authentication is being performed for a port. When set to one, it is possible to log in to the BLACK BOX ® Advanced Console Server directly by placing a “!” before your login name, then using your normal password. This is useful if the Radius authentication server is down.
Value for this Example: 0
all.

Parameter: all.telnet_client_mode
Description: When the protocol is TELNET, this parameter configured as BINARY (1) causes an attempt to negotiate the TELNET BINARY option on both input and output with the Telnet server, so it puts the telnet client in binary mode. The acceptable values are "0" or "1", where "0" is text mode (default) and "1" is binary mode.
s16.

Table 29: Dial-in configuration Parameters

Parameter: all.initchat
Description: Modem initialization string.
Value for this Example:
TIMEOUT 10 "" \d\l\dATZ \
OK\r\n-ATZ-OK\r\n "" \
"" ATMO OK\R\N "" \
TIMEOUT 3600 RING "" \
STATUS Incoming %p:I.HANDSHAKE "" ATA \
TIMEOUT 60 CONNECT@ "" \
STATUS Connected %p:I.HANDSHAKE

Parameter: all.autoppp
Description: PPP options to auto-detect a ppp session.

Parameter: all.pppopt
Description: PPP options when the user has already been authenticated.
Value for this Example:
%i:%j novj \
proxyarp modem asyncmap 000A0000 \
noipx noccp mtu %t mru %t netmask%m \
idle %I maxconnect %T \
plugin /usr/lib/libpsr.so

Parameter: all.protocol
Description: For the Dial-in configuration, the available protocols are PPP, SLIP and CSLIP.
Value for this Example: ppp

Parameter: s32.tty
Description: See the s1.tty entry in the CAS section.
Appendix D - Linux-PAM

Introduction
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users. In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves.
Figure 38: Data flow diagram of Linux-PAM
The left of the figure represents the application: Application X. Such an application interfaces with the Linux-PAM library and knows none of the specifics of its configured authentication method. The Linux-PAM library (in the center) consults the contents of the PAM configuration file and loads the modules that are appropriate for Application X.

The Linux-PAM Configuration File
Linux-PAM is designed to provide the system administrator with a great deal of flexibility in configuring the privilege-granting applications of their system. The local configuration of those aspects of system security controlled by Linux-PAM is contained in one of two places: either the single system file /etc/pam.conf or the /etc/pam.d/ directory.

Service-name
The name of the service associated with this entry. Frequently the service name is the conventional name of the given application, for example ‘ftpd’, ‘rlogind’, ‘su’, etc. There is a special service-name, reserved for defining a default authentication mechanism. It has the name ‘OTHER’ and may be specified in either lower or upper case characters. Note that when there is a module specified for a named service, the ‘OTHER’ entries are ignored.

Control-flag
The control-flag is used to indicate how the PAM library will react to the success or failure of the module it is associated with. Since modules can be stacked (modules of the same type execute in series, one after another), the control-flags determine the relative importance of each module. The application is not made aware of the individual success or failure of modules listed in the ‘/etc/pam.conf’ file.

Optional
As its name suggests, this control-flag marks the module as not being critical to the success or failure of the user’s application for service. In general, Linux-PAM ignores such a module when determining if the module stack will succeed or fail. However, in the absence of any definite successes or failures of previous or subsequent stacked modules, this module will determine the nature of the response to the application.

Bad
This action indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack.

Die
Equivalent to bad, with the side effect of terminating the module stack and PAM immediately returning to the application.

OK
This tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules.
pam_env
This module allows the (un)setting of environment variables. The use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST is supported.

pam_filter
This module was written to offer a plug-in alternative to programs like ttysnoop (XXX - need a reference). Since a filter that performs this function has not been written, it is currently only a toy.

pam_rootok
This module is for use in situations where the superuser wishes to gain access to a service without having to enter a password.

pam_securetty
Provides standard UNIX securetty checking.

pam_time
Running a well-regulated system occasionally involves restricting access to certain services in a selective manner. This module offers some time control for access to services offered by a system. Its actions are determined with a configuration file.

pam_ldap
pam_ldap looks for the LDAP client configuration file “ldap.conf” in /etc/. Here's an example of the ldap.conf file (partial):
# file name: ldap.conf
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1
# The distinguished name of the search base.

try_first_pass
The module should attempt authentication with the previously typed password (from the preceding auth module). If that doesn’t work, then the user is prompted for a password. (This option is intended for auth modules only.)

use_mapped_pass
This argument is not currently supported by any of the modules in the Linux-PAM distribution because of possible consequences associated with U.S. encryption exporting restrictions.

The only difference between the two is that the service-name is not present. The service-name is of course the name of the given configuration file. For example, /etc/pam.d/login contains the configuration for the login service.

Default Policy
If a system is to be considered secure, it had better have a reasonably secure ‘OTHER’ entry. The following is a “severe” setting (which is not a bad place to start!):
#
# default; deny access
#
OTHER auth required pam_deny.
OTHER auth required pam_warn.so
OTHER password required pam_warn.so
Having two “OTHER auth” lines is an example of stacking. On a system that uses the /etc/pam.d/ configuration, the corresponding default setup would be achieved with the following file:
#
# default configuration: /etc/pam.d/other
#
auth required pam_warn.so
auth required pam_deny.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_deny.
In addition to the normal applications (login, su, sshd, passwd, and pppd), Black Box also has made portslave a PAM-aware application. Portslave requires four services configured in pam.conf: local, remote, radius, and tacplus. The portslave PAM interface takes any parameter needed to perform the authentication in the serial ports from the file pslave.conf. The pslave.conf parameter all.authtype determines which service(s) should be used.

# If Kerberos server is down, uses the local service
#
kerberosdownlocal auth requisite pam_securetty.so
kerberosdownlocal auth optional pam_auth_srv.so
kerberosdownlocal auth \
    [ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ] \
    pam_krb5.so no_ccache
kerberosdownlocal auth required pam_unix2.so
kerberosdownlocal account \
    [ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ] \
    pam_krb5.

ldapdownlocal auth required pam_unix2.so
ldapdownlocal account \
    [ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ] \
    pam_ldap.so
ldapdownlocal account required pam_unix2.so
ldapdownlocal session \
    [ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ] \
    pam_ldap.so
ldapdownlocal session required pam_unix2.so
#
# The PAM configuration file for the `tacplus' service
#
tacplus auth requisite pam_securetty.

radius account required pam_radius_auth.so
radius session required pam_radius_auth.so
s_radius auth requisite pam_securetty.so
s_radius auth required pam_radius_auth.so use_first_pass
s_radius account required pam_radius_auth.so
s_radius session required pam_radius_auth.so
#
# The PAM configuration file for the `local' service
#
local auth requisite pam_securetty.so
local auth required pam_unix2.so
local account required pam_unix2.

#
# The PAM configuration file for the `login' service
#
login auth requisite pam_securetty.so
login auth required pam_unix2.so
login auth optional pam_group.so
login account requisite pam_time.so
login account required pam_unix2.so
login password required pam_unix2.so md5 use_authtok
login session required pam_unix2.so
login session required pam_limits.so
#
# The PAM configuration file for the `xsh' service
#
sshd auth required pam_unix2.

#
samba auth required pam_unix2.so
samba account required pam_unix2.so
#
# The PAM configuration file for the `su' service
#
su auth required pam_wheel.so
su auth sufficient pam_rootok.so
su auth required pam_unix2.so
su account required pam_unix2.so
su session required pam_unix2.so
#
# Information for the PPPD process with the 'login' option.
#
ppp auth required pam_nologin.so
ppp auth required pam_unix2.so
ppp account required pam_unix2.

#ippp auth optional pam_auth_srv.so
#ippp account required pam_radius_auth.so conf=/etc/raddb/server
#ippp session required pam_radius_auth.so conf=/etc/raddb/server
#
# The PAM configuration file for the `other' service
#
other auth required pam_warn.so
other auth required pam_deny.so
other account required pam_deny.so
other password required pam_warn.so
other password required pam_deny.so
other session required pam_deny.
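The control-flag descriptions earlier in this appendix (optional, bad, die, ok) and the [ value=action ] lines in the kerberosdownlocal and ldapdownlocal stacks above are easiest to check by stepping through a stack with concrete module results. The following is an added example, a model of the Linux-PAM stacking rules rather than the Linux-PAM library itself, and not Black Box's or Linux-PAM's code. It expresses required/requisite/sufficient/optional as the [value=action] tables Linux-PAM defines for them, uses plain strings in place of the PAM_* return codes, and replays the kerberosdownlocal auth stack and the su auth stack from the listing above with results supplied by the caller.

```python
"""Evaluate a Linux-PAM module stack the way the control-flags and
[ value=action ] tables in this appendix describe.

Added example; this is a model of the stacking rules, not the Linux-PAM
library.  Module return codes are plain strings standing in for the
PAM_* constants ('success', 'auth_err', 'authinfo_unavail',
'new_authtok_reqd'); the result each module would produce is supplied
by the caller so different situations can be compared.
"""

# The four keyword control-flags written as the [value=action] tables
# Linux-PAM defines for them.
CONTROL_FLAGS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}


def parse_control(control):
    """'required' or '[ success=done default=die ]' -> {return code: action}."""
    control = control.strip()
    if control.startswith("["):
        table = {}
        for token in control.strip("[] ").split():
            code, sep, action = token.partition("=")
            if not sep:
                raise ValueError(f"malformed action {token!r}")
            table[code] = action
        return table
    return dict(CONTROL_FLAGS[control])


def evaluate_stack(stack, results):
    """Run one management group's stack and return the code the
    application receives.

    stack:   list of (control, module) in file order
    results: {module: return code} that each module would produce
    """
    status = None        # what the stack would return so far
    failed = False       # a 'bad'/'die' action has already been recorded
    for control, module in stack:
        rc = results[module]
        table = parse_control(control)
        action = table.get(rc, table.get("default", "bad"))
        if action == "ignore":
            continue                       # module does not affect the result
        if action in ("ok", "done"):
            if not failed:                 # ok never overrides an earlier failure
                status = rc
            if action == "done":
                break                      # stop consulting further modules
        elif action in ("bad", "die"):
            if not failed:                 # first failure sets the stack status
                failed, status = True, rc
            if action == "die":
                break                      # terminate the stack immediately
        else:
            raise ValueError(f"unsupported action {action!r}")
    # A stack where nothing contributed is denied (PAM_PERM_DENIED).
    return "perm_denied" if status is None else status


# The kerberosdownlocal auth stack from this appendix's pam.conf listing.
KERBEROS_DOWN_LOCAL = [
    ("requisite", "pam_securetty.so"),
    ("optional", "pam_auth_srv.so"),
    ("[ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ]",
     "pam_krb5.so"),
    ("required", "pam_unix2.so"),
]

# The su auth stack from the same listing.
SU_AUTH = [
    ("required", "pam_wheel.so"),
    ("sufficient", "pam_rootok.so"),
    ("required", "pam_unix2.so"),
]


def kerberos_scenarios():
    """Outcome of the kerberosdownlocal stack for three pam_krb5 results."""
    base = {"pam_securetty.so": "success", "pam_auth_srv.so": "success",
            "pam_unix2.so": "success"}
    return {krb: evaluate_stack(KERBEROS_DOWN_LOCAL, {**base, "pam_krb5.so": krb})
            for krb in ("success", "authinfo_unavail", "auth_err")}


if __name__ == "__main__":
    for krb, outcome in kerberos_scenarios().items():
        print(f"pam_krb5 -> {krb:17s}  stack -> {outcome}")
```

The three Kerberos scenarios show what the "DownLocal" idea buys: an unreachable KDC (authinfo_unavail) is ignored and pam_unix2 decides, a Kerberos success ends the stack before pam_unix2 is consulted, and a Kerberos rejection dies without ever trying the local password. The su stack shows the other rule worth remembering: a sufficient module cannot rescue a required module that has already failed.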
Appendix E - Software Upgrades and Troubleshooting

Upgrades
Users should upgrade the BLACK BOX ® Advanced Console Server whenever there is a bug fix or new features that they would like to have. Below are the six files added by Black Box to the standard Linux files in the /proc/flash directory when an upgrade is needed.
ftp
> open server
> user admin
> Password: adminpw
> cd /tftpboot
> bin
> get zImage.134 zImage
> quit
Note: Due to space limitations, the new zImage file may not be downloaded with a different name, then renamed. The BLACK BOX ® Advanced Console Server searches for a file named zImage when booting and there is no room in flash for two zImage files.
Step 4: Run zImage.

Troubleshooting
Flash Memory Loss
If the contents of flash memory are lost after an upgrade, please follow the instructions below to restore your system:
Step 1: Turn the BLACK BOX ® Advanced Console Server OFF, then back ON.
Step 2: Using the console, wait for the self test messages. If you haven't got any, make sure you have the right settings. If you really get no boot message, press right after powering ON and skip ALTERNATE boot code.

Note: Possible causes for the loss of flash memory may include: downloaded wrong zImage file, downloaded as ASCII instead of binary; problems with flash memory.
If the BLACK BOX ® Advanced Console Server booted properly, the interfaces can be verified using ifconfig and ping. If ping does not work, check the routing table using the command route. Of course, all this should be tried after checking that the cables are connected correctly.

Table 30: Files to be included in /etc/config_file and the program to use
File                              Program
/etc/ssh/ssh_host_key.pub         sshd
/etc/ssh/sshd_config              sshd
/etc/ssh/ssh_config               ssh client
/etc/ssh/ssh_host_key             sshd (ssh1)
/etc/ssh/ssh_host_key.pub         sshd (ssh1)
/etc/ssh/ssh_host_dsa_key         sshd (ssh2)
/etc/ssh/ssh_host_dsa_key.pub     sshd (ssh2)
/etc/snmp/snmpd.conf              snmpd
/etc/portslave/pslave.

Important! Black Box Technical Support is always ready to help with any configuration problems. Before calling, execute the command cat /proc/version and note the Linux version and BLACK BOX ® Advanced Console Server version written to the screen. This will speed the resolution of most problems.

Hardware Test
A hardware test called tstest is included with the BLACK BOX ® Advanced Console Server firmware.

             <- Packets ->              <- Errors ->
From   To    Sent  Received  Passes     Data  CTS  DCD  DSR
2 <->  2     35    35        35         0     0    0    0
4 <->  5     35    35        35         0     0    0    0
5 <->  4     35    35        35         0     0    0    0
When this test is run with a cable or connector without the DSR signal (see the pinout diagram for the cable or connector being used), errors will appear in the DSR column. This does not indicate a problem with the port.

First, type Ctrl-D to see the X in the DTR column move position, then type Ctrl-R to see the X in the RTS column change position. If each of the Xs moves in response to its command, the signals are being sent. Another method to test the signals is to use a loop-back connector. Enter the number of the port with the loopback connector and start the test. In this case, when Ctrl-D is typed, the Xs in the first three columns will move as shown below.

zimage at:     00008100 0006827E
relocated to:  00DB7000 00E1717E
initrd at:     0006827E 0024F814
relocated to:  00E18000 00FFF596
avail ram:     0030B270 00E18000
Linux/PPC load: root=/dev/ram
After printing “Linux/PPC load: root=/dev/ram,” the BLACK BOX ® Advanced Console Server waits approximately 10 seconds for user input. This is where the user should type “single” (spacebar, then the word “single”).

your system. If your ftp server is on the same network as the BLACK BOX ® Advanced Console Server, the gw and mask parameters are optional.
config_eth0 ip 200.200.200.1 mask 255.255.255.0 gw 200.200.200.5
At this point, the DNS configuration (in the file /etc/resolv.conf) should be checked. Then, download the kernel image using the ftp command.

Firmware boot from ((F)lash or (N)etwork) [F]
Boot type ((B)ootp,(T)ftp or Bot(H)) [T]
Boot File Name [zvmppctsbin]
Server's IP address [192.168.160.1]
Console speed [9600]
(P)erform or (S)kip Flash test [P]
(S)kip, (Q)uick or (F)ull RAM test [F]
Fast Ethernet ((A)uto Neg, (1)00 BtH, 100 Bt(F), 10 B(t)F, 10 Bt(H)) [A]
Fast Ethernet Maximum Interrupt Events [0]
Type for all fields but the Console Speed.

CPU LED
Normally the CPU status LED should blink consistently: one second on, one second off. If this is not the case, an error has been detected during the boot. The blink pattern can be interpreted via the following table:
Table 31: CPU LED Code Interpretation
Event                        CPU LED Morse code
Normal Operation             S (short, short, short . . . )
Flash Memory Error - Code    L (long, long, long . . .
Appendix F - Certificate for HTTP Security

Introduction
The following configuration will enable you to obtain a Signed Digital Certificate. A certificate for HTTP security is created by a CA (Certificate Authority). Certificates are most commonly obtained by generating public and private keys, using a public key algorithm like RSA or X509. The keys can be generated by using key generator software.

Procedure
Step 1: Enter OpenSSL command.

Table 32: Required information for the OpenSSL package
Parameter: Email Address []:
Description: Your email address or the administrator’s email address.
The other requested information can be skipped. The certificate signing request (CSR) generated by the command above contains some personal (or corporate) information and its public key.

Step 2: Submit CSR to the CA.
The next step is to submit the CSR and some personal data to the CA.

Step E: Save the configuration in flash.
#saveconf
Step F: The certification will be effective in the next reboot.
Appendix G - IPSEC

Introduction
This document contains some information that Technical Support may need to help customers with IPsec problems. It covers some basic aspects of tunneling, the kinds of tunnels supported by the BLACK BOX ® Advanced Console Server IPsec implementation, how to configure the BLACK BOX ® Advanced Console Server and how to manage the IPsec and the IPsec connections.
Appendix G - IPSEC Using IPsec to create a VPN A VPN, or Virtual Private Network lets two networks communicate securely when the only connection between them is over a third network which they do not trust. The method is to put a security gateway machine between each of the communicating networks and the untrusted network. The gateway machines encrypt packets entering the untrusted net and decrypt packets leaving it, creating a secure tunnel through it.
Appendix G - IPSEC The software parts The IPsec software has three main parts: KLIPS (kernel IPsec) Implements the IPsec code in the Linux kernel. PLUTO The user space IPsec. It negotiate connections with other systems. scripts Various scripts provide and administrator interface to the machinery. IPSec Configuration The configuration file IPsec uses a configuration file, ipsec.conf.
Appendix G - IPSEC 3. All other non-comment lines of a section must be indented. 4. Blank lines separate sections. 5. You cannot put a blank line within a section; use a lone '#' instead. The configuration file uses left and right to refer to the two gateways involved in a connection, and has other parameters which come in left/right pairs. For example, leftsubnet is the subnet behind left. Which gateway is left and which is right is entirely up to you. The setup section of ipsec.
Appendix G - IPSEC The variables set here are: interfaces Tells the IPsec code in the Linux kernel which network interface to use. The interfaces specified here are the only ones this gateway machine will use to communicate with other IPsec gateways. If this is not correct, nothing works. In many cases, the appropriate interface is just your default connection to the world (the Internet, or your corporate network). In these cases, you can use the default setting: interfaces=%defaultroute.
Appendix G - IPSEC plutostart List of connections to be automatically negotiated when Pluto starts. plutoload and plutostart can be quoted lists of connection names, but are often set to %search as in our example. Any connection with auto=add in its connection definition is then loaded, and any connection with auto=start is started. In most cases, you want plutostart=%search here and auto=start in your connection descriptions.
    # Some will override this with auto=start
    auto=add

Variables set here are:

keyingtries: How persistent to be in (re)keying negotiations (0 means very). For testing, you might wish to set this to some small number, perhaps even to 1, to avoid wasting resources on incorrectly set up connections. In production, it is often set to zero (retry forever).

    # left security gateway (public-network address)
    left=10.0.0.1
    # next hop to reach right
    leftnexthop=10.44.55.66
    # subnet behind left (omit if there is no subnet)
    leftsubnet=172.16.0.0/24
    # right s.g., subnet behind it, and next hop to reach left
    right=10.12.12.1
    rightnexthop=10.88.77.66
    rightsubnet=192.168.0.0/24
    auto=start

We are omitting the variables we have shown as set in the default connection above. All of them could also be set here.

leftnexthop: Where left should send packets whose destination is right, typically the first router in the appropriate direction. This need not always be set. If the two gateways are directly linked (packets can go from one to the other without IP routing by any intermediate device), then you need not set either leftnexthop or rightnexthop. A connection with left=%defaultroute or right=%defaultroute must not have the corresponding nexthop parameter set.
Example file for BLACK BOX ® Advanced Console Server-to-network connection

For a BLACK BOX ® Advanced Console Server-to-network connection, a simple network diagram looks like this:

    BLACK BOX ® Advanced Console Server
        interface e.f.g.h = left
            |
        interface e.f.g.i = leftnexthop
    router
        interface we don't know
            |
        INTERNET
            |
        interface we don't know
    router
        interface j.k.l.m = rightnexthop
            |
        interface j.k.l.n = right
    right gateway machine
        interface 192.168.0.

    interfaces="%defaultroute"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search

# defaults that apply to all connection descriptions
conn %default
    keyingtries=0
    # How to authenticate gateways
    authby=rsasign

# VPN connection for head office and branch office
conn head-branch
    # identity we use in authentication exchanges
    leftid=@head.example.com
    leftrsasigkey=0x175cffc641f...
    # left security gateway (public-network address)
    left=e.f.g.
    rightsubnet=192.168.0.0/24

IPsec Usage

The IPsec Daemon

The IPsec daemon (PLUTO) is the program that loads and negotiates the connections. To start the IPsec daemon, use the following command:

    /usr/local/sbin/ipsec setup --start

This command also accepts the usual daemon commands such as stop and restart. The ipsec daemon is not automatically initialized when you boot your Console Server equipment for the first time.

Starting and Stopping a Connection

All the connections can be negotiated at boot time if these connections have the auto parameter set to start. However, if a certain connection doesn't have this option set, you can set it.

Generating an RSA key pair

The Console Server doesn't have an RSA key pair by default. If you would like to create one, you can simply uncomment the lines regarding IPsec in the file /etc/rc.sysinit. Your key pair will then be generated on the next boot. You can also generate your key pair by issuing the following commands as root:

    ipsec newhostkey --bits --output /etc/ipsec.secrets
    chmod 600 /etc/ipsec.secrets

Key generation may take some time.
    ipsec0->eth0 mtu=16260(1443)->1500
    esp0x4e1a10ce@64.186.161.128 ESP_3DES_HMAC_MD5: dir=out src=64.186.161.96 iv_bits=64bits iv=0xd491678073a22185 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(4,0,0)
    esp0xa99f2a63@64.186.161.96 ESP_3DES_HMAC_MD5: dir=in src=64.186.161.128 iv_bits=64bits iv=0x46209cee5f952117 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(4,0,0)
    tun0x1005@64.186.161.96 IPIP: dir=in src=64.186.161.128 policy=64.186.161.128/32->64.186.161.

    000 "teste": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "teste": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
    000 "teste": newest ISAKMP SA: #5; newest IPsec SA: #6; eroute owner: #6
    000
    000 #6: "teste" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28245s; newest IPSEC; eroute owner
    000 #6: "teste" esp.4e1a10ce@64.186.161.128 esp.a99f2a63@64.186.161.96 tun.1006@64.186.161.128 tun.1005@64.186.161.
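The status listing above is what an operator reads to confirm that a connection is really up: the IPsec SA must be in STATE_QUICK_I2, the connection must be erouted, and the SA should not be about to be replaced. The following added example (written for this guide, not code from the manual or from FreeS/WAN) parses that listing and turns it into a pass/fail check suitable for a monitoring script. STATUS_SAMPLE is constructed after the lines shown on this page; the STATE_MAIN_I4 line is added so that the ISAKMP SA is also represented.

```python
"""Added example (not part of the manual or of FreeS/WAN): parse the
`ipsec auto --status` style output shown above and decide whether a
connection's tunnel is actually up.  STATUS_SAMPLE is constructed after the
lines on this page; the STATE_MAIN_I4 line is added for the example."""
import re

STATUS_SAMPLE = """\
000 "teste": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "teste": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "teste": newest ISAKMP SA: #5; newest IPsec SA: #6; eroute owner: #6
000
000 #6: "teste" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28245s; newest IPSEC; eroute owner
000 #5: "teste" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2900s; newest ISAKMP
"""

# 000 "<conn>": <field>; <field>; ...
CONN_RE = re.compile(r'^000 "([^"]+)": (.*)$')
# 000 #<sa>: "<conn>" <STATE> (<description>); EVENT_x in <n>s; ...
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)" (\S+) \(([^)]*)\)(?:; EVENT_\w+ in (\d+)s)?')


def _entry(conns, name):
    return conns.setdefault(name, {"policy": [], "erouted": False,
                                   "isakmp_sa": None, "ipsec_sa": None})


def parse_status(text):
    """Return {conn name: {policy, erouted, isakmp_sa, ipsec_sa}}."""
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, name, state, desc, secs = m.groups()
            rec = {"sa": int(num), "state": state,
                   "replace_in": int(secs) if secs else None}
            entry = _entry(conns, name)
            if "IPsec SA established" in desc:
                entry["ipsec_sa"] = rec
            elif "ISAKMP SA established" in desc:
                entry["isakmp_sa"] = rec
            continue
        m = CONN_RE.match(line)
        if m:
            name, rest = m.groups()
            entry = _entry(conns, name)
            fields = [f.strip() for f in rest.split(";")]
            if fields[0].startswith("policy:"):
                entry["policy"] = fields[0].split(":", 1)[1].strip().split("+")
                entry["erouted"] = "erouted" in fields
    return conns


def tunnel_health(conns, name, min_replace_s=540):
    """(ok, reason): ok only when the IPsec SA is established, the eroute is in
    place, the policy still asks for encryption, and rekeying is not overdue."""
    entry = conns.get(name)
    if entry is None:
        return False, f"{name}: connection not known to pluto"
    if entry["ipsec_sa"] is None:
        return False, f"{name}: no IPsec SA established"
    if not entry["erouted"]:
        return False, f"{name}: IPsec SA exists but no eroute (traffic not protected)"
    if "ENCRYPT" not in entry["policy"]:
        return False, f"{name}: policy does not encrypt"
    left = entry["ipsec_sa"]["replace_in"]
    if left is not None and left < min_replace_s:
        return False, f"{name}: IPsec SA #{entry['ipsec_sa']['sa']} replace due in {left}s"
    return True, f"{name}: up, IPsec SA #{entry['ipsec_sa']['sa']}, replace in {left}s"


if __name__ == "__main__":
    print(tunnel_health(parse_status(STATUS_SAMPLE), "teste"))
```

The default threshold of 540 seconds matches the rekey_margin printed in the first status line, so a connection is reported unhealthy as soon as it enters the window in which Pluto should already have replaced the SA.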
Applications of IPsec

Because IPsec operates at the network layer, it is remarkably flexible and can be used to secure nearly any type of Internet traffic. Two applications, however, are extremely widespread:

• A Virtual Private Network, or VPN, allows multiple sites to communicate with the Console Server securely over an insecure Internet by encrypting all communication between the sites and the Console Server.

• If Network Address Translation (NAT) is applied between the two IPsec Gateways, this breaks IPsec. IPsec authenticates packets on an end-to-end basis, to ensure they are not altered en route. NAT rewrites packets as they go by. In most situations, however, FreeS/WAN supports Road Warrior connections just fine.

ever he might be. We refer to the remote machines as “Road Warriors.” For purposes of IPsec, anyone with a dynamic IP address is a Road Warrior.

Information exchange

To set up a Road Warrior connection, you need some information about the system on the other end. Connection descriptions use left and right to designate the two ends. We adopt the convention that, from the Console Server's point of view, left=local and right=remote.
Setup on the Road Warrior machine

Simply add a connection description us-to-Console Server, with the left and right information you gathered above, to the ipsec.conf file. This might look like:

# pre-configured link to Console Server
conn us-to-acs
    # information obtained from Console Server admin
    left=1.2.3.4 # Console Server IP address
    leftid=@acs.example.com
    # real keys are much longer than shown here
    leftrsasigkey=0s1LgR7/oUM...
    # warrior stuff
    right=%defaultroute
    rightid=@xy.example.

    rightid=@xy.example.com
    rightrsasigkey=0s1LgR7/oUM...

BLACK BOX ® Advanced Console Server-to-network VPN

Often it may be useful to have explicitly configured IPsec tunnels between the Console Server and a gateway of an office with a fixed IP address (in this case every machine on the office network would have a secure connection with the Console Server), or between the Console Server and the Console Server administrator machine, which must, in this case, have a fixed IP address.

    rightnexthop=10.88.77.66
    rightsubnet=192.168.0.0/24
    auto=start
    # This line is only for RSA signature
    rightrsasigkey=0s1LgR7/oUM...
    # This line is only for shared secret
    authby=secret

If you want to use shared secrets, you must insert the following line into the ipsec.secrets file:

    10.0.0.1 10.12.12.1 : PSK "secret"

The good part is that this connection descriptor and the secret line can be added to both the Console Server and the other end.

Generating an RSA key pair

The Console Server doesn't have an RSA key pair by default. It will be generated on the first reboot after you have uncommented the IPsec lines in the file /etc/inittab. You can also generate your key pair by issuing the following commands as root:

    /usr/local/sbin/ipsec newhostkey --bits --output /etc/ipsec.secrets
    chmod 600 /etc/ipsec.secrets

Key generation may take some time.
The Configuration File

Description

The ipsec.conf file specifies most configuration and control information for the FreeS/WAN IPsec subsystem. (The major exception is secrets for authentication; ipsec.

begin with white space too. There may be only one section of a given type with a given name. Lines within the section are generally of the following form:

    parameter=value

(Note the mandatory preceding white space.) There can be white space on either side of the =. Parameter names follow the same syntax as section names, and are specific to a section type. Unless otherwise explicitly specified, no parameter name may appear more than once in a section.
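The layout rules just stated (section headers at column 0, indented parameters, blank lines ending a section, a lone '#' not ending it, one occurrence of a parameter per section) and the connection rules given earlier (left and right required; a side set to %defaultroute must not have its nexthop set) are easy to get wrong by hand, and a mistake usually shows up only as "nothing works". The following added example, written for this guide and not FreeS/WAN's own parser, reads an ipsec.conf in that layout and reports both kinds of problem before the file is handed to pluto. GOOD_CONF and BAD_CONF are constructed samples; the addresses in them are the ones used in the examples above and do not describe a real site.

```python
"""Added example (not FreeS/WAN's own code): a small parser and checker for
the ipsec.conf layout described in this appendix.  The sample files below are
constructed for the example and do not describe a real site."""
import re

# A section header sits at column 0: "config setup" or "conn <name>".
SECTION_RE = re.compile(r"^(\w+)\s+(\S+)\s*$")

GOOD_CONF = """\
# constructed sample ipsec.conf
config setup
    interfaces=%defaultroute
    plutoload=%search
    plutostart=%search

conn %default
    keyingtries=0
    authby=rsasig

conn head-branch
    left=10.0.0.1
    leftnexthop=10.44.55.66
    leftsubnet=172.16.0.0/24
    #
    right=10.12.12.1
    rightnexthop=10.88.77.66
    rightsubnet=192.168.0.0/24
    auto=start

conn warrior
    left=%defaultroute
    leftnexthop=10.44.55.66
    right=10.12.12.1
"""

BAD_CONF = """\
conn broken
    left=10.0.0.1
    left=10.0.0.2
right=10.12.12.1
"""


def parse_ipsec_conf(text):
    """Return ({(type, name): {param: value}}, [syntax problems]).

    Layout rules applied: section headers start at column 0, every other
    non-comment line of a section is indented, a blank line ends the section,
    a lone '#' does not, and a parameter name may appear once per section.
    """
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            current = None                  # blank line: the section is over
            continue
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                        # comment-only line (or lone '#') keeps the section open
        if not raw[0].isspace():
            m = SECTION_RE.match(line)
            if not m:
                problems.append(f"line {lineno}: expected a section header, got {raw.strip()!r}")
                current = None
                continue
            key = (m.group(1), m.group(2))
            if key in sections:
                problems.append(f"line {lineno}: section {key} defined twice")
            current = sections.setdefault(key, {})
            continue
        if current is None:
            problems.append(f"line {lineno}: parameter outside any section")
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not a parameter=value line")
            continue
        name, value = (part.strip() for part in line.strip().split("=", 1))
        if name in current:
            problems.append(f"line {lineno}: parameter {name!r} repeated in section")
        current[name] = value
    return sections, problems


def check_connections(sections):
    """Apply the conn rules stated in the appendix to every non-default conn."""
    findings = []
    defaults = sections.get(("conn", "%default"), {})
    for (stype, name), params in sections.items():
        if stype != "conn" or name == "%default":
            continue
        merged = {**defaults, **params}     # conn %default supplies missing values
        for side in ("left", "right"):
            if side not in merged:
                findings.append(f"{name}: {side} is required")
            elif merged[side] == "%defaultroute" and f"{side}nexthop" in merged:
                findings.append(f"{name}: {side}=%defaultroute must not set {side}nexthop")
        if merged.get("auto", "ignore") not in ("add", "route", "start", "ignore"):
            findings.append(f"{name}: auto={merged['auto']} is not add/route/start/ignore")
    return findings


if __name__ == "__main__":
    secs, probs = parse_ipsec_conf(GOOD_CONF)
    print(probs or "syntax ok", check_connections(secs))
    print(parse_ipsec_conf(BAD_CONF)[1])
```

Running the checker on GOOD_CONF reports no syntax problems but flags the warrior connection, which sets leftnexthop alongside left=%defaultroute; BAD_CONF trips both the repeated-parameter rule and the unindented-line rule.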
Conn Sections

A conn section contains a connection specification, defining a network connection to be made using IPsec. The name given is arbitrary, and is used to identify the connection to ipsec_auto and ipsec_manual. Here's a simple example:

conn snt
    left=10.11.11.1
    leftsubnet=10.0.1.0/24
    leftnexthop=172.16.55.66
    right=192.168.22.1
    rightsubnet=10.0.2.0/24
    rightnexthop=172.16.88.

type: The type of the connection. Currently the accepted values are: tunnel (the default), signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; transport, signifying host-to-host transport mode; and passthrough (supported only for manual keying), signifying that no IPsec processing should be done at all.

left: Required. The IP address of the left participant's public-network interface.

auto: What operation, if any, should be done automatically at IPsec startup; currently-accepted values are add (signifying an ipsec auto --add), route (signifying that plus an ipsec auto --route), start (signifying that plus an ipsec auto --up), and ignore (also the default) (signifying no automatic startup operation). This parameter is ignored unless the plutoload or plutostart configuration parameter is set suitably; see the config setup discussion below.

keylife: How long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. Acceptable values are an integer optionally followed by s (a time in seconds) or a decimal number followed by m, h, or d (a time in minutes, hours, or days respectively) (default 8.0h, maximum 24h).

rekey: Whether a connection should be renegotiated when it is about to expire.

esp: ESP encryption/authentication algorithm to be used for the connection, e.g. 3des-md5-96.

espenckey: ESP encryption key.

espauthkey: ESP authentication key.

espreplay_window: ESP replay-window setting. An integer from 0 to 64. Relevant only if ESP authentication is being used.

leftespspi: SPI to be used for the leftward ESP SA, overriding automatic assignment using spi or spibase. Typically a hexadecimal number beginning with 0x.

Parameters are optional unless marked “required.” The currently-accepted parameter names in a config setup section are:

Recommended Configuration

Certain parameters are now strongly-recommended defaults, but cannot (yet) be made system defaults due to backward compatibility.

The IPsec Daemon

The ipsec daemon is automatically initialized when you first boot your Console Server equipment after you have uncommented the IPsec lines in /etc/inittab and /etc/config_files. Rebooting your BLACK BOX ® Advanced Console Server is not mandatory. However, you can start the IPsec daemon by using the command:

    /usr/local/sbin/ipsec setup

This program accepts the options --start, --stop, and --restart.
Appendix H - Web User Management

Introduction

In the BLACK BOX ® Advanced Console Server Web server, the user database is completely separated from the system’s (as defined in the /etc/passwd file), and the logic used for managing permissions is also different. The Web’s user database is stored in the /etc/websum.conf file, and it has basically three lists: users, user groups and access limits.

Figure 43: Access Limit List default page

How Web User Management works

When a user logs in, the username and the password are encrypted and stored in the browser. Whenever a URL is requested, the User Manager will perform the following tasks:

Task 1: Check the URL in the Access Limit List

The Web server first scans for the full URL, and then it looks for the subdirectories, until reaching the root directory “/.

Task 2: Read the Username and the Password

This is done when the page must be accessed through authentication. If the username matches an entry in the users list, the following information will be available:

Enabled: The username must be enabled to be authenticated.

Encrypted password: The password passed by the browser must match the one registered in the entry.

Group: Each username is linked to a user group.
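Tasks 1 and 2 together form the authorization decision the Web server makes on every request: the most specific access limit wins (full URL first, then each parent directory up to "/"), and only a COOKIE ACCESS limit triggers the credential checks (user known, user enabled, password matches, group enabled). The following added example, written for this guide and not the Console Server's own code, models that decision so the order of the checks can be seen and exercised. The users, groups and access limits are constructed tables; the page does not give the on-disk format of /etc/websum.conf or how it encrypts passwords, so a salted PBKDF2 hash stands in for the "encrypted password".

```python
"""Added example (not the Console Server's own code): a model of the two
tasks the Web User Manager performs on every request, as described in this
appendix.  The tables are constructed for the example; websum.conf's real
on-disk format and password encoding are not given on this page, so a
PBKDF2 hash with a per-user salt stands in for the "encrypted password"."""
import hashlib
import hmac

ACCESS_LIMITS = {  # constructed: URL or subdirectory -> (privilege, secure)
    "/": ("FULL ACCESS", False),
    "/admin/": ("COOKIE ACCESS", True),
    "/admin/public/": ("FULL ACCESS", False),
}
GROUPS = {  # constructed user groups
    "admins": {"enabled": True},
    "guests": {"enabled": False},
}


def hash_pw(password, salt):
    """Stand-in for the stored 'encrypted password' (assumption, see above)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()


USERS = {  # constructed users list
    "root": {"enabled": True, "group": "admins", "salt": b"constructed-salt-1",
             "pw": hash_pw("changeme", b"constructed-salt-1")},
    "guest": {"enabled": False, "group": "guests", "salt": b"constructed-salt-2",
              "pw": hash_pw("guest", b"constructed-salt-2")},
}


def find_access_limit(url, limits=ACCESS_LIMITS):
    """Task 1: try the full URL, then each parent directory, until '/'."""
    path = url.split("?", 1)[0] or "/"
    if not path.startswith("/"):
        path = "/" + path
    candidates = [path]
    while path != "/":
        path = path[: path.rstrip("/").rfind("/") + 1]   # parent directory
        candidates.append(path)
    for candidate in candidates:                         # most specific first
        if candidate in limits:
            return candidate, limits[candidate]
    return None, None


def authorize(url, username=None, password=None,
              limits=ACCESS_LIMITS, users=USERS, groups=GROUPS):
    """Task 1 then Task 2.  Returns (allowed, reason)."""
    prefix, limit = find_access_limit(url, limits)
    if limit is None:
        return False, "no access limit matches the URL"
    privilege, secure = limit
    if privilege == "FULL ACCESS":
        return True, f"{prefix}: no authentication required"
    # COOKIE ACCESS: the credentials the browser sends must check out.
    if username is None or password is None:
        return False, f"{prefix}: authentication required"
    user = users.get(username)
    if user is None:
        return False, "unknown user"
    if not user["enabled"]:
        return False, "user is not enabled"
    if not hmac.compare_digest(user["pw"], hash_pw(password, user["salt"])):
        return False, "password does not match"
    group = groups.get(user["group"])
    if group is None or not group["enabled"]:
        return False, "user group is not enabled"
    note = ", secure page" if secure else ""
    return True, f"{prefix}: {username} ({user['group']}) authenticated{note}"


if __name__ == "__main__":
    print(authorize("/index.html"))
    print(authorize("/admin/users.html", "root", "changeme"))
    print(authorize("/admin/users.html", "guest", "guest"))
```

Note the consequence of the lookup order: a FULL ACCESS entry for a subdirectory such as /admin/public/ overrides the COOKIE ACCESS entry for /admin/, so pages placed there are reachable without a login.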
Changing the Root Password

The first thing to do after logging into a Web session the first time must be to change the root password. See Security Issue under .

Step 1: Click on the link Web User Management > Users.
Step 2: Select the root user and click the Change Password button.
Step 3: Type the password twice and click the Submit button.
Step 4: Click on the link Web User Management > Load/Save Web Configuration. The Login page will appear.

Step 4: Click on the Submit button. A confirmation message will appear.
Step 5: If there are more users to be added, repeat steps 1 to 4.
Step 6: Click on the link Web User Management > Load/Save Web Configuration.
Step 7: Click on the Save Configuration button. This will save the users added in the file /etc/websum.conf.
Step 8: Click on the link Administration > Load/Save Configuration.
Step 9: Click on the Save to Flash button.
Step 10: Test the user(s) added.

Adding and Deleting User Groups

The default configuration already comes with four user groups, and, for most cases, they will be enough. However, you have the option of editing the user groups.

Adding a group

Step 1: Click on the link Web User Management > Groups.
Step 2: Click on the Add Group button.
Step 3: Configure the new group. Type the group name and select the access privilege this group will have. Leave the Enabled item checked.

Step 3: If there are more groups to be deleted, repeat steps 1 and 2.
Step 4: Click on the link Web User Management > Load/Save Web Configuration.
Step 5: Click on the Save Configuration button. This will save the users added in the file /etc/websum.conf.
Step 6: Click on the link Administration > Load/Save Configuration.
Step 7: Click on the Save to Flash button.

Step 3: Configure the new access limit. Type the URL (or the subdirectory), and select the access privilege. If authentication is required to access the page, select COOKIE ACCESS; otherwise, select FULL ACCESS. If this page is confidential, check the Secure box.
Step 4: Click on the Submit button. A confirmation message will appear.
Step 5: If there are more access limits to be added, repeat steps 1 to 4.
Appendix I - Connect to Serial Ports from Web

Introduction

Depending on how the serial port is configured, connecting to a serial port will either open up a telnet or ssh connection. A serial port configured as socket_server or raw_data will open up a telnet connection, while socket_ssh will open up an ssh connection. Any Web user configured in the Web User Management section of the WMI will be able to use this application.

On Windows

From Internet Explorer

Go to Tools → Internet Options → Advanced. Scroll down and look for a section on Java. There should be a checkbox that says “Use Java 2 v1.4.0 ...." If there isn't, this could either mean your browser is not activated to use the Java plug-in that came with the JRE you have installed, or it just means that you don't have any JRE installed, in which case please install one and repeat the check.

Step-by-Step Process

Step 1: Point your browser to the Console Server. In the address field of your browser, type the Console Access Server’s IP address. For example: http://10.0.0.0
Step 2: Log in. Log in with a user configured in the Web User Management section, and its password. This will take you to the Configuration and Administration page.
Step 3: Select the Connect to Serial Ports link.

Figure 45: SSH User Authentication Popup Window

Step 6: Enter command. Click in the terminal window and start entering commands.
Step 7: To send a break to the terminal, click on the SendBreak button.
Step 8: Disconnect connection. Click on the Disconnect button. Make sure the Status bar shows an Offline status. Closing the popup window will also disconnect you from the server.
Step 9: Reconnect to port.
Appendix J - Examples for Configuration Testing

Introduction

The following three examples are given only to test a configuration. The steps should be followed after configuring the BLACK BOX ® Advanced Console Server.

Console Access Server

With the BLACK BOX ® Advanced Console Server set up as a CAS, you can access a server connected to the BLACK BOX ® Advanced Console Server through the server’s serial console port from a workstation on the LAN or WAN.

The following diagram shows additional scenarios for the BLACK BOX ® Advanced Console Server: both remote and local authentication, data buffering, and remote access.

Figure 46: CAS diagram with various authentication methods

As shown in the above figure, our “CAS with local authentication” scenario has either telnet or ssh (a secure shell session) being used.

Step 1: Create a new user. Run the adduser command to create a new user in the local database. Create a password for this user by running passwd.
Step 2: Confirm physical connection. Make sure that the physical connection between the BLACK BOX ® Advanced Console Server and the servers is correct. A crossover cable (not the modem cable provided with the product) should be used.

Step 6: Activate the changes. Now continue on to Task 5: Activate the changes through Task 8: Reboot the BLACK BOX ® Advanced Console Server, listed in Chapter 2 - Installation, Configuration, and Usage.

Note: It is possible to access the serial ports from Microsoft stations using some off-the-shelf packages. Although Black Box is not liable for those packages, successful tests were done using at least one of them.

No authentication is used in the example shown above, and rlogin is chosen as the protocol. After configuring the serial ports as described in Chapter 3 - Additional Features or in Appendix C - The pslave Configuration File, the following step-by-step checklist can be used to test the configuration.

Step 1: Create a new user. Since authentication was set to none, the BLACK BOX ® Advanced Console Server will not authenticate the user.

Dial-in Access

The BLACK BOX ® Advanced Console Server can be configured to accommodate out-of-band management. Ports can be configured on the BLACK BOX ® Advanced Console Server to allow a modem user to access the LAN. Radius authentication is used in this example, and ppp is chosen as the protocol on the serial (dial-up) lines. Black Box recommends that a maximum of two ports be configured for this option.

Step 2: Confirm that the Radius server is reachable. From the console, ping 200.200.200.2 to make sure the Radius authentication server is reachable.
Step 3: Confirm physical connections. Make sure that the physical connection between the BLACK BOX ® Advanced Console Server and the modems is correct. The modem cable provided with the product should be used. Please see Appendix B - Cabling, Hardware, and Electrical Specifications for pinout diagrams.
Appendix K - Wiz Application Parameters

Basic Parameters (wiz)
• Hostname
• System IP
• Domain Name
• DNS Server
• Gateway IP
• Network Mask

Access Method Parameters (wiz --ac) (CAS profile)
• Ipno
• Socket_port
• Protocol
• Users
• Poll_interval
• Tx_interval
• Idletimeout
• Conf.group
• .

• web_WinEMS
• translation

(TS profile)
• Protocol
• Socket_port
• Userauto
• Telnet_client_mode

Alarm Parameter (wiz --al)
• Alarm
• xml_monitor

Authentication Parameters (wiz --auth)
• Authtype
• Authhost1
• Accthost1
• Authhost2
• Accthost2
• Radtimeout
• Radretries

• Secret

Data Buffering Parameters (wiz --db)
• Data_buffering
• Conf.

Serial Settings Parameters (wiz --sset) (CAS profile)
• Speed
• Datasize
• Stopbits
• Parity
• Flow
• Dcd
• SttyCmd
• DTR_reset

(TS profile)
• Speed
• Datasize
• Stopbits
• Parity
• Flow
• Dcd

Sniffing Parameters (wiz --snf)
• Admin_users
• Sniff_mode
• Escape_char
• Multiple_sessions

Syslog Parameters (wiz --sl)
• Conf.facility
• Conf.

Terminal Server Profile Other Parameters (wiz --tso)
• Host
• Term
• Conf.
Appendix L - Copyrights

References

The Advanced Secure Console Port Server is based on the HardHat Linux distribution, developed by MontaVista Software for embedded systems. Additionally, several other applications were incorporated into the product, in accordance with the free software philosophy. The list below contains the packages and applications used in the Advanced Secure Console Port Server and a reference to their maintainers.

Flex: Flex version 2.5.4, vern@ee.lbl.gov. COPYRIGHT: This product includes software developed by the University of California, Berkeley and its contributors.

GNU: The GNU project, http://www.gnu.org

HardHat Linux: MontaVista Software - HardHat version 2.1, http://www.montavista.com

IPSec: The Linux FreeS/WAN IPsec version 1.9.8, http://www.freeswan.org. COPYRIGHT: This product includes software developed by Eric Young (eay@cryptsoft.com)

IPtables: Netfilter IPtables version 1.2.2.

NTP: NTP client, http://doolittle.faludi.com/ntpclient/

OpenSSH: OpenSSH version 3.5p1, http://www.openssh.org. COPYRIGHT: This product includes software developed by the University of California, Berkeley and its contributors.

OpenSSL: OpenSSL Project version 0.9.6g, http://www.openssl.org. COPYRIGHT: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.

Tinylogin: TinyLogin version 0.80, ftp://ftp.lineo.com/pub/tinylogin/

WEBS: GoAhead WEBS version 2.1 (modified), http://goahead.com/webserver/webserver.htm. Copyright (c) 20xx GoAhead Software, Inc. All Rights Reserved

ZLIB: zlib version 1.1.4, http://www.gzip.
Glossary

Authentication
Authentication is the process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. (Source: www.webopedia.

IP packet filtering
This is a set of facilities in network equipment that allows the filtering of data packets based on source/destination addresses, protocol, TCP port number and other parameters. Packet filtering is one of the main functions of a firewall.

KVM Switch (KVM)
Keyboard-Video-Mouse Switches connect to the KVM ports of many computers and allow the network manager to access them from a single KVM station.

Mainframe
Large, monolithic computer system.

MIBs
Management Information Bases.

RISC
Reduced Instruction Set Computer. This describes a computer processor architecture that uses a reduced set of instructions (and achieves performance by executing those instructions very fast). Most UNIX servers (Sun Sparc, HP, IBM RS6000, Compaq Alpha) were designed with a processor using a RISC architecture. The Intel ® x86 architecture.

RS-232
A set of standards for serial communication between electronic equipment defined by the Electronic Industries Association in 1969.

Terminal Server
A terminal server has one Ethernet LAN port and many RS-232 serial ports. It is used to connect many terminals to the network. Because they have the same physical interfaces, terminal servers are sometimes used as console access servers.

TTY
The UNIX name for the COM (Microsoft) port.

U (Rack height unit)
A standard computer rack has an internal width of 17 inches. Rack space on a standard rack is measured in units of height (U). One U is 1.75 inches.
© Copyright 2002, Black Box Corporation. All rights reserved.