CommandCenter Secure Gateway Administrators Guide Release 4.3 Copyright © 2010 Raritan, Inc. CCA-0K-v4.
This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of Raritan, Inc. © Copyright 2009 Raritan, Inc., CommandCenter®, Dominion®, Paragon® and the Raritan company logo are trademarks or registered trademarks of Raritan, Inc. All rights reserved. Java® is a registered trademark of Sun Microsystems, Inc.
Contents

What's New in the CC-SG Administrators Guide

Chapter 1 Introduction
Prerequisites
Terminology/Acronyms
Client Browser Requirements
How to Create Associations
Adding, Editing, and Deleting Categories and Elements
Add a Category
Delete a Category
Delete a Device Group
Adding Devices with CSV File Import
Devices CSV File Requirements
Sample Devices CSV File
About Interfaces
Viewing Nodes
Nodes Tab
Node Profile

Chapter 9 Users and User Groups
The Users Tab
Default User Groups
CC Super-User Group
System Administrators Group
Using Custom Views in the Admin Client
Custom Views for Nodes
Custom Views for Devices

Chapter 12 Remote Authentication
Authentication and Authorization (AA) Overview
Navigate Multiple Page Reports
Print a Report
Save a Report to a File
Purge a Report's Data From CC-SG

Chapter 15 Advanced Administration
Configuring a Message of the Day
Configuring Applications for Accessing Nodes
About Applications for Accessing Nodes
Checking and Upgrading Application Versions
Security Manager
Remote Authentication
AES Encryption
Configure Browser Connection Protocol: HTTP or HTTPS/SSL
Edit Network Interfaces Configuration (Network Interfaces)
Ping an IP Address
Use Traceroute
Edit Static Routes
CC-SG and Client for IPMI, iLO/RILOE, DRAC, RSA
CC-SG and SNMP
CC-SG Internal Ports
CC-SG Access via NAT-enabled Firewall
RDP Access to Nodes

Appendix C User Group Privileges

Appendix D SNMP Traps

Appendix E CSV File Imports
Common CSV File Requirements
Audit Trail Entries for Importing
Troubleshoot CSV File Problems
Node Information
Location Information
Contact Information
Service Accounts
What's New in the CC-SG Administrators Guide

The following sections have changed or information has been added to the CommandCenter Secure Gateway Administrators Guide based on enhancements and changes to the equipment and/or documentation.
• Configuring Power Control of Power IQ IT Devices (on page 306)
• CC-SG Clustering (on page 315)

See the Release Notes for a more detailed explanation of the changes applied to this version of the CommandCenter Secure Gateway.
Chapter 1 Introduction

The CommandCenter Secure Gateway (CC-SG) Administrators Guide offers instructions for administering and maintaining your CC-SG. This guide is intended for administrators who typically have all available privileges. Users who are not administrators should see Raritan's CommandCenter Secure Gateway User Guide.

In This Chapter
Prerequisites
Terminology/Acronyms
Terminology/Acronyms

Terms and acronyms found in this document include:

Access Client - HTML-based client intended for use by normal access users who need to access a node managed by CC-SG. The Access Client does not allow the use of administration functions.

Admin Client - Java-based client for CC-SG useable by both normal access users and administrators. It is the only client that permits administration.
Ghosted Ports - when managing Paragon devices, a ghosted port can occur when a CIM or target server is removed from the system or powered off (manually or accidentally). See Raritan's Paragon II User Guide.

Hostname - can be used if DNS server support is enabled. See About Network Setup (on page 211). The hostname and its Fully-Qualified Domain Name (FQDN = Hostname + Suffix) cannot exceed 257 characters.
Node Groups - a defined group of nodes that are accessible to a user. Node groups are used when creating a policy to control access to the nodes in the group.

Ports - connection points between a Raritan device and a node. Ports exist only on Raritan devices, and they identify a pathway from that device to a node.

SASL (Simple Authentication and Security Layer) - method for adding authentication support to connection-based protocols.
Chapter 2 Accessing CC-SG

You can access CC-SG in several ways:
• Browser: CC-SG supports numerous web browsers (for a complete list of supported browsers, see the Compatibility Matrix on the Raritan Support website).
• Thick Client: You can install a Java Web Start thick client on your client computer. The thick client functions exactly like the browser-based client.
• SSH: Remote devices connected via the serial port can be accessed using SSH.
JRE Incompatibility

If you do not have the minimum required version of JRE installed on your client computer, you will see a warning message before you can access the CC-SG Admin Client. The JRE Incompatibility Warning window opens when CC-SG cannot find the required JRE file on your client computer.
5. To check the setting in CC-SG: Choose Administration > Security. In the Encryption tab, look at the Browser Connection Protocol option.
   If the HTTPS/SSL option is selected, then you must select the Secure Socket Layer SSL checkbox in the thick client's IP address specification window.
   If the HTTP option is selected, deselect the Secure Socket Layer SSL checkbox in the thick client's IP address specification window.
6. Click Start.
CC-SG Admin Client

Upon valid login, the CC-SG Admin Client appears.
• Nodes tab: Click the Nodes tab to display all known target nodes in a tree view. Click a node to view the Node Profile. Interfaces are grouped under their parent nodes. Click the + and - signs to expand or collapse the tree. Right-click an interface and select Connect to connect to that interface. You can sort the nodes by Node Name (alphabetically) or Node Status (Available, Busy, Unavailable).
Chapter 3 Getting Started

Upon the first login to CC-SG, you should confirm the IP address, set the CC-SG server time, and check the firmware and application versions installed. You may need to upgrade the firmware and applications. Once you have completed your initial configurations, proceed to Guided Setup. See Configuring CC-SG with Guided Setup (on page 13).

In This Chapter
Confirming IP Address
Setting CC-SG Server Time
Date - click the drop-down arrow to select the Month, use the up and down arrows to select the Year, and then click the Day in the calendar area.
Time - use the up and down arrows to set the Hour, Minutes, and Seconds, and then click the Time zone drop-down arrow to select the time zone in which you are operating CC-SG.
a.
2. Select an Application name from the list. Note the number in the Version field. Some applications do not automatically show a version number.

To upgrade an application:

If the application version is not current, you must upgrade the application. You can download the application upgrade file from the Raritan website. For a complete list of supported application versions, see the Compatibility Matrix on the Raritan Support website.
Chapter 4 Configuring CC-SG with Guided Setup

Guided Setup offers a simple way to complete initial CC-SG configuration tasks once the network configuration is complete. The Guided Setup interface leads you through the process of defining Associations, discovering and adding devices to CC-SG, creating device groups and node groups, creating user groups, assigning policies and privileges to user groups, and adding users.
Associations in Guided Setup

Create Categories and Elements

To create categories and elements in Guided Setup:
1. In the Guided Setup window, click Associations, and then click Create Categories in the left panel to open the Create Categories panel.
2. In the Category Name field, type the name of a category into which you want to organize your equipment, such as “Location.”
3.
Discover and Add Devices

The Discover Devices panel opens when you click Continue at the end of the Associations task. You can also click Device Setup, and then click Discover Devices in the Guided Tasks tree view in the left panel to open the Discover Devices panel.

To discover and add devices in Guided Setup:
1. Type the IP address range in which you want to search for devices in the From address and To address fields.
2.
14. If you are manually adding a PowerStrip device, click the Number of ports drop-down arrow and select the number of outlets the PowerStrip contains.
15. If you are adding an IPMI Server, type an Interval, used to check for availability, and an Authentication Method, which needs to match what has been configured on the IPMI Server, in the corresponding fields.
16.
3. There are two ways to add devices to a group, Select Devices and Describe Devices. The Select Devices tab allows you to select which devices you want to assign to the group by selecting them from the list of available devices. The Describe Devices tab allows you to specify rules that describe devices, and the devices whose parameters follow those rules will be added to the group.

Select Devices
a.
Select Nodes
a. Click the Select Nodes tab in the Node Group: New panel.
b. In the Available list, select the node you want to add to the group, and then click Add to move the node into the Selected list. Nodes in the Selected list will be added to the group.
c. To remove a node from the group, select the node name in the Selected list and click Remove.
d. You can search for a node in either the Available or Selected list.
Add User Groups and Users

The Add User Group panel opens when you click Continue at the end of the Create Groups task. You can also click User Management, and then click Add User Group in the Guided Tasks tree view in the left panel to open the Add User Group panel.

To add user groups and users in Guided Setup:
1. In the User Group Name field, type a name for the user group you want to create. User group names can contain up to 64 characters.
2.
13. Select the Login Enabled checkbox if you want the user to be able to log in to CC-SG.
14. Select the Remote Authentication checkbox only if you want the user to be authenticated by an outside server, such as TACACS+, RADIUS, LDAP, or AD. If you are using remote authentication, a password is not required. The New Password and Retype New Password fields will be disabled when Remote Authentication is checked.
15.
Chapter 5 Associations, Categories, and Elements

In This Chapter
About Associations
Adding, Editing, and Deleting Categories and Elements
Adding Categories and Elements with CSV File Import

About Associations

You can set up Associations to help organize the equipment that CC-SG manages.
Policies also use categories and elements to control user access to servers. For example, the category/element pair Location/America can be used to create a Policy to control user access to servers in America. See Policies for Access Control (on page 149).

You can assign more than one element of a category to a node or device via CSV file import.
Select String if the value is read as text. Select Integer if the value is a number.
5. In the Applicable For field, select whether this category applies to: Devices, Nodes, or Device and Nodes.
6. Click OK to create the new category. The new category name appears in the Category Name field.

Delete a Category

Deleting a category deletes all of the elements created within that category.
Categories and Elements CSV File Requirements

The categories and elements CSV file defines the categories, their associated elements, their type, and whether they apply to devices, nodes or both.
• All CATEGORY and CATEGORYELEMENT records are related. A CATEGORY record must have one or more CATEGORYELEMENT records.
• CATEGORYELEMENT records can be present without a corresponding CATEGORY record if that CATEGORY already exists in CC-SG.
Sample Categories and Elements CSV File

ADD, CATEGORY, OS, String, Node
ADD, CATEGORYELEMENT, OS, UNIX
ADD, CATEGORYELEMENT, OS, WINDOWS
ADD, CATEGORYELEMENT, OS, LINUX
ADD, CATEGORY, Location, String, Device
ADD, CATEGORYELEMENT, Location, Aisle 1
ADD, CATEGORYELEMENT, Location, Aisle 2
ADD, CATEGORYELEMENT, Location, Aisle 3

Import Categories and Elements

Once you've created the CSV file, validate it to check for errors then import it.
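An offline pre-import check for the categories and elements CSV format described above, added here as an example (it is not Raritan's code and does not replace CC-SG's own validation step). Assumptions: the function name, the '#' comment prefix, case-insensitive tags, and that the caller supplies the names of categories already defined in CC-SG.

```python
import csv
import io

VALID_TYPES = {"string", "integer"}  # category types the guide names


def _is_int(value):
    try:
        int(value)
        return True
    except ValueError:
        return False


def validate_categories_csv(text, existing_categories=()):
    """Return sorted [(line_number, message), ...]; an empty list means clean.

    existing_categories: names already defined in CC-SG, supplied by the
    caller (an assumption of this example).
    """
    problems = []
    declared = {}      # category name -> (line, lowercased type)
    element_refs = []  # (line, category name, element value)
    known = set(existing_categories)

    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        line = reader.line_num
        fields = [f.strip() for f in row]
        # Assumption: comment lines start with '#'; the guide does not show one.
        if not any(fields) or fields[0].startswith("#"):
            continue
        if fields[0].upper() != "ADD":
            problems.append((line, "command is not ADD"))
            continue
        tag = fields[1].upper() if len(fields) > 1 else ""
        if tag == "CATEGORY":
            if len(fields) != 5 or not all(fields[2:]):
                problems.append((line, "CATEGORY needs name, type, applies-to"))
                continue
            name, ctype = fields[2], fields[3].lower()
            if ctype not in VALID_TYPES:
                problems.append((line, "type must be String or Integer"))
            if name in declared:
                problems.append((line, "category declared twice"))
            declared.setdefault(name, (line, ctype))
        elif tag == "CATEGORYELEMENT":
            if len(fields) != 4 or not all(fields[2:]):
                problems.append((line, "CATEGORYELEMENT needs category, element"))
                continue
            element_refs.append((line, fields[2], fields[3]))
        else:
            problems.append((line, "unknown tag"))

    # Cross-record rules: every element needs a category that is declared in
    # the file or already exists, and every declared category needs an element.
    have_elements = set()
    for line, cat, value in element_refs:
        if cat in declared:
            have_elements.add(cat)
            if declared[cat][1] == "integer" and not _is_int(value):
                problems.append((line, "element is not an integer"))
        elif cat not in known:
            problems.append((line, "element refers to an undefined category"))
    for name, (line, _) in declared.items():
        if name not in have_elements:
            problems.append((line, "category has no CATEGORYELEMENT record"))
    return sorted(problems)


# The sample file from the guide.
PAGE_SAMPLE = """\
ADD, CATEGORY, OS, String, Node
ADD, CATEGORYELEMENT, OS, UNIX
ADD, CATEGORYELEMENT, OS, WINDOWS
ADD, CATEGORYELEMENT, OS, LINUX
ADD, CATEGORY, Location, String, Device
ADD, CATEGORYELEMENT, Location, Aisle 1
ADD, CATEGORYELEMENT, Location, Aisle 2
ADD, CATEGORYELEMENT, Location, Aisle 3
"""

# Constructed for this example: three deliberate mistakes (lines 3, 4, 5).
BAD_SAMPLE = """\
ADD, CATEGORY, Rack, Integer, Device
ADD, CATEGORYELEMENT, Rack, 12
ADD, CATEGORYELEMENT, Rack, twelve
ADD, CATEGORY, Owner, String, Node
ADD, CATEGORYELEMENT, Site, Berlin
ADD, CATEGORYELEMENT, Location, Aisle 4
"""

if __name__ == "__main__":
    for line, message in validate_categories_csv(BAD_SAMPLE, ["Location"]):
        print(f"line {line}: {message}")
```

Because policies use category/element pairs to control access, catching a misspelled category before import avoids nodes or devices silently falling outside the policy they were meant to match.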
Export Categories and Elements

The export file contains comments at the top that describe each item in the file. The comments can be used as instructions for creating a file for importing.

To export categories and elements:
1. Choose Administration > Export > Export Categories.
2. Click Export to File.
3. Type a name for the file and choose the location where you want to save it.
4. Click Save.
Chapter 6 Devices, Device Groups, and Ports

To add Raritan PowerStrip Devices that are connected to other Raritan devices to CC-SG, see Managed PowerStrips (on page 69).

Note: To configure iLO/RILOE devices, IPMI devices, Dell DRAC devices, IBM RSA devices, or other non-Raritan devices, use the Add Node menu and add these items as an interface. See Nodes, Node Groups, and Interfaces (on page 77).

In This Chapter
Viewing Devices
Viewing Devices

The Devices Tab

Click the Devices tab to display all devices under CC-SG management. Each device's configured ports are nested under the devices they belong to. Devices with configured ports appear in the list with a + symbol. Click the + or - to expand or collapse the list of ports.

Device and Port Icons

For easier identification, KVM, Serial, and Power devices and ports have different icons in the Devices tree.
Icon Meaning
Serial port unavailable
Ghosted port (See Raritan's Paragon II User Guide for details on Ghosting Mode.)
Device paused
Device unavailable
Power strip
Outlet port
Blade chassis available
Blade chassis unavailable
Blade server available
Blade server unavailable

Port Sorting Options

Configured ports are nested under their parent devices in the Devices tab. You can change the way ports are sorted.
Note: For blade servers without an integrated KVM switch, such as HP BladeSystem servers, their parent device is the virtual blade chassis that CC-SG creates, not the KX2 device. These servers will be sorted only within the virtual blade chassis device so they will not appear in order with the other KX2 ports unless you restore these blade servers ports to normal KX2 ports. See Restore Blade Servers Ports to Normal KX2 Ports (on page 47).
The Device Profile includes tabs that contain information about the device.

Associations tab

The Associations tab contains all categories and elements assigned to the node. You can change the associations by making different selections. See Associations, Categories, and Elements (on page 21).
2. Choose Devices > Device Manager > Topology View. The Topology View for the selected device appears. Click + or - to expand or collapse the view.

Right Click Options in the Devices Tab

You can right-click a device or port in the Devices tab to display a menu of commands available for the selected device or port.

Searching for Devices

The Devices tab provides the ability to search for devices within the tree.
Discovering Devices

Discover Devices initiates a search for all devices on your network. After discovering the devices, you may add them to CC-SG if they are not already managed.

To discover devices:
1. Choose Devices > Discover Devices.
2. Type the range of IP addresses where you expect to find the devices in the From Address and To Address fields. The To Address should be larger than the From Address. Specify a mask to apply to the range.
Adding a Device

Devices must be added to CC-SG before you can configure ports or add interfaces that provide access to the nodes connected to ports. The Add Device screen is used to add devices whose properties you know and can provide to CC-SG. To search for devices to add, use the Discover Devices option. See Discovering Devices (on page 33).
6. Type the time (in seconds) that should elapse before timeout between the new device and CC-SG in the Heartbeat timeout (sec) field.
7. When adding a Dominion SX or Dominion KX2 version 2.2 or later device, the Allow Direct Device Access checkbox enables access to targets directly through the device even while it is under CC-SG management.
8. Type a short description of this device in the Description field. Optional.
9.
14. If the firmware version of the device is not compatible with CC-SG, a message appears. Click Yes to add the device to CC-SG. You can upgrade the device firmware after adding it to CC-SG. See Upgrading a Device (on page 59).

Add a PowerStrip Device

The process of adding a PowerStrip Device to CC-SG varies, based on which Raritan device the powerstrip is connected to physically. See Managed PowerStrips (on page 69).
If you do not see the Category or Element values you want to use, you can add others. See Associations, Categories, and Elements (on page 21).
8. When you are done configuring this device, click Apply to add this device and open a new blank Add Device screen that allows you to continue adding devices, or click OK to add this device without continuing to a new Add Device screen.
Adding Notes to a Device Profile

You can use the Notes tab to add notes about a device for other users to read. All notes display in the tab with the date, username, and IP address of the user who added the note. If you have the Device, Port, and Node Management privilege, you can clear all notes that display in the Notes tab.

To add notes to the device profile:
1. Select a device in the Devices tab. The Device Profile page opens.
2. Click the Notes tab.
3.
Deleting a Device

You can delete a device to remove it from CC-SG management.

Important: Deleting a device will remove all ports configured for that device. All interfaces associated with those ports will be removed from the nodes. If no other interface exists for these nodes, the nodes will also be removed from CC-SG.

To delete a device:
1. Click the Devices tab and select the device you want to delete.
2. Choose Devices > Device Manager > Delete Device.
3.
6. Click the Access Application drop-down menu and select the application you want to use when you connect to this port from the list. To allow CC-SG to automatically select the correct application based on your browser, select Auto-Detect.
7. Click OK to add the port.

Configure a KVM Port

To configure a KVM port:
1. Click the Devices tab and select a KVM device.
2. Choose Devices > Port Manager > Configure Ports.
Editing a Port

You can edit ports to change various parameters, such as port name, access application, and serial port settings. The changes you can make vary, based on port type and device type.

Note: You can also edit Dominion KX2 port settings by using Launch Admin and using the KX2's web interface.

To edit a KVM or serial port name or access application:

Some ports support only one access application, so you cannot change the access application preference.
Deleting a Port

Delete a port to remove the port entry from a Device. When a port is down, the information in the Port Profile screen is read-only. You can delete a port that is down.

Important: If you delete a port that is associated with a node, the associated out-of-band KVM or Serial interface provided by the port will be removed from the node. If the node has no other interfaces, the node will also be removed from CC-SG.

To delete a port:
1.
Blade Chassis without an Integrated KVM Switch

A blade chassis without an integrated KVM switch, such as HP BladeSystem series, allows each blade server to connect to KX2 respectively via a CIM. As each blade server in that chassis has a CIM for access, when a user accesses one blade server, others still can access the other blade servers. When configuring all KX2 ports in CC-SG, the blade servers connected to the KX2 device are configured.
3. CC-SG automatically creates a virtual blade chassis and adds the blade chassis icon in one tab. Note that a virtual blade chassis never appears as a node in the Nodes tab. In the Devices tab, the virtual blade chassis device appears beneath the KX2 device, as a virtual container to the blade servers, which appear beneath the virtual blade chassis.
To configure slots using the Configure Blades command:
1. In the Devices tab, click the + next to the KX2 device that is connected to the blade chassis device.
2. Select the blade chassis device whose slots you want to configure.
3. Choose Nodes > Configure Blades.
   To configure multiple slots with the default names shown in the screen, select the checkbox for each slot you want to configure, and then click OK to configure each slot with the default name.
Deleting Slots on a Blade Chassis Device

You can delete unused blade servers or slots so they do not appear in the Devices and Nodes tabs.

To delete a slot from the Delete Ports screen:
1. In the Devices tab, click the + next to the KX2 device that is connected to the blade chassis device.
2. Select the blade chassis device whose slots you want to delete.
3. Choose Devices > Port Manager > Delete Ports.
4.
Delete a Blade Chassis Device

You can delete a blade chassis device connected to a KX2 device from CC-SG. When you delete the blade chassis device from the KX2 device, the blade chassis device and all configured blade servers or slots disappear from the Devices tab as well as from the Nodes tab.

To delete a blade chassis device:
1. Click the Devices tab and select a KX2 device whose blade chassis device you want to delete.
2.
2. Change the blade port group for these blade servers to a non-blade port group.
   a. In CC-SG, choose Devices > Device Manager > Launch Admin. The KX2 Admin Client opens.
   b. Click Port Group Management.
   c. Click the blade port group whose group property you want to change.
   d. Deselect the Blade Server Group checkbox.
   e. Click OK.
   f. Exit the KX2 Admin Client.
3. The virtual blade chassis disappears in the Devices tab.
7. In the Location and Contacts tab, select the checkbox for the information you want to copy:
   Select the Copy Location Information checkbox to copy the location information displayed in the Location section.
   Select the Copy Contact Information checkbox to copy the contact information displayed in the Contacts section.
   You may change, add or delete any data in these tabs.
• If the group was formed based on common attributes, the Describe Devices tab will appear, showing the rules that govern selection of the devices for the group.

To search for a device in the device group list, type a string in the Search field at the bottom of the list, and then click Search. The method of searching is configured through the My Profile screen. See Users and User Groups (on page 129).
3. Select the Create Full Access Policy for Group checkbox to create a policy for this device group that allows access to all devices in the group at all times with control permission.
4. To add another device group, click Apply to save this group, then repeat these steps. Optional.
5. If you have finished adding device groups, click OK to save your changes.

To add a device group with the Describe Devices option:
1.
& - the AND operator. A node must satisfy rules on both sides of this operator for the description (or that section of a description) to be evaluated as true.
| - the OR operator. A device needs to satisfy only one rule on either side of this operator for the description (or that section of a description) to be evaluated as true.
( and ) - grouping operators. This breaks the description into a subsection contained within the parentheses.
7. Click View Devices to see what nodes satisfy this expression. A Devices in Device Group Results window opens, displaying the devices that will be grouped by the current expression. This can be used to check if the description was correctly written. If not, you can return to the rules table or the Short Expression field to make adjustments.
8.
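The &, | and parenthesis operators described above, worked through in an added example (not Raritan's code): it previews which devices a description would place in a group, which matters when the group also gets a full access policy. Assumptions: the rule labels (Rule0, Rule1, Rule2), the "Function" category and the device inventory are constructed, each rule is a category/element equality test, and a description that mixes & and | without parentheses is rejected instead of guessing a precedence.

```python
import re

TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|()]))")
OPERATORS = ("&", "|")


def tokenize(expr):
    """Split a description into rule names, operators and parentheses."""
    tokens, pos = [], 0
    expr = expr.rstrip()
    while pos < len(expr):
        match = TOKEN.match(expr, pos)
        if not match:
            raise ValueError(f"unexpected character at position {pos}")
        tokens.append(match.group(1) or match.group(2))
        pos = match.end()
    return tokens


def parse(tokens):
    """Build a nested-tuple tree from the token list."""
    pos = 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("expression ends unexpectedly")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = group()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return node
        if tok in OPERATORS or tok == ")":
            raise ValueError(f"unexpected {tok!r}")
        return ("rule", tok)

    def group():
        nonlocal pos
        node, seen = term(), None
        while pos < len(tokens) and tokens[pos] in OPERATORS:
            op = tokens[pos]
            if seen and op != seen:
                # Do not guess which operator binds tighter.
                raise ValueError("mixing & and | needs parentheses")
            seen = op
            pos += 1
            node = (op, node, term())
        return node

    tree = group()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return tree


def evaluate(tree, associations, rules):
    """True if one device's category/element associations satisfy the tree."""
    if tree[0] == "rule":
        if tree[1] not in rules:
            raise ValueError(f"undefined rule {tree[1]!r}")
        category, element = rules[tree[1]]
        return associations.get(category) == element
    left = evaluate(tree[1], associations, rules)
    right = evaluate(tree[2], associations, rules)
    return (left and right) if tree[0] == "&" else (left or right)


def preview_group(expr, rules, devices):
    """Return the sorted names of devices the description would select."""
    tree = parse(tokenize(expr))
    return sorted(n for n, assoc in devices.items() if evaluate(tree, assoc, rules))


# Constructed sample data: rule labels, categories and device names are
# hypothetical and stand in for the rules table and the device list.
RULES = {
    "Rule0": ("Location", "America"),
    "Rule1": ("Function", "Production"),
    "Rule2": ("Location", "Europe"),
}
DEVICES = {
    "kx2-lab": {"Location": "America", "Function": "Lab"},
    "kx2-prod": {"Location": "America", "Function": "Production"},
    "sx-lab": {"Location": "Europe", "Function": "Lab"},
    "sx-prod": {"Location": "Europe", "Function": "Production"},
}

if __name__ == "__main__":
    for description in ("Rule0 & Rule1", "Rule0 | Rule1", "(Rule0 | Rule2) & Rule1"):
        print(description, "->", preview_group(description, RULES, DEVICES))
```

Swapping & for | in the first description grows the group from one device to three, the kind of difference the View Devices check in step 7 is there to catch.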
Delete a Device Group

To delete a device group:
1. Choose Associations > Device Groups. The Device Groups Manager window opens.
2. Existing device groups appear in the left panel. Select the device group you want to delete. The Device Group Details panel appears.
3. Choose Groups > Delete.
4. The Delete Device Group panel appears. Click Delete.
5. Click Yes in the confirmation message that appears.
Devices CSV File Requirements

The devices CSV file defines the devices, ports, and their details required to add them to CC-SG.
• For devices that support power strips connected to a port (SX, KX, KX2, KSX2), configuring the port will configure the power strip.
• If device ports are configured, CC-SG also adds a node with out-of-band KVM or out-of-band Serial interface for each port.
Column number | Tag or value | Details
9 | TCP Port | Default is configured in the Admin Client in Administration > Configuration > Device Settings tab.
10 | Configure All Ports | TRUE or FALSE. Default is TRUE for Dominion PX devices. Default is FALSE for all other device types. When set to TRUE, all ports are configured and nodes with the appropriate out-of-band interface are created.
Column number | Tag or value | Details
 | | Use "OUTLET" for configuring outlets on a PX device.
5 | Port or Outlet Number | Required field.
6 | Port or Outlet Name | Optional. If left blank, a default name or the name already assigned at the device level will be used.
7 | Node Name | For KVM and Serial ports, enter a name for the node that is created when this port is configured.
Column number | Tag or value | Details
2 | DEVICECATEGORYELEMENT | Enter the tag as shown.
3 | Device Name | Required field.
4 | Category Name | Required field.
5 | Element Name | Required field.
Tags are not case sensitive.
Sample Devices CSV File
ADD, DEVICE, DOMINION KX2, Lab-Test,192.168.50.
5. Check the Actions area to see the import results. Items that imported successfully show in green text. Items that failed import show in red text. Items that failed import because a duplicate item already exists or was already imported also show in red text.
6. To view more import results details, check the Audit Trail report. See Audit Trail Entries for Importing (on page 334).
5. A message appears. Click Yes to restart the device. A message appears when the device has been upgraded.
6. To ensure that your browser loads all upgraded files, close your browser window, and then log in to CC-SG in a new browser window.
Backing Up a Device Configuration
You can back up all user configuration and system configuration files for a selected device.
Restoring Device Configurations
The following device types allow you to restore a full backup of the device configuration.
• KX
• KSX
• KX101
• SX
• IP-Reach
KX2, KSX2, and KX2-101 devices allow you to choose which components of a backup you want to restore to the device.
Restore All Configuration Data Except Network Settings to a KX2, KSX2, or KX2-101 Device
The Protected restore option allows you to restore all configuration data in a backup file, except network settings, to a KX2, KSX2, or KX2-101 device. You can use the Protected option to restore a backup of one device to another device of the same model (KX2, KSX2, and KX2-101 only).
Restore All Configuration Data to a KX2, KSX2, or KX2-101 Device
The Full restore option allows you to restore all configuration data in a backup file to a KX2, KSX2, or KX2-101 device.
To restore all configuration data to a KX2, KSX2, or KX2-101 device:
1. Click the Devices tab and select the device you want to restore to a backup configuration.
2. Choose Devices > Device Manager > Configuration > Restore.
3.
3. Click Upload. Navigate to and select the device backup file. The file type is .rfp. Click Open. The device backup file uploads to CC-SG and appears in the page.
Copying Device Configuration
The following device types allow you to copy configurations from one device to one or more other devices.
• SX
• KX2
• KSX2
• KX2-101
Configuration can be copied only between the same models with the same number of ports.
Restarting a Device
Use the Restart Device function to restart a device.
To restart a device:
1. Click the Devices tab and select the device you want to restart.
2. Choose Devices > Device Manager > Restart Device.
3. Click OK to restart the device.
4. Click Yes to confirm that all users accessing the device will be logged off.
Pinging the Device
You can ping a device to determine if the device is available in your network.
To ping a device:
1.
2. Choose Devices > Device Manager > Resume Management. The device icon in the Device Tree will indicate the device's active state.
Device Power Manager
Use the Device Power Manager to view the status of a PowerStrip device (including voltage, current, and temperature) and to manage all power outlets on the PowerStrip device. Device Power Manager provides a PowerStrip-centric view of its outlets.
Disconnecting Users
Administrators can terminate any user's session on a device. This includes users who are performing any kind of operation on a device, such as connecting to ports, backing up the configuration of a device, restoring a device's configuration, or upgrading the firmware of a device. Firmware upgrades and device configuration backups and restores are allowed to complete before the user's session with the device is terminated.
IP-Reach and UST-IP Administration
You can perform administrative diagnostics on IP-Reach and UST-IP devices connected to your Paragon System setup directly from the CC-SG interface. After adding the Paragon System device to CC-SG, it appears in the Devices tree.
To access Remote User Station Administration:
1. Click the Devices tab, and then select the Paragon II System Controller.
2. Choose Devices > Device Manager > Launch User Station Admin.
Chapter 7 Managed Powerstrips
There are three ways to configure power control using powerstrips in CC-SG.
1. All supported Raritan-brand powerstrips can be connected to another Raritan device and added to CC-SG as a Powerstrip device. Raritan-brand powerstrips include Dominion PX and RPC powerstrips. Check the Compatibility Matrix for supported versions. To configure this type of managed powerstrip in CC-SG, you must know to which Raritan device the powerstrip is physically connected.
Configuring Powerstrips that are Managed by Another Device in CC-SG
In CC-SG, managed powerstrips can be connected to one of the following devices:
• Dominion KX
• Dominion KX2
• Dominion KX2-101
• Dominion SX 3.0
• Dominion SX 3.
Configuring PowerStrips Connected to KX, KX2, KX2-101, KSX2, and P2SC
CC-SG automatically detects PowerStrips connected to KX, KX2, KX2-101, KSX2, and P2SC devices. You can perform the following tasks in CC-SG to configure and manage PowerStrips connected to these devices.
Delete a PowerStrip Connected to a KX, KX2, KX2-101, KSX2, or P2SC Device
You cannot delete a PowerStrip connected to a KX, KX2, KX2-101, KSX2, or P2SC device from CC-SG. You must physically disconnect the PowerStrip from the device to delete the PowerStrip from CC-SG. When you physically disconnect the PowerStrip from the device, the PowerStrip and all configured outlets disappear from the Devices tab.
Configuring PowerStrips Connected to SX 3.
10. For each Category listed, click the Element drop-down menu and select the element you want to apply to the device. Select the blank item in the Element field for each Category you do not want to use. See Associations, Categories, and Elements (on page 21). Optional.
11.
Configuring Powerstrips Connected to SX 3.1
You can perform the following tasks in CC-SG to configure and manage Powerstrips connected to SX 3.1 devices.
• Add a Powerstrip Connected to an SX 3.1 Device (on page 74)
• Move an SX 3.1's Powerstrip to a Different Port (on page 75)
• Delete a Powerstrip Connected to an SX 3.1 Device (on page 75)
Add a Powerstrip Connected to an SX 3.1 Device
The procedure for adding a powerstrip connected to an SX 3.
Move an SX 3.1's Powerstrip to a Different Port
When you physically move a Powerstrip from one SX 3.1 device or port to another SX 3.1 device or port, you must delete the Powerstrip from the old SX 3.1 port and add it to the new SX 3.1 port. See Delete a Powerstrip Connected to an SX 3.1 Device (on page 75) and Add a Powerstrip Device Connected to an SX 3.1 Device (see "Add a Powerstrip Connected to an SX 3.1 Device" on page 74).
Delete a PowerStrip Connected to an SX 3.
3. Choose Devices > Port Manager > Configure Ports.
To configure multiple outlets with the default names shown in the screen, select the checkbox for each outlet you want to configure, and then click OK to configure each outlet with the default name.
To configure each outlet individually, click the Configure button next to the outlet, and then type a name for the outlet in the Port name field. Click OK to configure the port.
To delete an outlet:
1.
Chapter 8 Nodes, Node Groups, and Interfaces
This section covers how to view, configure, and edit nodes and their associated interfaces, and how to create node groups. Connecting to nodes is covered briefly. See Raritan's CommandCenter Secure Gateway User Guide for details on connecting to nodes.
In This Chapter
Nodes and Interfaces Overview
Viewing Nodes
Node Names
Node names must be unique. CC-SG will prompt you with options if you attempt to manually add a node with an existing node name. When CC-SG automatically adds nodes, a numbering system ensures that node names are unique. See Naming Conventions (on page 353) for details on CC-SG's rules for name lengths.
About Interfaces
In CC-SG, nodes are accessed through interfaces. You must add at least one interface to each new node.
Node Profile
Click a Node in the Nodes tab to open the Node Profile page. The Node Profile page includes tabs that contain information about the node.
Interfaces tab
The Interfaces tab contains all the node's interfaces. You can add, edit, and delete interfaces on this tab, and select the default interface. Nodes that support virtual media include an additional column that shows whether virtual media is enabled or disabled.
Associations tab
The Associations tab contains all categories and elements assigned to the node. You can change the associations by making different selections.
Control system server nodes, such as VMware's Virtual Center, include the Control System Data tab. The Control System Data tab contains information from the control system server that is refreshed when the tab opens. You can access a topology view of the virtual infrastructure, link to associated node profiles, or connect to the control system and open the Summary tab.
Service Accounts
Service Accounts Overview
Service accounts are special login credentials that you can assign to multiple interfaces. You can save time by assigning a service account to a set of interfaces that often require a password change. You can update the login credentials in the service account, and the change is reflected in every interface that uses the service account.
Add, Edit, and Delete Service Accounts
To add a service account:
1. Choose Nodes > Service Accounts. The Service Accounts page opens.
2. Click the Add Row icon to add a row to the table.
3. Enter a name for this service account in the Service Account Name field.
4. Enter the username in the Username field.
5. Enter the password in the Password field.
6. Re-type the password in the Retype Password field.
7.
2. Find the service account whose password you want to change.
3. Enter the new password in the Password field.
4. Re-type the password in the Retype Password field.
5. Click OK.
Note: CC-SG updates all interfaces that use the service account to use the new login credentials when you change the username or password.
Assign Service Accounts to Interfaces
You can assign a service account to multiple interfaces.
Adding, Editing, and Deleting Nodes
Add a Node
To add a node to CC-SG:
1. Click the Nodes tab.
2. Choose Nodes > Add Node.
3. Type a name for the node in the Node Name field. All node names in CC-SG must be unique. See Naming Conventions (on page 353) for details on CC-SG's rules for name lengths.
4. Type a short description for this node in the Description field. Optional.
5. You must configure at least one interface.
Nodes Created by Configuring Ports
When you configure the ports of a device, a node is created automatically for each port. An interface is also created for each node. When a node is automatically created, it is given the same name as the port to which it is associated. If this node name already exists, an extension is added to the node name. For example, Channel1(1). The extension is the number in parentheses.
Adding Location and Contacts to a Node Profile
Enter details about the location of the node, and contact information for the people who administer or use the node.
To add location and contacts to a node profile:
1. Select a node in the Nodes tab. The Node Profile page opens.
2. Click the Location & Contacts tab.
3. Enter Location information.
• Department: Maximum 64 characters.
• Site: Maximum 64 characters.
• Location: Maximum 128 characters.
4.
Configuring the Virtual Infrastructure in CC-SG
Terminology for Virtual Infrastructure
CC-SG uses the following terminology for virtual infrastructure components.
Term | Definition | Example
Control System | The Control System is the managing server. The Control System manages one or more Virtual Hosts. | VMware's Virtual Center
Virtual Host | The Virtual Host is the physical hardware that contains one or more Virtual Machines.
Virtual Nodes Overview
You can configure your virtual infrastructure for access in CC-SG. The Virtualization page offers two wizard tools, Add Control System wizard and Add Virtual Host wizard, that help you add control systems, virtual hosts, and their virtual machines properly. Once you complete the configuration, all control systems, virtual hosts, and virtual machines are available for access as nodes in CC-SG.
Enter a Username and Password for authentication. Maximum 64 characters each.
8. To allow users who access this control system to automatically log into the VI Client interface, select the Enable Single Sign On For VI Client checkbox. Optional.
9. Click Next. CC-SG discovers the control system's virtual hosts and virtual machines. Click the column header to sort the table by that attribute in ascending order.
Leave these fields blank if you prefer to add names and login credentials to each interface individually. The interface will take the name of the node if the field is left blank.
a. Enter names for interfaces. Maximum 32 characters.
• Virtual Host VI Client Interfaces
• VMware Viewer Interfaces
• Virtual Power Interfaces
• RDP, VNC, and SSH Interfaces, if specified
b. Enter login credentials, if needed.
4. Click Add Virtual Host.
5. Hostname/IP Address: Enter the IP Address or hostname of the virtual host. Maximum 64 characters.
6. Connection Protocol: Specify HTTP or HTTPS communications between the virtual host and CC-SG.
7. TCP Port: Enter the TCP port. The default port is 443.
8. Check Interval (seconds): Enter the time in seconds that should elapse before timeout between the virtual host and CC-SG.
9.
Use Ctrl+click or Shift+click to select multiple virtual machines that you want to add. In the Check/Uncheck Selected Rows section, select the Virtual Machine checkbox. To add a VNC, RDP, or SSH interface to the virtual host nodes and virtual machine nodes that will be created, select the VNC, RDP or SSH checkboxes in the Check/Uncheck Selected Rows section. Optional. Click Check.
13. Click Next.
One node for each virtual host. Each virtual host node has a VI Client interface. Virtual host nodes are named with their IP addresses or host names.
Edit Control Systems, Virtual Hosts, and Virtual Machines
You can edit the control systems, virtual hosts, and virtual machines configured in CC-SG to change their properties. You can delete virtual machine nodes from CC-SG by deselecting the Configure checkbox for the virtual machine.
10. For each interface type, enter a name and login credentials. The name and login credentials will be shared by all the interfaces added to each virtual machine node and virtual host node configured. Optional. You can leave these fields blank if you prefer to add names and login credentials to each interface individually.
a. Enter names for interfaces (maximum 32 characters).
Delete a Virtual Machine Node
There are two ways to delete virtual machine nodes:
• Use the Delete Node feature. See Delete a Node (on page 86).
• Deselect the Configure checkbox for the virtual machine. See Edit Control Systems, Virtual Hosts, and Virtual Machines (on page 94).
Delete a Virtual Infrastructure
Follow these steps to delete a whole virtual infrastructure from CC-SG, including the control system, virtual hosts, and virtual machines.
2. In the list of nodes, select the nodes you want to synchronize. Use Ctrl+click to select multiple items.
3. Click Synchronize. If the virtual infrastructure had changed since the last synchronization, the information in CC-SG updates.
The Configured in Secure Gateway column shows the number of virtual machines or hosts that are configured in CC-SG.
The Last Synchronization Date shows the date and time of the synchronization.
3. Click Reboot or Force Reboot.
Accessing the Virtual Topology View
The Topology View is a tree structure that shows the relationships of the control system, virtual hosts, and virtual machines associated with the selected node. You must have the Device, Port, and Node Management privilege to open the topology view.
Open the topology view from the virtual node profile:
1.
Pinging a Node
You can ping a node from CC-SG to make sure that the connection is active.
To ping a node:
1. Click the Nodes tab, and then select the node you want to ping.
2. Choose Nodes > Ping Node. The ping results appear in the screen.
In-Band - VNC: Select this item to create a KVM connection to a node through VNC server software. See Interfaces for In-Band Connections (on page 101).
Out-of-Band Connections:
Out-of-Band - KVM: Select this item to create a KVM connection to a node through a Raritan KVM device (KX, KX101, KSX, IP-Reach, Paragon II).
Out-of-Band - Serial: Select this item to create a serial connection to a node through a Raritan serial device (SX, KSX).
See Web Browser Interface (on page 106).
3. A default name appears in the Name field depending on the type of interface you select. You can change the name. This name appears next to the interface in the Nodes list. See Naming Conventions (on page 353) for details on CC-SG's rules for name lengths.
Interfaces for In-Band Connections
In-band connections include RDP, VNC, SSH, RSA KVM, iLO Processor KVM, DRAC KVM, and TELNET.
Microsoft RDP Connection Details
• If using a Windows XP client, you must have Terminal Server Client 6.0 or higher to connect a Microsoft RDP interface from CC-SG. Update the Terminal Server Client to 6.0 using this link: http://support.microsoft.com/kb/925876.
• Internet Explorer only.
• Targets supported include Vista, Win2008 server, and Windows 7, and all prior Windows releases, including Windows XP and Windows 2003 targets.
Interfaces for DRAC Power Control Connections
To add an interface for DRAC power control connections:
1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field.
2. Type a TCP Port for this connection in the TCP Port field. DRAC 5 only. TCP Port is not required for DRAC 4.
3. Enter authentication information:
To use a service account for authentication, select the Use Service Account Credentials checkbox.
RSA Interface Details
When you create an In-Band RSA KVM or Power interface, CC-SG discards the username and password associated with the interface, and creates two user accounts on the RSA server. This allows you to have simultaneous KVM and power access to the RSA server.
New usernames:
• cc_kvm_user
• cc_power_user
These usernames replace the username you entered when you created the interfaces.
6. Click OK to save your changes.
Note: A Managed Power Strip interface can be added to a blade chassis node, but not to a blade server node.
Interfaces for IPMI Power Control Connections
To add an interface for IPMI power control connections:
1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field.
2. Type a UDP Port number for this interface in the UDP Port field.
3.
If the IT device has not been added to Power IQ yet, accept the default value for the external key or change it, but make sure to use the same value when adding the IT device to Power IQ. You can quickly make a file of all node and interface information by exporting. See Export Nodes (on page 123).
2. Select the Power IQ that manages the IT device in the Managing Device field.
http(s)://www.example.com/cgi/login
http(s)://example.com/home.html
4. Enter authentication information: Optional.
To use a service account for authentication, select the Use Service Account Credentials checkbox. Select the service account to use in the Service Account Name menu.
or
Enter a Username and Password for authentication. Type the username and password that will allow access to this interface.
Example: Adding a Web Browser Interface to a PX Node
A Dominion PX-managed powerstrip can be added to CC-SG as a node. Then you can add a Web Browser Interface that enables users to access the Dominion PX's Web-based administration application to the node.
Use the following values to add a Web Browser Interface for a Dominion PX node:
URL: /auth.
Delete an Interface
You can delete any interface from a node except for these:
• A VMW Viewer interface or a VMW Power interface on a virtual machine node.
• A Web Browser interface on a blade chassis which has an integrated KVM switch and has a URL or IP address assigned to it on the KX2 device.
To delete an interface from a node:
1. Click the Nodes tab.
2. Click the node with the interface you want to delete.
3.
4. A default name for the bookmark appears in the Bookmark Name field. You can change the name, which will appear in your Favorites list in Internet Explorer.
5. Click OK. The Add Favorite window opens.
6. Click OK to add the bookmark to your Favorites list.
To access a bookmarked interface:
1. Open a browser window.
2. Choose the bookmarked interface from the list of bookmarks in the browser.
3.
6. In the Associations tab, select the Copy Node Associations checkbox to copy all categories and elements of the node. You may change, add or delete any data in this tab. The modified data will be copied to multiple nodes in the Selected Nodes list as well as the current node displayed in the Node Name field. Optional.
7.
Adding Nodes with CSV File Import
You can add nodes and interfaces to CC-SG by importing a CSV file that contains the values. You must have the Device, Port, and Node Management and CC Setup and Control privileges to import and export nodes. You must be assigned a policy that gives you access to all relevant devices and nodes. A full access policy for All Nodes and All Devices is recommended.
Nodes CSV File Requirements
The nodes CSV file defines the nodes, interfaces, and their details required to add them to CC-SG.
• Node names must be unique. If you enter duplicate node names, CC-SG adds a number in parentheses to the name to make it unique, and adds the node. If you are also assigning categories and elements to nodes in the CSV file, and you have duplicate node names, categories and elements may be assigned to the wrong nodes.
Column number | Tag or value | Details
3 | Node Name | Enter the same value as entered for Raritan Port Name.
4 | Raritan Device Name | Required field. The device must already be added to CC-SG.
5 | Port Number | Required field.
6 | Blade Slot | If the node is associated with a blade, enter the slot number.
7 | Raritan Port Name | If left blank, CC-SG will use the existing port name from the device.
Column number | Tag or value | Details
9 | Parity | Valid for SX ports only.
10 | Flow Control | Valid for SX ports only.
11 | Description | Optional.
To add an RDP interface to the CSV file:
Column number in CSV file | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
2 | NODE-RDP-INTERFACE | Enter the tag as shown. Tags are not case sensitive.
3 | Node Name | Required field.
4 | Interface Name | Required field.
To add an SSH or TELNET interface to the CSV file:
Column number | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
2 | NODE-SSH-INTERFACE for SSH interfaces; NODE-TELNET-INTERFACE for TELNET interfaces | Enter the tag as shown. Tags are not case sensitive.
3 | Node Name | Required field.
4 | Interface Name | Required field.
5 | IP Address or Hostname | Required field.
6 | TCP Port | Default is 22 for SSH. Default is 23 for TELNET.
Column number | Tag or value | Details
8 | Password | Optional. Leave blank if specifying service account.
9 | Description | Optional.
To add a DRAC KVM, DRAC Power, ILO KVM, ILO Power, Integrity ILO2 Power, or RSA Power interface to the CSV file:
When importing DRAC, ILO and RSA interfaces, you must specify both the KVM interface and the Power interface, or the import will fail.
Column number | Tag or value | Details
 | | account or a username and password. Leave blank if specifying service account.
8 | Password | You must enter either a service account or a username and password. Leave blank if specifying service account.
9 | Description | Optional.
10* | TCP Port | *For NODE-DRAC-POWER-INTERFACE only, specify a TCP port. Default is 22.
To add an IPMI power control interface to the CSV file:
Column number | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
2 | NODE-IPMI-INTERFACE | Enter the tag as shown. Tags are not case sensitive.
3 | Node Name | Required field.
4 | Interface Name | Required field.
5 | IP Address or Hostname | Required field.
6 | UDP Port | Default is 623.
7 | Authentication | MD5, None, OEM, or PASSWORD. Default is PASSWORD.
Column number | Tag or value | Details
 | | power strip is connected to. Required field for all power strips except Dominion PX.
8 | Managing Port | The name of the port on the device that the power strip is connected to. Required field for all power strips except Dominion PX.
9 | Description | Optional.
To add a Web Browser interface to the CSV file:
Column number | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
To add a Power IQ Proxy power control interface to the CSV file:
See Power Control of Power IQ IT Devices (on page 305) for details about configuring this interface type.
Column number | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
2 | NODE-POWER-PIQ-INTERFACE | Enter the tag as shown.
3 | Node Name | Required field.
4 | Interface Name | Required field.
To assign categories and elements to a node to the CSV file:
Categories and elements must already be created in CC-SG. You can assign multiple elements of the same category to a node in the CSV file.
Column number | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
2 | NODE-CATEGORYELEMENT | Enter the tag as shown. Tags are not case sensitive.
3 | Node Name | Required field.
4 | Category Name | Required field.
If the file is not valid, an error message appears. Click OK and look at the Problems area of the page for a description of the problems with the file. Click Save to File to save the problems list. Correct your CSV file and then try to validate it again. See Troubleshoot CSV File Problems (on page 335).
4. Click Import.
5. Check the Actions area to see the import results. Items that imported successfully show in green text.
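The column rules in the nodes CSV tables above can be checked offline before a file is uploaded for validation. The following is an added example, not part of the Raritan guide or of CC-SG: it covers only the columns those tables show for the SSH, TELNET, IPMI, RDP, and category/element tags, and it also flags TELNET interfaces and IPMI interfaces with Authentication set to None for review. The function names, the sample rows, the TELNET tag spelling (written to match the NODE-SSH-INTERFACE pattern), and the case-insensitive handling of ADD and of the Authentication value are assumptions.

```python
import csv
import io

# Column numbers are 1-based, as in the guide's tables. Only columns that the
# tables above actually show are checked; later columns are ignored.
_IFACE_REQUIRED = {3: "Node Name", 4: "Interface Name", 5: "IP Address or Hostname"}
SPECS = {
    "NODE-SSH-INTERFACE": {"required": _IFACE_REQUIRED, "port": (6, "TCP Port", 22)},
    "NODE-TELNET-INTERFACE": {"required": _IFACE_REQUIRED, "port": (6, "TCP Port", 23)},
    "NODE-IPMI-INTERFACE": {"required": _IFACE_REQUIRED, "port": (6, "UDP Port", 623)},
    "NODE-RDP-INTERFACE": {"required": {3: "Node Name", 4: "Interface Name"}},
    "NODE-CATEGORYELEMENT": {"required": {3: "Node Name", 4: "Category Name"}},
}
IPMI_AUTH = {"MD5", "NONE", "OEM", "PASSWORD"}


def cell(row, col):
    """Return the stripped value of 1-based column `col`, or '' if absent."""
    return row[col - 1].strip() if len(row) >= col else ""


def lint_nodes_csv(text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for line_no, row in enumerate(reader, start=1):
        if not any(value.strip() for value in row):
            continue  # skip blank lines
        # Tags are not case sensitive; treating ADD the same way is an assumption.
        if cell(row, 1).upper() != "ADD":
            findings.append((line_no, "ERROR", "column 1 must be the command ADD"))
            continue
        tag = cell(row, 2).upper()
        spec = SPECS.get(tag)
        if spec is None:
            findings.append((line_no, "INFO", f"tag {tag!r} is not covered by this check"))
            continue
        for col, name in spec["required"].items():
            if not cell(row, col):
                findings.append((line_no, "ERROR", f"{tag}: column {col} ({name}) is required"))
        if "port" in spec:
            col, name, default = spec["port"]
            raw = cell(row, col) or str(default)  # blank means the documented default
            if not (raw.isdigit() and 1 <= int(raw) <= 65535):
                findings.append((line_no, "ERROR", f"{tag}: {name} {raw!r} is not a valid port"))
        if tag == "NODE-TELNET-INTERFACE":
            findings.append((line_no, "WARN",
                             "TELNET carries logins in cleartext; use SSH where the node supports it"))
        if tag == "NODE-IPMI-INTERFACE":
            auth = (cell(row, 7) or "PASSWORD").upper()  # PASSWORD is the documented default
            if auth not in IPMI_AUTH:
                findings.append((line_no, "ERROR", f"{tag}: unknown Authentication value {auth!r}"))
            elif auth == "NONE":
                findings.append((line_no, "WARN", "IPMI Authentication is None; confirm this is intended"))
    return findings


# Constructed sample rows (documentation addresses), not taken from the guide.
SAMPLE_CSV = "\n".join([
    "ADD,NODE-SSH-INTERFACE,web01,web01-ssh,192.0.2.10,,",
    "add,node-telnet-interface,sw01,sw01-telnet,192.0.2.20,",
    "ADD,NODE-IPMI-INTERFACE,db01,db01-ipmi,192.0.2.30,,None",
    "ADD,NODE-IPMI-INTERFACE,db02,db02-ipmi,,623,MD5",
    "ADD,NODE-SSH-INTERFACE,app01,app01-ssh,192.0.2.40,70000",
    "ADD,NODE-RDP-INTERFACE,win01,",
])

if __name__ == "__main__":
    for line_no, severity, message in lint_nodes_csv(SAMPLE_CSV):
        print(f"line {line_no}: {severity}: {message}")
```

CC-SG's own Validate step remains the authority on whether a file imports; this check only catches the documented required fields and risky interface choices earlier.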
Adding, Editing, and Deleting Node Groups
Node Groups Overview
Node groups are used to organize nodes into a set. The node group will become the basis for a policy either allowing or denying access to this particular set of nodes. See Adding a Policy (on page 150). Nodes can be grouped manually, using the Select method, or by creating a Boolean expression that describes a set of common attributes, using the Describe method.
2. Choose Groups > New. A template for a node group appears.
3. In the Group Name field, type a name for a node group you want to create. See Naming Conventions (on page 353) for details on CC-SG's rules for name lengths.
4. There are two ways to add nodes to a group, Select Nodes and Describe Nodes. The Select Nodes method allows you to arbitrarily assign nodes to the group by selecting them from the list of available nodes.
4. If you want to create a policy that allows access to the nodes in this group at any time, select the Create Full Access Policy for Group checkbox.
5. When you are done adding nodes to the group, click OK to create the node group. The group will be added to the list of Node Groups on the left.
Describe Nodes
To add a node group with the Describe Nodes option:
1. Click the Select Nodes tab.
2.
4. If you want to add another rule, click the Add New Row icon again, and make the necessary configurations. Configuring multiple rules will allow more precise descriptions by providing multiple criteria for evaluating nodes. To remove a rule, highlight the rule in the table, and then click the Remove Row icon.
5. The table of rules makes available criteria for evaluating nodes.
6. Click Validate when a description has been written in the Short Expression field. If the description is formed incorrectly, a warning appears. If the description is formed correctly, a normalized form of the expression appears in the Normalized Expression field.
7. Click View Nodes to see what nodes satisfy this expression. A Nodes in Node Group window opens, displaying the nodes that will be grouped by the current expression.
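Because a node group becomes the basis for an access policy, it is worth seeing how grouping changes which nodes a description matches. The following is an added example, not CC-SG code: it evaluates a short expression built from the &, | and parenthesis operators over a constructed node list. The rule names (Rule0, Rule1, Rule2), the node attributes, and the precedence used for unparenthesized input (& binds tighter than |) are assumptions; writing the parentheses explicitly removes the dependence on precedence.

```python
import re

TOKEN = re.compile(r"\s*(?:(\w+)|([&|()]))")


def tokenize(expr):
    """Split a short expression into rule names and the operators & | ( )."""
    expr, tokens, pos = expr.rstrip(), [], 0
    while pos < len(expr):
        match = TOKEN.match(expr, pos)
        if not match:
            raise ValueError(f"unexpected character {expr[pos]!r} at position {pos}")
        tokens.append(match.group(1) or match.group(2))
        pos = match.end()
    return tokens


def parse(tokens):
    """Build a nested tuple tree. Assumed precedence: & before |."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def or_expr():
        node = and_expr()
        while peek() == "|":
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():
        node = atom()
        while peek() == "&":
            take()
            node = ("and", node, atom())
        return node

    def atom():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in {"&", "|", ")"}:
            raise ValueError(f"expected a rule name or '(', got {tok!r}")
        return ("rule", tok)

    tree = or_expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree


def evaluate(tree, node, rules):
    """Evaluate the parsed description against one node's attributes."""
    kind = tree[0]
    if kind == "rule":
        if tree[1] not in rules:
            raise ValueError(f"unknown rule {tree[1]!r}")
        return rules[tree[1]](node)
    left = evaluate(tree[1], node, rules)
    right = evaluate(tree[2], node, rules)
    return (left and right) if kind == "and" else (left or right)


def members(expr, nodes, rules):
    """Return the names of the nodes that the description would group."""
    tree = parse(tokenize(expr))
    return [name for name, attrs in nodes.items() if evaluate(tree, attrs, rules)]


# Constructed nodes and rules (hypothetical categories and elements).
NODES = {
    "fin-lnx": {"Department": "Finance", "OS": "Linux", "Zone": "Core"},
    "fin-win-dmz": {"Department": "Finance", "OS": "Windows", "Zone": "DMZ"},
    "hr-lnx-dmz": {"Department": "HR", "OS": "Linux", "Zone": "DMZ"},
    "hr-win": {"Department": "HR", "OS": "Windows", "Zone": "Core"},
}
RULES = {
    "Rule0": lambda n: n["Department"] == "Finance",
    "Rule1": lambda n: n["OS"] == "Linux",
    "Rule2": lambda n: n["Zone"] == "DMZ",
}

if __name__ == "__main__":
    for expression in ("Rule0 & Rule1 | Rule2", "Rule0 & (Rule1 | Rule2)"):
        print(expression, "->", members(expression, NODES, RULES))
```

Without the parentheses the HR node in the DMZ joins the group, so a full access policy created for that group would cover a node the second description excludes.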
Chapter 9 Users and User Groups
User accounts are created so that users can be assigned a username and password to access CC-SG. A User Group defines a set of privileges for its members. You cannot assign privileges to users themselves, only to user groups. All users must belong to at least one user group. CC-SG maintains a centralized user list and user group list for authentication and authorization. You can also configure CC-SG to use external authentication. See Remote Authentication (on page 161).
The Users Tab
Click the Users tab to display all user groups and users in CC-SG. Users are nested underneath the user groups to which they belong. User groups with users assigned to them appear in the list with a + symbol next to them. Click the + to expand or collapse the list. Active users, those currently logged into CC-SG, appear in bold. The Users tab provides the ability to search for users within the tree.
Default User Groups
CC-SG is configured with three default user groups: CC-Super User, System Administrators, and CC Users.
CC Super-User Group
The CC Super-User group has full administrative and access privileges. Only one user can be a member of this group. The default username is admin. You can change the default username. You cannot delete the CC-Super User group.
Adding, Editing, and Deleting User Groups
Add a User Group
Creating user groups first will help you organize users when the users are added. When a user group is created, a set of privileges is assigned to the user group. Users assigned to the group will inherit those privileges. For example, if you create a group and assign it the User Management privilege, all users assigned to the group will be able to see and execute the commands on the User Manager menu.
The All Policies table lists all the policies available on CC-SG. Each policy represents a rule allowing or denying access to a group of nodes. See Policies for Access Control (on page 149) for details on policies and how they are created.
9. In the All Policies list, select a policy that you want to assign to the user group, and then click Add to move the policy to the Selected Policies list.
7. Select the checkbox that corresponds to each privilege you want to assign to the user group. Deselect a privilege to remove it from the group.
8. In the Node Access area, click the drop-down menu for each kind of interface you want this group to have access through and select Control.
9. Click the drop-down menu for each kind of interface you do not want this group to have access through and select Deny.
10. Click the Policies tab. Two tables of policies appear.
11.
Limit the Number of KVM Sessions per User
You can limit the number of KVM sessions allowed per user for sessions with Dominion KXII, KSXII and KX (KX1) devices. This prevents any single user from using all available channels at once. When a user attempts a connection to a node that would exceed the limit, a warning message displays with information on the current sessions. The event is logged in the Access Report with the message Connection Denied.
2. Select the Require Users to Enter Access Information When Connecting to a Node checkbox.
3. In the Message to Users field, enter a message that users will see when attempting to access a node. A default message is provided. 256 character maximum.
4. Move the user groups for which you want to enable access auditing into the Selected list by clicking the arrow buttons. Use Ctrl+click to select multiple items.
Note: See Naming Conventions (on page 353) for details on CC-SG's rules for name lengths. If strong passwords are enabled, the password entered must conform to the established rules. The information bar at the top of the screen will display messages to assist with the password requirements. See Advanced Administration (on page 206) for details on strong passwords.
8.
3. Select the Remote Authentication only checkbox if you want the user to be authenticated by an external server such as TACACS+, RADIUS, LDAP, or AD. If you are using remote authentication, a password is not required and the New Password and Retype New Password fields will be disabled.
4. In the New Password and Retype New Password fields, type a new password to change this user's password.
Assigning a User to a Group
Use this command to assign an existing user to another group. Users assigned in this way will be added to the new group while still existing in any group they were previously assigned to. To move a user, use this command in conjunction with Delete User From Group.
To assign a user to a group:
1. In the Users tab, select the user group to which you want to assign a user.
2. Choose Users > User Group Manager > Assign Users To Group.
3.
Adding Users with CSV File Import
You can add user information to CC-SG by importing a CSV file that contains the values. If you have multiple CC-SG units in a neighborhood, exporting users from one CC-SG then importing the users into another CC-SG is a quick way to ensure all locally authenticated users are present on both members. You must have the User Management and CC Setup and Control privileges to import and export user information.
Column number | Tag or value | Details
6 | Maximum number of KVM sessions allowed per user | Enter just the number, from 1-8. Default is 2.
To assign permissions to a user group in the CSV file:
Enter the value TRUE to assign a permission to the user group. Enter the value FALSE to deny the permission to the user group.
Column number | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
2 | USERGROUP-PERMISSIONS | Enter the tag as shown.
Column number | Tag or value | Details
Tags are not case sensitive.
3 | User Group Name | Required field. User Group names are case sensitive.
4 | Policy Name | Required field.
To associate an AD module to a user group in the CSV file:
Column number | Tag or value | Details
1 | ADD | The first column for all tags is the command ADD.
2 | USERGROUP-ADMODULE | Enter the tag as shown. Tags are not case sensitive.
3 | User Group Name | Required field.
Column number | Tag or value | Details
Email address is used with system notifications.
8 | Telephone Number | Optional.
9 | Login Enabled | TRUE or FALSE. Default is TRUE. Enable login to allow the user to log in to CC-SG.
10 | Remote Authentication | TRUE or FALSE
11 | Force Password Change Periodically | TRUE or FALSE
12 | Expiration Period | If Force Password Change Periodically is set to TRUE, specify the number of days after which password must be changed.
Sample Users CSV File
ADD, USERGROUP, Windows Administrators, MS IT Team
ADD, USERGROUP-PERMISSIONS, Windows Administrators, FALSE, TRUE, TRUE, TRUE, TRUE, TRUE, TRUE, TRUE
ADD, USERGROUP-POLICY, Windows Administrators, Full Access Policy
ADD, USERGROUP-ADMODULE, Windows Administrators, AD-USA57-120
ADD, USERGROUP-MEMBER, Windows Administrators, user1
ADD, USERGROUP-MEMBER, Windows Administrators, user2
ADD, USER, Windows Administrators, user1, password, userfirstname userl
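A pre-import check for the users CSV layout described above, as an added example that is not Raritan's code. It uses only the columns visible in this guide's tables and sample file; the function name `lint_users_csv`, the sample rows, the exact upper-case matching of ADD and TRUE/FALSE, and the rule that every row needs a group name are assumptions made here.

```python
import csv
import io

KNOWN_TAGS = {"USERGROUP", "USERGROUP-PERMISSIONS", "USERGROUP-POLICY",
              "USERGROUP-ADMODULE", "USERGROUP-MEMBER", "USER"}
BOOLS = {"TRUE", "FALSE"}  # assumption: values must be upper case, as printed

# Constructed sample: rows 1-4 follow the guide's sample file, rows 5-8 are
# deliberately malformed. Columns the excerpt does not describe are left empty.
SAMPLE = """\
ADD, USERGROUP, Windows Administrators, MS IT Team
ADD, USERGROUP-PERMISSIONS, Windows Administrators, FALSE, TRUE, TRUE, TRUE, TRUE, TRUE, TRUE, TRUE
ADD, USERGROUP-POLICY, windows administrators, Full Access Policy
ADD, USER, Windows Administrators, user1, password, First Last
ADD, USERGROUP, Contractors, Temp staff, , 9
ADD, USERGROUP-PERMISSIONS, Contractors, TRUE, yes
ADD, USERGROUP-POLICY, Contractors,
ADD, USER, Contractors, temp1, , Temp One, , , TRUE, TRUE, TRUE,
"""


def col(row, n):
    """Return 1-based column n of a row, or '' when the row is shorter."""
    return row[n - 1] if len(row) >= n else ""


def is_int_in(value, low, high):
    """True when value is a plain decimal number within [low, high]."""
    return value.isascii() and value.isdigit() and low <= int(value) <= high


def lint_users_csv(text):
    """Return (line_number, severity, message) findings for a users CSV."""
    rows = [(n, [c.strip() for c in r])
            for n, r in enumerate(csv.reader(io.StringIO(text)), 1) if r]
    # Group names created in this file, keyed by lower-case form, so that a
    # reference differing only by case (names are case sensitive) stands out.
    defined = {col(r, 3).lower(): col(r, 3)
               for _, r in rows if col(r, 2).upper() == "USERGROUP"}
    out = []
    for n, r in rows:
        tag, group = col(r, 2).upper(), col(r, 3)  # tags: not case sensitive
        if col(r, 1) != "ADD":
            out.append((n, "error", "column 1 must be the command ADD"))
            continue
        if tag not in KNOWN_TAGS:
            out.append((n, "error", f"unknown tag {col(r, 2)!r}"))
            continue
        # Assumption: a group name is required on every row type.
        if not group:
            out.append((n, "error", "user group name (column 3) is required"))
        elif group not in defined.values() and group.lower() in defined:
            out.append((n, "error", f"group {group!r} differs only by case "
                                    f"from {defined[group.lower()]!r}"))
        if tag == "USERGROUP":
            if col(r, 6) and not is_int_in(col(r, 6), 1, 8):
                out.append((n, "error", "column 6 (maximum KVM sessions) "
                                        "must be a number from 1-8"))
        elif tag == "USERGROUP-PERMISSIONS":
            values = r[3:]
            bad = [v for v in values if v not in BOOLS]
            if bad:
                out.append((n, "error",
                            f"permissions must be TRUE or FALSE, got {bad}"))
            elif "TRUE" in values:
                out.append((n, "review", f"{group}: {values.count('TRUE')} of "
                                         f"{len(values)} permissions are TRUE"))
        elif tag == "USERGROUP-POLICY":
            if not col(r, 4):
                out.append((n, "error", "policy name (column 4) is required"))
        elif tag == "USER":
            if col(r, 5):
                out.append((n, "review", f"user {col(r, 4)!r}: password is "
                                         "stored in the file as clear text"))
            for c, name in ((9, "Login Enabled"),
                            (10, "Remote Authentication"),
                            (11, "Force Password Change Periodically")):
                if col(r, c) and col(r, c) not in BOOLS:
                    out.append((n, "error", f"column {c} ({name}) must be "
                                            "TRUE or FALSE"))
            if col(r, 11) == "TRUE" and not is_int_in(col(r, 12), 1, 10**6):
                out.append((n, "error", "column 12 (Expiration Period) must "
                                        "be a number of days"))
    return out


if __name__ == "__main__":
    for line, severity, message in lint_users_csv(SAMPLE):
        print(f"line {line}: {severity}: {message}")
```

The "review" findings are not format errors: they mark rows that grant permissions or carry a clear-text password, which is why an import file needs tighter handling than an export file, where passwords are blank.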
Export Users
The export file contains all users that have a user account created in CC-SG. This excludes AD-authorized users, unless they also have a user account created on CC-SG. The export file includes users and the details from the user profile, user groups, user group permissions and policies, and associated AD modules. Passwords export as a blank field.
To export users:
1. Choose Administration > Export > Export Users.
2. Click Export to File.
3.
Change your name
You cannot change your user name. You can change the first and last name associated with your user name.
To change your name:
1. Choose Secure Gateway > My Profile.
2. Type your first and last name in the Full Name field. See Naming Conventions (on page 353) for details on CC-SG's rules for name lengths.
Change your default search preference
1. Choose Secure Gateway > My Profile.
2.
Change the CC-SG Super User's Username
You must be logged into CC-SG using the CC Super User account to change the CC Super User's username. The default CC Super User username is admin.
1. Choose Secure Gateway > My Profile.
2. Type a new name in the Username field.
3. Click OK to save your changes.
Logging Users Out
You can log active users out of CC-SG, either individually or by user group.
To log out users:
1.
Bulk Copying Users
You can use Bulk Copy for users to copy one user's user group affiliations to another user or list of users. If the users receiving the affiliations have existing group affiliations, the existing affiliations will be removed.
To perform a Bulk Copy for users:
1. In the Users tab, click the + symbol to expand the user group that contains the user whose policies and privileges you want to copy, and then select the user.
2.
Chapter 10 Policies for Access Control
Policies are rules that define which nodes and devices users can access, when they can access them, and whether virtual-media permissions are enabled, where applicable. The easiest way to create policies is to categorize your nodes and devices into node groups and device groups, and then create policies that allow and deny access to the nodes and devices in each group. After you create a policy, you assign it to a user group.
Adding a Policy
If you create a policy that denies access (Deny) to a node group or device group, you also must create a policy that allows access (Control) for the selected node group or device group. Users will not automatically receive Control rights when the Deny policy is not in effect.
Note 1: When CC-SG is in Proxy or Both mode, you can give users access to virtual media on KXII devices. However, users can only use VKC in Proxy or Both mode.
13. In the Device/Node Access Permission field, select Control to define this policy to allow access to the selected node or device group for the designated times and days. Select Deny to define this policy to deny access to the selected node or device group for the designated times and days.
14. If you selected Control in the Device/Node Access Permission field, the Virtual Media Permission section will become enabled.
7. Click the Days drop-down arrow, and then select which days of the week this policy covers: All (every day), Weekday (Monday through Friday only), Weekend (Saturday and Sunday only), or Custom (select specific days).
8. Select Custom to select your own set of days. The individual day checkboxes will become enabled.
9. Select the checkbox that corresponds to each day you want this policy to cover.
10.
Support for Virtual Media
CC-SG provides remote virtual media support for nodes connected to virtual media-enabled KX2, KSX2, and KX2-101 devices. For detailed instructions on accessing virtual media with your device, see:
• Dominion KX II User Guide
• Dominion KSX II User Guide
• Dominion KXII-101 User Guide
See Adding a Policy (on page 150) for details on creating policies to assign virtual media permission to user groups in CC-SG.
Chapter 11 Custom Views for Devices and Nodes
Custom Views enable you to specify different ways to display the nodes and devices in the left panel, using Categories, Node Groups, and Device Groups.
In This Chapter
Types of Custom Views
Using Custom Views in the Admin Client
Using Custom Views in the Admin Client
Custom Views for Nodes
Add a Custom View for Nodes
To add a custom view for nodes:
1. Click the Nodes tab.
2. Choose Nodes > Change View > Create Custom View. The Custom View screen appears.
3. In the Custom View panel, click Add. The Add Custom View window opens.
4. Type a name for the new custom view in the Custom View Name field.
5.
2. Click the Name drop-down arrow and select a custom view from the list.
3. Click Apply View.
or
• Choose Nodes > Change View. All defined custom views are options in the pop-up menu. Choose the custom view you want to apply.
Change a Custom View for Nodes
1. Click the Nodes tab.
2. Choose Nodes > Change View > Create Custom View. The Custom View screen appears.
3. Click the Name drop-down arrow and select a custom view from the list.
2. Choose Nodes > Change View > Create Custom View. The Custom View screen appears.
3. Click the Name drop-down arrow, and select a custom view from the list. Details of the items included and their order appear in the Custom View Details panel.
4. In the Custom View panel, click Delete. The Delete Custom View confirmation message appears.
5. Click Yes.
Assign a Default Custom View for Nodes
To assign a default custom view for nodes:
1. Click the Nodes tab.
2.
3. In the Custom View panel, click Add. The Add Custom View window appears.
4. Type a name for the new custom view in the Custom View Name field.
5. In the Custom View Type section:
Select Filter by Device Group to create a custom view that displays only the device groups you specify.
Select View by Category to create a custom view that displays devices according to the categories you specify.
6. Click OK.
7. In the Custom View Details section:
a.
2. Choose Devices > Change View > Create Custom View. The Custom View screen appears.
3. Click the Name drop-down arrow, and select a custom view from the list. Details of the items included and their order appear in the Custom View Details panel.
To change a custom view's name:
1. In the Custom View panel, click Edit. The Edit Custom View window opens.
2. Type a new name for the custom view in the Enter new name for custom view field, and then click OK.
Assign a Default Custom View for Devices
To assign a default custom view for devices:
1. Click the Devices tab.
2. Choose Devices > Change View > Create Custom View. The Custom View screen appears.
3. Click the Name drop-down arrow, and select a custom view from the list.
4. In the Custom View panel, click Set as Default. The next time you log in, the selected custom view will be used by default.
Chapter 12 Remote Authentication
In This Chapter
Authentication and Authorization (AA) Overview
Distinguished Names for LDAP and AD
Specifying Modules for Authentication and Authorization
Establishing Order of External AA Servers
AD and CC-SG Overview
3. Username and password are either accepted or rejected and sent back. If authentication is rejected, this results in a failed login attempt.
4. If authentication is successful, authorization is performed. CC-SG checks if the username entered matches a group that has been created in CC-SG or imported from AD, and grants privileges according to the assigned policy.
When remote authentication is disabled, both authentication and authorization are performed locally on CC-SG.
Specify a Username for AD
When authenticating CC-SG users on an AD server by specifying cn=administrator,cn=users,dc=xyz,dc=com in username, if a CC-SG user is associated with an imported AD group, the user will be granted access with these credentials. Note that you can specify more than one common name, organizational unit, and domain component.
Specify a Base DN
You also enter a Distinguished Name to specify where the search for users begins.
2. Click the Authentication tab. All configured external Authorization and Authentication Servers appear in a table.
3. Select a server from the list, and then click the up and down arrows to prioritize the order of engagement.
4. Click Update to save your changes.
AD and CC-SG Overview
CC-SG supports authentication and authorization of users imported from an AD domain controller, without requiring that users be defined locally in CC-SG.
AD General Settings
In the General tab, you must add the information that allows CC-SG to query the AD server. Do not add duplicate AD modules. If your users see a message that says "You are not a member of any group" when attempting to log in, you may have configured duplicate AD modules. Check the modules you have configured to see if they describe overlapping domain areas.
1. Type the AD domain you want to query in the Domain field.
5. Type the password for the user account you want to use to query the AD server in the Password and Confirm Password fields. Maximum length is 32 characters.
6. Click Test Connection to test the connection to the AD server using the given parameters. You should receive a confirmation of a successful connection. If you do not see a confirmation, review the settings carefully for errors and try again.
7. Click Next to proceed. The Advanced tab opens.
Select the Use Bind checkbox if the user logging in from the applet has permissions to perform search queries in the AD server. If a username pattern is specified in Bind username pattern, the pattern will be merged with the username supplied in the applet and the merged username will be used to connect to the AD server.
4. Click Next to proceed. The Trusts tab opens.
AD Trust Settings
In the Trusts tab, you can set up trust relationships between this new AD domain and any existing domains. A trust relationship allows resources to be accessible by authenticated users across domains. Trust relationships can be incoming, outgoing, bidirectional, or disabled.
3. Select the AD module you want to edit, and then click Edit.
4. Click each tab in the Edit Module window to view the configured settings. Make changes as needed. See AD General Settings (on page 165), AD Advanced Settings (on page 166), AD Group Settings (on page 167), and AD Trust Settings (on page 168).
5. If you change the connection information, click Test Connection to test the connection to the AD server using the given parameters.
To search for user groups, type a search string in the Search for User Group field, and then click Go.
Click a column header to sort the list of user groups by the information in that column.
Click Select all to select all user groups for import.
Click Deselect all to deselect all selected user groups.
6. In the Policies column, select a CC-SG access policy from the list to assign the policy to the selected group.
7.
Synchronize All User Groups with AD
You should synchronize all user groups if you have made a change to a user group, such as moving a user group from one AD module to another. You can also change the AD association of a user group manually, in the User Group Profile's Active Directory Associations tab. If you have made changes to users or domain controllers, you should synchronize all AD modules. See Synchronize All AD Modules (on page 172).
Synchronize All AD Modules
You should synchronize all AD Modules whenever you change or delete a user in AD, change user permissions in AD, or make changes to a domain controller. When you synchronize all AD modules, CC-SG retrieves the user groups for all configured AD modules, compares their names with the user groups that have been imported into CC-SG or associated with the AD module within CC-SG, and refreshes the CC-SG local cache.
To disable daily synchronization of all AD modules:
1. Choose Administration > Security.
2. Click the Authentication tab. All configured Authorization and Authentication Servers appear in a table.
3. Deselect the Daily synchronization of All Modules checkbox.
4. Click Update to save your changes.
Change the Daily AD Synchronization Time
When daily synchronization is enabled, you can specify the time at which automatic synchronization occurs.
LDAP General Settings
1. Click the General tab.
2. Type the IP address or hostname of the LDAP server in the IP Address/Hostname field. See Terminology/Acronyms (on page 2) for hostname rules.
3. Type the port value in the Port field. The default port is 389.
4. Select "LDAP over SSL" if using a secure LDAP server.
5. Select Anonymous Bind if your LDAP server allows anonymous queries. You do not need to enter a user name and password with anonymous binding.
2. Select Base 64 if you want the password to be sent to the LDAP server with encryption. Select Plain Text if you want the password to be sent to the LDAP server as plain text.
3. Default Digest: select the default encryption of user passwords.
4. Type the user attribute and group membership attribute parameters in the User Attribute and Group Membership Attribute fields. These values should be obtained from your LDAP directory schema.
5.
OpenLDAP (eDirectory) Configuration Settings
If using an OpenLDAP server for remote authentication, use this example:
Parameter Name | Open LDAP Parameters
IP Address/Hostname |
User Name | CN=, O=
Password |
User Base | O=accounts, O=
User Filter | (objectclass=person)
Passwords (Advanced screen) | Base64
Password Default Digest (Advanced) | Crypt
Use Bind | Unchecked
Use Bind After Search | Ch
About TACACS+ and CC-SG
CC-SG users who are remotely authenticated by a TACACS+ server must be created on the TACACS+ server and on CC-SG. The user name on the TACACS+ server and on CC-SG must be the same, although the passwords may be different. See Users and User Groups (on page 129).
Add a TACACS+ Module
To add a TACACS+ module:
1. Choose Administration > Security.
2. Click the Authentication tab.
3. Click Add to open the Add Module window.
4.
About RADIUS and CC-SG
CC-SG users who are remotely authenticated by a RADIUS server must be created on the RADIUS server and on CC-SG. The user name on the RADIUS server and on CC-SG must be the same, although the passwords may be different. See Users and User Groups (on page 129).
Add a RADIUS Module
To add a RADIUS module:
1. Choose Administration > Security.
2. Click the Authentication tab.
3. Click Add to open the Add Module window.
4.
Two-Factor Authentication Using RADIUS
By using an RSA RADIUS Server that supports two-factor authentication in conjunction with an RSA Authentication Manager, CC-SG can make use of two-factor authentication schemes with dynamic tokens. In such an environment, users log in to CC-SG by first typing their usernames in the Username field, then typing their fixed passwords, and then the dynamic token value in the Password field.
Chapter 13 Reports
In This Chapter
Using Reports
Audit Trail Report
Error Log Report
Access Report
Availability Report
View Report Details
• Double-click a row to view details of the report.
• When a row is highlighted, press the Enter key to view details.
All details of the selected report display in a dialog that appears, not just the details you can view in the report screen. For example, the Access Report screen for nodes does not display the Interface Type and Message, but these are available in the Node Access Details dialog.
Purge a Report's Data From CC-SG
You can purge the data that appears in the Audit Trail and Error Log reports. Purging these reports deletes all data that satisfy the search criteria used. For example, if you search for all Audit Trail entries from March 26, 2008 through March 27, 2008, only those records will be purged. Entries earlier than March 26 or later than March 27 will remain in the Audit Trail. Purged data is removed from CC-SG permanently.
3. You can limit the data that the report will contain by entering additional parameters in the Message Type, Message, Username, and User IP address fields. Wildcards are accepted in these fields except for the Message Type field. To limit the report to a type of message, select a type in the Message Type field. To limit the report by the message text associated with an activity, type the text in the Message field.
Click Purge to delete the Error Log. See Purge a Report's Data from CC-SG (on page 182).
Access Report
Generate the Access report to view information about accessed devices and nodes, when they were accessed, and the user who accessed them.
To generate the Access Report:
1. Choose Reports > Access Report.
2. Select Devices or Nodes.
3. Set the date and time range for the report in the Start Date and Time and End Date and Time fields.
3. Click Apply.
Active Users Report
The Active Users report displays current users and user sessions. You can select active users from the report and disconnect them from CC-SG.
To generate the Active Users report:
• Choose Reports > Users > Active Users.
To disconnect a user from an active session in CC-SG:
1. In the Active Users report, select the user name you want to disconnect.
2. Click Logout.
The Password Expiration field displays the number of days that the user can use the same password before being forced to change it. See Add a User (on page 136).
The Groups field displays the user groups to which the user belongs.
The Privileges field displays the CC-SG privileges assigned to the user. See User Group Privileges (on page 321).
The Email field displays the email address for the user, as specified in the User Profile.
Device Group Data Report
The Device Group Data report displays device group information.
To generate the Device Group Data report:
1. Choose Reports > Devices > Device Group Data.
2. Double-click a row to display the list of devices in the group.
Query Port Report
The Query Port Report displays all ports according to port status.
To generate the Query Port report:
1. Choose Reports > Ports > Query Port.
2.
State Type Port State Definition
been configured.
3. Select Ghosted Ports to include ports that are ghosted. A ghosted port can occur when a CIM or target server is removed from a Paragon system or powered off (manually or accidentally). See Raritan's Paragon II User Guide. Optional.
4. Select Paused Ports or Locked Ports to include ports that are paused or locked. Paused ports occur when CC-SG management of a device is paused. Locked ports occur when a device is being upgraded.
3. The URL column contains direct links to each node. You can use this information to create a web page with links to each node, instead of bookmarking each node individually. See Bookmarking an Interface (on page 109).
Active Nodes Report
The Active Nodes report includes the name and type of each active interface, the connection mode, the associated device, a timestamp, the current user, and the user IP address for each node with an active connection.
Node Group Data Report
The Node Group Data report displays the list of nodes that belong to each group, the user groups that have access to each node group, and, if applicable, the rules that define the node group. The list of nodes is in the report details, which you can view by double-clicking a row in the report page, or save to a CSV file. See Save a Report to a File (on page 181). The Node Asset report displays the list of groups each node is a member of.
Scheduled Reports
Scheduled Reports displays reports that were scheduled in the Task Manager. You can find the Upgrade Device Firmware reports and Restart Device reports in the Scheduled Reports screen. Scheduled reports can be viewed in HTML format only. See Task Manager (on page 246).
To access scheduled reports:
1. Choose Reports > Scheduled Reports.
2. Select a Report Type.
3. Select a Report Owner.
4. Enter a Report Name to filter on the name.
Upgrade Device Firmware Report
The Upgrade Device Firmware report is located in the Scheduled Reports list. This report is generated when an Upgrade Device Firmware task is running. View the report to get real-time status information about the task. Once the task has completed, the report information is static. See Scheduled Reports (on page 191) for details on viewing the report.
Chapter 14 System Maintenance
In This Chapter
Maintenance Mode
Entering Maintenance Mode
Exiting Maintenance Mode
Backing Up CC-SG
Saving and Deleting Backup Files
2. Password: Type your password. Only users with the CC Setup and Control privilege can enter maintenance mode.
3. Broadcast message: Type the message that will display to users who will be logged out of CC-SG.
4. Enter maintenance mode after (min): Enter the number of minutes (from 0-720) that should elapse before CC-SG enters maintenance mode. Entering zero minutes causes Maintenance Mode to begin immediately.
b. Type the IP address or hostname of the server in the IP Address/Hostname field.
c. If you are not using the default port for the selected protocol (FTP: 21, SFTP: 22), type the communications port used in the Port Number field.
d. Type a username for the remote server in the Username field.
e. Type a password for the remote server in the Password field.
f. In the Directory (Relative Path) field, specify the location to save the backup file on the FTP server.
What is the difference between Full backup and Standard backup?
Standard backup: A standard backup includes all data in all fields of all CC-SG pages, except for data in the following pages:
• Administration > Configuration Manager > Network tab
• Administration > Cluster Configuration
CC-SG backup files stored on CC-SG are also not backed up. You can view the list of backup files stored on CC-SG in the System Maintenance > Restore page.
3. Click OK to delete the backup from the CC-SG system.
Restoring CC-SG
You can restore CC-SG using a backup file that you created.
Important: The Neighborhood configuration is included in the CC-SG backup file, so make sure you remember or note down its setting at the backup time. This is helpful for determining whether the backup file is appropriate for the CC-SG unit you restore.
To restore CC-SG:
1. Choose System Maintenance > Restore.
Restore Data - CC-SG configuration, Device and Node configuration, and User Data. Selecting Data restores the Standard backup portion of a Full backup file. See What is the difference between Full backup and Standard backup? (on page 196)
Restore Logs - Error logs and event reports stored on CC-SG
Restore CC Firmware - Stored firmware files used for updating the CC-SG server itself.
Option Description
part of the CC-SG database. The SNMP configuration and traps are reset. The SNMP agent is not reset. IP-ACL settings are reset with a Full Database reset whether you select the IP ACL Tables option or not. The Neighborhood configuration is removed with the reset so CC-SG no longer "remembers" being a Neighborhood member if it was. When the database is removed, all devices, nodes, and users are removed.
Option Description
SNMP Trap Destinations
Default Firmware: This option resets all device firmware files to factory defaults. This option does not change the CC-SG database.
Upload Firmware to Database After Reset: This option loads the firmware files for the current CC-SG version into the CC-SG database.
Diagnostic Console: This option restores Diagnostic Console settings back to factory defaults.
IP-ACL Tables: This option removes all entries from the IP-ACL table.
3. Broadcast message: Type the message that will display to users who will be logged off CC-SG.
4. Restart after (min): Enter the number of minutes (from 0-720) that should elapse before CC-SG restarts. If specifying over 10 minutes, the broadcast message displays to users immediately, and then repeats at 10 and 5 minutes before the event occurs.
5. Click OK to restart CC-SG.

Upgrading CC-SG
You can upgrade CC-SG's firmware when a newer version is released.
4. Once CC-SG is in maintenance mode, choose System Maintenance > Upgrade.
5. Click Browse. Navigate to and select the CC-SG firmware file (.zip) then click Open.
6. Click OK to upload the firmware file to CC-SG. After the firmware file is uploaded to CC-SG, a success message appears, indicating that CC-SG has begun the upgrade process. All users will be disconnected from CC-SG at this time.
7. You must wait for the upgrade to complete before logging into CC-SG again.
Clear the Browser's Cache
These instructions may vary slightly for different browser versions.
To clear the browser cache in Internet Explorer 6.0 or later:
1. Choose Tools > Internet Options.
2. On the General tab, click Delete Files then click OK to confirm.
In Firefox 2.0 and 3.0:
1. Choose Tools > Clear Private Data.
2. Make sure Cache is selected then click Clear Private Data Now.
If specifying over 10 minutes, the broadcast message displays to users immediately, and then repeats at 10 and 5 minutes before the event occurs.
5. Click OK to shut down CC-SG.

Restarting CC-SG after Shutdown
After shutting down CC-SG, use one of these two methods to restart the unit:
• Use the Diagnostic Console. See Restart CC-SG with Diagnostic Console (on page 283).
• Recycle the power to your CC-SG unit.
Ending CC-SG Session
There are two ways to end a CC-SG Session.
• Log out to end your session while keeping the client window open. See Log Out of CC-SG (on page 205).
• Exit to end your session and close the client window. See Exit CC-SG (on page 205).

Log Out of CC-SG
1. Choose Secure Gateway > Logout. The Logout window opens.
2. Click Yes to log out of CC-SG. Once you log out, the CC-SG login window opens.

Exit CC-SG
1. Choose Secure Gateway > Exit.
2.
Chapter 15 Advanced Administration

In This Chapter
Configuring a Message of the Day (page 206)
Configuring Applications for Accessing Nodes (page 207)
Configuring Default Applications (page 209)
Managing Device Firmware (page 210)
Configuring the CC-SG Network
c. Click the Font Size drop-down menu and select a font size for the message text.
If you select Message of the Day File:
a. Click Browse to browse for the message file.
b. Select the file in the dialog window that opens then click Open.
c. Click Preview to review the contents of the file.
4. Click OK to save your changes.
2. Click the Application name drop-down arrow and select the application that must be upgraded from the list. If you do not see the application, you must add it first. See Add an Application (on page 208).
3. Click Browse, locate and select the application upgrade file from the dialog that appears then click Open.
4. The application name appears in the New Application File field in the Application Manager screen.
5. Click Upload.
5. Click OK. An Open dialog appears.
6. Navigate to and select the application file (usually a .jar or .cab file), and then click Open.
7. The selected application loads onto CC-SG.

Delete an Application
To delete an application:
1. Choose Administration > Applications.
2. Select an application from the Application Name drop-down menu.
3. Click Delete. A confirmation dialog appears.
4. Click Yes to delete the application.
View the Default Application Assignments
To view the default application assignments:
1. Choose Administration > Applications.
2. Click the Default Applications tab to view and edit the current default applications for various Interfaces and Port Types. Applications listed here will become the default choice when configuring a node to allow access through a selected interface.
2. Click Add to add a new firmware file. A search window opens.
3. Navigate to and select the firmware file you want to upload to CC-SG, and then click Open. When the upload completes, the new firmware appears in the Firmware Name field.

Delete Firmware
To delete firmware:
1. Choose Administration > Firmware.
2. Click the Firmware Name drop-down arrow and select the firmware you want to delete.
3. Click Delete. A confirmation message appears.
4.
Model | Primary LAN Name | Primary LAN Location | Secondary LAN Name | Secondary LAN Location
V1-0 or V1-1 | LAN1 | Left LAN port | LAN2 | Right LAN port

E1 LAN Ports:
Model | Primary LAN Name | Primary LAN Location | Secondary LAN Name | Secondary LAN Location
E1-0 | Not labeled | Top LAN port in set of 2 ports in center of unit back panel | Not labeled | Bottom LAN port in set of 2 ports in center of unit back panel
E1-1 | LAN1 | Left LAN port | LAN2 | Right LAN port

What is IP Failover mode?
If the Primary LAN is connected and receiving a Link Integrity signal, CC-SG uses this LAN port for all communications. If the Primary LAN loses Link Integrity and the Secondary LAN is connected, CC-SG will fail over its assigned IP address to the Secondary LAN. The Secondary LAN will be used until the Primary LAN returns to service. When the Primary LAN is back in service, CC-SG automatically reverts to using the Primary LAN.
6. Click the Adapter Speed drop-down arrow and select a line speed from the list. Make sure your selection agrees with your switch's adapter port setting. If your switch uses 1 Gig line speed, select Auto.
7. If you selected Auto in the Adapter Speed field, the Adapter Mode field is disabled, with Full Duplex selected automatically. If you specified an Adapter Speed other than Auto, click the Adapter Mode drop-down arrow and select a duplex mode from the list.
8.
What is IP Isolation mode?
IP Isolation mode allows you to isolate clients from devices by placing them on separate sub-networks and forcing clients to access the devices through CC-SG. In this mode, CC-SG manages traffic between the two separate IP domains. IP Isolation mode does not offer failover. If either LAN connection fails, users will not have access.
• Specify at most one Default Gateway in the Network Setup panel in CC-SG. Use Diagnostic Console to add more static routes if needed. See Edit Static Routes (on page 278).
To configure IP Isolation mode in CC-SG:
1. Choose Administration > Configuration.
2. Click the Network Setup tab.
3. Select IP Isolation mode.
4. Type the CC-SG hostname in the Host name field. See Terminology/Acronyms (on page 2) for hostname rules.
Recommended DHCP Configurations for CC-SG
Review the following recommended DHCP configurations. Make sure that your DHCP server is set up properly before you configure CC-SG to use DHCP.
• Configure the DHCP server to statically allocate CC-SG's IP address.
• Configure the DHCP and DNS servers to automatically register the CC-SG with the DNS when the DHCP server allocates an IP address to CC-SG.
2. Click the Logs tab.
3. Click Purge.
4. Click Yes.

Configuring the CC-SG Server Time and Date
CC-SG's time and date must be accurately maintained to provide credibility for its device-management capabilities.
Important: The Time/Date configuration is used when scheduling tasks in Task Manager. See Task Manager (on page 246). The time set on your client PC may be different than the time set on CC-SG.
Connection Modes: Direct and Proxy

About Connection Modes
CC-SG offers three connection modes for in-band and out-of-band connections: Direct, Proxy, and Both.
• Direct mode allows you to connect to a node or port directly, without passing data through CC-SG. Direct mode generally provides faster connections.
• Proxy mode allows you to connect to a node or port by passing all data through CC-SG.
Configure Proxy Mode for All Client Connections
To configure proxy mode for all client connections:
1. Choose Administration > Configuration.
2. Click the Connection Mode tab.
3. Select Proxy mode.
4. Click Update Configuration.
3. Type a new timeout duration in the Heartbeat (sec) field. The valid range is 30 seconds to 50,000 seconds.
4. Click Update Configuration to save your changes.
To enable or disable a warning message for all power operations:
Select the Display Warning Message For All Power Operations checkbox to enable a warning message that alerts a user before a requested power operation occurs. Only the user who initiated the power operation sees the message.
Enable AKC Download Server Certificate Validation Overview If you are using the AKC client, you can choose to use the Enable AKC Download Server Certificate Validation feature or opt not to use this feature.
Configuring Custom JRE Settings
CC-SG will display a warning message to users who attempt to access CC-SG without the minimum JRE version that you specify. Check the Compatibility Matrix for the minimum supported JRE version. Choose Administration > Compatibility Matrix. If a user attempting to log into CC-SG does not have the specified JRE version installed, the JRE Incompatibility Warning window opens.
To clear the default message and minimum JRE version:
1. Choose Administration > Configuration. Click the Custom JRE tab.
2. Click Clear.

Configuring SNMP
Simple Network Management Protocol allows CC-SG to push SNMP traps (event notifications) to an existing SNMP manager on the network. You should be trained in handling SNMP infrastructure to configure CC-SG to work with SNMP. CC-SG also supports SNMP GET/SET operations with third-party solutions, such as HP OpenView.
9. Select the checkboxes before the traps you want CC-SG to push to your SNMP hosts: Under Trap Sources is a list of SNMP traps grouped into two different categories: System Log traps, which include notifications for the status of the CC unit itself, such as a hard disk failure, and Application Log traps for notifications generated by events in the CC application, such as modifications to a user account.
Requirements for CC-SG Clusters
• The Primary and Secondary nodes in a cluster must be running the same firmware version on the same hardware version (V1 or E1).
• Your CC-SG network must be in IP Failover mode to be used for clustering. Clustering will not work with an IP Isolation mode configuration. See About Network Setup (on page 211).
• Date, time, and time zone settings are not replicated from the Primary node to the Secondary node.
5. Type a valid user name and password for the Backup node in the Username for Backup Secure Gateway and Password for Backup Secure Gateway fields.
6. Select the Redirect by Hostname checkbox to specify that secondary to primary redirection access should be via DNS. Optional. See Access a CC-SG Cluster (on page 226).
Switch the Primary and Secondary Node Status
You can exchange the roles of Primary and Secondary nodes when the Secondary, or Backup, node is in the "Joined" state. When the Secondary node is in the "Waiting" state, switching is disabled. After the roles are switched, the former Primary node is in the "Waiting" state. To recover the cluster configuration, join the "Waiting" node as the Backup. See Recover a Cluster (on page 228).
Note: If the clustered CC-SG units do not share the same time zone, then when a Primary node failure occurs and the Secondary node becomes the new Primary node, the time specified for Automatic Rebuild still follows the time zone of the old Primary node.

Delete a Cluster
Deleting a cluster completely deletes the information entered for the cluster, and restores both the Primary and Secondary CC-SG nodes to the Standalone state.
Create a Neighborhood
To create a Neighborhood, log into a CC-SG unit that is not yet a member of any Neighborhood. After a Neighborhood is created, all members in the Neighborhood share the same Neighborhood information. If any member is the Primary Node of clustered CC-SG units, the IP address or hostname of the Secondary, or Backup, Node also displays in the Neighborhood configuration.
To create a Neighborhood
1.
To deactivate any CC-SG unit, deselect the Activate checkbox next to that unit. Deactivated CC-SG units operate as standalone units and do not show up as one of the Neighborhood members to Access Client users. Click the column header to sort the table by that attribute in ascending order. Click the header again to sort the table in descending order.
9. To return to the previous screen, click Back and repeat prior steps. Optional.
10. Click Finish.
4. If new CC-SG units meet the Neighborhood criteria and are found, they display in the Neighborhood Configuration table. Otherwise, a message appears and returns you to the Add Member dialog. Then make changes in the dialog as needed.
5. Select the Active checkbox next to each new CC-SG unit.
6. To change any CC-SG's Secure Gateway Name, click the name, type a new one and press Enter. The default is a short CC-SG hostname. Optional.
7.
Delete a Neighborhood Member
When a CC-SG unit in a Neighborhood becomes inappropriate, you may either remove or deactivate it in the Neighborhood configuration. Otherwise, Access Client users may find these units inaccessible when trying to switch to them.
2. Choose Administration > Neighborhood.
3. Click Delete Neighborhood.
4. Click Yes to confirm the deletion.

Security Manager
The Security Manager is used to manage how CC-SG provides access to users. Within Security Manager you can configure authentication methods, SSL access, AES Encryption, strong password rules, lockout rules, the login portal, certificates, and access control lists.
Check Your Browser for AES Encryption
CC-SG supports AES-128 and AES-256. If you do not know if your browser uses AES, check with the browser manufacturer. You may also want to try navigating to the following web site using the browser whose encryption method you want to check: https://www.fortify.net/sslcheck.html. This web site will detect your browser's encryption method and display a report.
Click the Key Length drop-down arrow to select the encryption level - 128 or 256. The CC-SG Port field displays 80. The Browser Connection Protocol field displays HTTPS/SSL selected.
5. Click Update to save your changes.

Configure Browser Connection Protocol: HTTP or HTTPS/SSL
In Security Manager, you can configure CC-SG to either use regular HTTP connections from clients or require HTTPS/SSL connections.
Require strong passwords for all users
1. Choose Administration > Security.
2. Click the Login Settings tab.
3. Select the Strong Passwords Required for All Users checkbox.
4. Select a Maximum Password Length. Passwords must contain fewer than the maximum number of characters.
5. Select a Password History Depth. The number specifies how many previous passwords are kept in the history and cannot be reused.
Lockout settings
Administrators can lock out CC-SG users and SSH users after a specified number of failed login attempts. You can enable this feature for locally authenticated users, for remotely authenticated users, or for all users.
Note: By default, the admin account is locked out for five minutes after three failed login attempts. For admin, the number of failed login attempts before lockout and after lockout is not configurable.
To enable lockout:
1.
2. Open the Login Settings tab.
3. Deselect the Lockout Enabled for Local Users checkbox to disable lockout for locally authenticated users. Deselect the Lockout Enabled for Remote Users checkbox to disable lockout for remotely authenticated users.
4. Click Update to save your changes.

Allow concurrent logins per username
You can permit more than one concurrent CC-SG session with the same username.
1. Choose Administration > Security.
2. Click the Login Settings tab.
Logo
A small graphic file can be uploaded to CC-SG to act as a banner on the login page. The maximum size of the logo is 998 by 170 pixels.
To upload a logo:
1. Click Browse in the Logo area of the Portal tab. An Open dialog appears.
2. Select the graphic file you want to use as your logo in the dialog, and then click Open.
3. Click Preview to preview the logo. The selected graphic file appears to the right.
4. Click Update to save your changes.
Click Browse. A dialog window opens. In the dialog window, select the text file with the message you want to use, and then click Open. The maximum length of the text message is 10,000 characters. Click Preview to preview the text contained in the file. The preview appears in the banner message field above.
3. Click Update to save your changes. The updates will appear on the login screen the next time a user accesses CC-SG.
a. Encryption Mode: If Require AES Encryption between Client and Server is selected in the Administration > Security > Encryption screen, AES-128 is the default. If AES is not required, DES 3 is the default.
b. Private Key Length: 1024 is the default.
c. Validity Period (days): Maximum 4 numeric characters.
d. Country Code: CSR tag is Country Name.
e. State or Province: Maximum 64 characters. Type in the whole state or province name. Do not abbreviate.
f.
14. Type raritan in the Password field if the CSR was generated by CC-SG. If a different application generated the CSR, use the password for that application.
Note: If the imported certificate is signed by a root and subroot CA (certificate authority), using only a root or subroot certificate will fail. To resolve this, copy and paste both the root and subroot certificates into one file, and then import it.
To generate a self-signed certificate request:
1.
Access Control List
An IP Access Control List specifies ranges of client IP addresses for which you want to deny or allow access to CC-SG. Each entry in the Access Control List becomes a rule that determines whether a user in a certain group, with a certain IP address, can access CC-SG. You can also set rules that apply to the whole CC-SG system (select System instead of a user group) at an operating system level.
6. Click the Action drop-down arrow and select Allow or Deny to specify whether the specified users in the IP range can access CC-SG.
7. Click Update to save your changes.
To change the order in which CC-SG applies rules:
1. Choose Administration > Security.
2. Click the Access Control List tab.
3. Select a rule you want to move up or down in the list.
4. Click the up or down arrow until the rule is in position.
5. Click Update to save your changes.
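Rule order decides which Allow or Deny entry a client actually hits, so a narrow Deny placed below a broader Allow never takes effect. The following Python model is an added example for reviewing a planned rule list before entering it; it is not CC-SG code. It assumes that rules are applied top-down with the first match deciding, that a System rule matches users of every group, and that unmatched clients fall to a configurable default. Group names and address ranges are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

SYSTEM = "System"  # the scope the guide offers in place of a user group


@dataclass(frozen=True)
class Rule:
    group: str           # user group name, or SYSTEM
    start: IPv4Address   # first address of the range (inclusive)
    end: IPv4Address     # last address of the range (inclusive)
    action: str          # "Allow" or "Deny"

    def matches(self, group, ip):
        # Assumption: a System rule applies to clients of every group.
        return self.group in (SYSTEM, group) and self.start <= ip <= self.end


def make_rule(group, start, end, action):
    """Build a rule, rejecting inverted ranges and unknown actions."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    if action not in ("Allow", "Deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(group, lo, hi, action)


def decide(rules, group, ip, default="Deny"):
    """Return the action of the first matching rule (assumed semantics).

    The default for unmatched clients is an assumption of this model.
    """
    addr = IPv4Address(ip)
    for r in rules:
        if r.matches(group, addr):
            return r.action
    return default


def shadowed(rules):
    """Find rules that can never fire under first-match evaluation.

    Returns (later_index, earlier_index, conflict) tuples where a single
    earlier rule covers the later rule's whole range and scope. conflict is
    True when the two actions differ, which is the case worth fixing first.
    """
    findings = []
    for later_idx, later in enumerate(rules):
        for earlier_idx, earlier in enumerate(rules[:later_idx]):
            same_scope = earlier.group in (SYSTEM, later.group)
            if same_scope and earlier.start <= later.start and later.end <= earlier.end:
                findings.append((later_idx, earlier_idx, earlier.action != later.action))
                break
    return findings


# Constructed sample rule list, in the order it would appear in the ACL tab.
ACL = [
    make_rule("Operators", "10.0.0.0", "10.0.255.255", "Allow"),
    make_rule("Operators", "10.0.5.0", "10.0.5.255", "Deny"),        # hidden by rule 0
    make_rule(SYSTEM, "192.168.1.0", "192.168.1.255", "Allow"),
    make_rule("Contractors", "192.168.1.50", "192.168.1.60", "Deny"),  # hidden by rule 2
    make_rule("Contractors", "172.16.0.0", "172.16.0.255", "Allow"),
]

if __name__ == "__main__":
    for later, earlier, conflict in shadowed(ACL):
        kind = "conflicting" if conflict else "redundant"
        print(f"rule {later} is unreachable behind rule {earlier} ({kind})")
    print("Operators from 10.0.5.7:", decide(ACL, "Operators", "10.0.5.7"))
```

Moving each narrow Deny above the broader Allow that hides it clears both findings in this sample.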
7. Type a valid email address that will identify messages from CC-SG in the From field.
8. Type the number of times emails should be re-sent should the send process fail in the Sending retries field.
9. Type the number of minutes (from 1-60) that should elapse between sending retries in the Sending retry interval (minutes) field.
10. Check Use SSL if you want emails to be sent securely using Secure Sockets Layer (SSL).
11.
Schedule Sequential Tasks
You may want to schedule tasks sequentially to confirm that expected behavior occurred. For example, you may want to schedule an Upgrade Device Firmware task for a given device group, and then schedule an Asset Management Report task immediately after it to confirm that the correct versions of firmware were upgraded.

Email Notifications for Tasks
Upon completion of a task, an email message can be sent to a specified recipient.
Schedule a Task
This section covers most tasks that can be scheduled. See Schedule a Device Firmware Upgrade (on page 250) for details on scheduling device firmware upgrades.
To schedule a task:
1. Choose Administration > Tasks.
2. Click New.
3. In the Main tab, type a name and description for the task. Names can have 1-32 alphanumeric characters or underscores, no spaces.
4. Click the Task Data tab.
5.
b. Periodic: Use the up and down arrows to select the Start time at which the task should begin. Type the number of times the task should be executed in the Repeat Count field. Type the time that should elapse between repetitions in the Repeat Interval field. Click the drop-down menu and select the unit of time from the list.
12. Specify email addresses to which a notification should be sent upon task success or failure. By default, the email address of the user currently logged in is available. User email addresses are configured in the User Profile. To add another email address, click Add, type the email address in the window that opens, and then click OK. By default, email is sent if the task is successful. To notify recipients of failed tasks, select On Failure.
13.
a. Start Date/Time: Select the date and time at which the task begins. The start date/time must be later than the current date/time.
b. Restrict Upgrade Window and Latest Upgrade Start Date/Time: If you must finish all upgrades within a specific window of time, use these fields to specify the date and time after which no new upgrades can begin. Select Restrict Upgrade Window to enable the Latest Upgrade Start Date/Time field.
7.
Change a Scheduled Task
You can change a scheduled task before it runs.
To change a scheduled task:
1. Select the task you want to change.
2. Click Edit.
3. Change the task specifications as needed. See Schedule a Task (on page 248) and Schedule a Device Firmware Upgrade (on page 250) for tab descriptions.
4. Click Update to save your changes.

Reschedule a Task
The Save As function in Task Manager enables you to reschedule a completed task that you want to run again.
Delete a Task
You can delete a task to remove it from the Task Manager. You cannot delete a task that is currently running.
To delete a task:
• Select the task, then click Delete.

SSH Access to CC-SG
Use Secure Shell (SSH) clients, such as PuTTY or OpenSSH Client, to access a command line interface to the SSH (v2) server on CC-SG. Only a subset of CC-SG commands is provided via SSH to administer devices and CC-SG itself.
To display all SSH commands:
• At the shell prompt, type ls to display all commands available.

Get Help for SSH Commands
You can get limited help for all commands at once. You can also get in-depth help on a single command at a time.
To get help for a single SSH command:
1. At the shell prompt, type the command you want help for, followed by a space and -h. For example: connect -h
2. Information on the command, parameters, and usage appears on the screen.
SSH Commands and Parameters
The following table lists all commands available in SSH. You must be assigned the appropriate privileges in CC-SG to access each command. Some commands have additional parameters that you must type to execute the command. For more information about how to type commands, see Command Tips (on page 257).
To search for text from piped output stream: grep search_term
To view the help screen for all commands: help
To list available device configuration backups: listbackups <[-id ] | [host]>
To list available devices: listdevices
To list firmware versions available for upgrade: listfirmwares [[-id ] | [host]]
To list all interfaces: listinterfaces [-id ]
To list all nodes: listnodes
To list all ports: listports [[-id ] | [host]]
To
To restart a device: restartdevice <[-id ] | [host]>
To restore a device configuration: restoredevice <[-host ] | [-id ]> [backup_id]
To shutdown CC-SG: shutdowncc minutes [message]
To open an SSH connection to an SX device: ssh [-e ] <[-id ] | [host]>
To change a user: su [-u ]
To upgrade a device's firmware: upgradedevice <[-id ] | [host]>
To list all current users: userlist
To exit the SSH ses
Command syntax | Device ID value | You should type
ssh -id | 100 | ssh -id 100

• The default escape character is a tilde followed by a period. For example: ~. See End SSH Connections (on page 260) for details on using the escape character and the exit command. You may have problems using the escape character in the Linux terminal or client. Raritan recommends that you define a new escape character when establishing a port connection.
2. Connect to the device by typing ssh -id . Using the figure above as an example, you can connect to SX-229 by typing ssh -id 1370.

Use SSH to Connect to a Node via a Serial Out-of-Band Interface
You can use SSH to connect to a node through its associated serial out-of-band interface. The SSH connection is in proxy mode.
1. Type listinterfaces to view the node ids and associated interfaces.
2.
Command | Alias | Description
get_write | gw | Gets Write Access. Allows SSH user to execute commands at target server while browser user can only observe proceedings.
get_history | gh | Gets History. Displays the last few commands and results at target server.
send_break | sb | Sends Break. Breaks the loop in target server initiated by browser user.
help | ?,h | Prints help screen.
Serial Admin Port
The serial admin port on CC-SG can be connected directly to a Raritan serial device, such as Dominion SX or KSX. You can connect to the SX or KSX via the IP address using a terminal emulation program, such as HyperTerminal or PuTTY. Set the baud rate in the terminal emulation program to match the SX or KSX baud rate.
V1 Serial Admin Port:
E1 Serial Admin Port:
- OR -

About Terminal Emulation Programs
HyperTerminal is available on many Windows OS.
3. A new window opens with your CC-SG serial number.

Web Services API
You must accept the End User Agreement before adding a Web Services API client to CC-SG. You can add up to five WS-API clients. See the CC-SG Web Services API Guide for details on using the API.
To add a Web Services API:
1. Select Access > Add Web Services API. This option is available only for users with the CC Setup and Control Privilege.
2. Read the End User Agreement.
h. Division/Department Name: CSR tag is Organization Unit Name. Maximum 64 characters.
i. Fully Qualified Domain Name: CSR tag is Common Name.
j. Administrator Email Address: Type in the email address of the administrator who is responsible for the certificate request.
k. Challenge Password: Maximum 64 characters. Note: The Challenge Password is used internally by CC-SG to generate the certificate. You do not need to remember it.
l.
Chapter 16 Diagnostic Console

The Diagnostic Console is a non-graphical, menu-based interface that provides local access to CC-SG. You can access Diagnostic Console from a serial or KVM port. See Access Diagnostic Console via VGA/Keyboard/Mouse Port (on page 264). Or, you can access Diagnostic Console from a Secure Shell (SSH) client, such as PuTTY or OpenSSH Client. See Access Diagnostic Console via SSH (on page 264).
Diagnostic Console includes two interfaces:
1.
Status Console

About Status Console
• You can use the Status Console to check the health of CC-SG, the various services CC-SG uses, and the attached network.
• By default, Status Console does not require a password.
• You can configure CC-SG to provide the Status Console information over a Web interface. You must enable the Web Status Console-related options. See Access Status Console via Web Browser (on page 265).
2: Access the Status Console via web browser:
1. Using a supported Internet browser, type this URL: http(s):///status/ where is the IP address of the CC-SG. Note the forward slash (/) following /status is mandatory. For example, https://10.20.3.30/status/.
2. A status page opens. This page contains the same information as the Status Console.
CC-SG Title, Date and Time
The CC-SG title is constant so users know that they are connected to a CC-SG unit. The date and time at the top of the screen is the last time when the CC-SG data was polled. The date and time reflect the timing values saved on the CC-SG server.

Message of the Day
The Message of the Day (MOTD) box displays the first 5 lines of the MOTD which are entered in the CC-SG Admin Client.
Information | Description
Restoring: CC-SG is in the process of restoring itself and database queries are temporarily suspended.
Down: Database server has not started yet.
Web Status: Most of the access to the CC-SG server is through the Web. This field shows the state of the Web server and available statuses include:
Responding/Unsecured: The Web server is up and answering http (unsecured) requests.
RAID Status
Information | Description
Speed | The speed at which this interface is operating: 10, 100 or 1000 Mbits per second.
Duplex | Indicates whether the interface is Full- or Half-duplex.
IPAddr | The current IPv4 address of this interface.
RX -Pkts | The number of IP packets received on this interface since CC-SG was booted.
TX -Pkts | The number of IP packets transmitted on this interface since CC-SG was booted.
Status Console via Web Browser
After connecting to the Status Console via the web browser, the read-only Status Console web page appears. The web page displays the same information as the Status Console, and also updates the information approximately every 5 seconds. For information on the links for CC-SG Monitors at the bottom of the web page, see Display Historical Data Trending Reports (on page 294) and CC-SG Disk Monitoring (on page 340).
Administrator Console
About Administrator Console
The Administrator Console allows you to set some initial parameters, provide initial networking configuration, debug log files, perform some limited diagnostics, and restart CC-SG.
The main Administrator Console screen appears.
Administrator Console Screen
The Administrator Console screen consists of 4 main areas.
• Menu bar: You can perform Administrator Console functions by activating the menu bar. Press Ctrl+X to activate the menu bar, or click a menu item using the mouse if you access Administrator Console via the SSH client. The File menu provides an alternative option to exit the Diagnostic Console.
• Status bar: The status bar is just above the navigation keys bar. It displays some important system information, including CC-SG's serial number, firmware version, and the time when the information shown in the main display area was loaded or updated. Screenshots containing this information may be useful when reporting problems to Raritan Technical Support.
• Navigation keys bar: See Navigate Administrator Console (on page 273).
Edit Diagnostic Console Configuration
The Diagnostic Console can be accessed via the serial port (COM1), VGA/Keyboard/Mouse (KVM) port, or from SSH clients. For Status Console, one more access mechanism, Web access, is also available. For each port type, you can configure whether or not status or admin logins are allowed, and whether field support can access Diagnostic Console from the port.
4. Click Save.
Edit Network Interfaces Configuration (Network Interfaces)
In Network Interface Configuration, you can perform initial setup tasks, such as setting the hostname and IP address of the CC-SG.
1. Choose Operation > Network Interfaces > Network Interface Config.
2. If the network interfaces have already been configured, you will see a Warning message stating that you should use the CC-SG Admin Client to configure the interfaces. If you want to continue, click YES.
Even if DHCP is being used to determine the IP configuration for an interface, you must provide a properly formatted IP address and Netmask.
6. In the Adapter Speed field, select a line speed. The other values of 10, 100, and 1000 Mbps are on a scrollable list (where only one value is visible at any given time) and the arrow keys are used to navigate to them. Press the Space bar to select the option displayed. For 1 GB line speeds, select AUTO.
7.
Option | Description
Record Route | Records route. Turns on the IP record route option, which will store the route of the packet inside the IP header.
Use Broadcast Address | Allows pinging a broadcast message.
Adaptive Timing | Adaptive ping. Interpacket interval adapts to round-trip time, so that effectively no more than one unanswered probe is present in the network. Minimal interval is 200 msec.
4.
Option | Description
No DNS Resolution | Does not resolve addresses to host names.
Use ICMP (vs. normal UDP) | Use ICMP ECHO instead of UDP datagrams.
4. Type values for how many hops the traceroute command will use in outgoing probe packets (default is 30), the UDP destination port to use in probes (default is 33434), and the size for the traceroute packets. If left blank, defaults will be used. Optional.
5. Click Traceroute in the bottom right-hand corner of the window.
6.
Although you can delete all other routes, including the Default Gateway, doing this will greatly impact the communication with CC-SG.
View Log Files in Diagnostic Console
You can view one or more log files simultaneously via LogViewer, which allows browsing through several files at once to examine system activity. The Logfile list is updated only when the associated list becomes active, as when a user enters the logfile list area, or when a new sorting option is selected. File names are preceded by a timestamp indicating either how recently the logfile has received new data or the file size of the logfile.
3. Click with the mouse or use the arrow keys to navigate and press the Space bar to select a log file, marking it with an X. You can view more than one log file at a time.
To sort the Logfiles to View list:
The Sort Logfile list by options control the order in which logfiles are displayed in the Logfile to View list.
Option | Description
Individual Windows | Display the selected logs in separate sub-windows.
Merged Windows | Merge the selected logs into one display window.
Option | Description
(continued) | contents of this package is not available to customer. Exported logfiles will be available for up to 10 days, and then the system will automatically delete them.
View | View the selected log(s).
When View is selected with Individual Windows, the LogViewer displays:
While viewing log files, press Q, Ctrl+Q, or Ctrl+C to return to the previous screen. You can change colors in a log file to highlight what is important.
Note: System load is static as of the start of this Admin Console session. Use the TOP utility to dynamically monitor system resources.
To filter a log file with a regular expression:
1. Type e to add or edit a regular expression and select a log from the list if you have chosen to view several.
2. Type A to add a regular expression. For example, to display information on the WARN messages in sg/jboss/console.log log file, enter WARN and select match.
Diagnostic Console. See Restarting CC-SG (on page 200). Restarting CC-SG in Diagnostic Console will NOT notify users that it is being restarted.
To restart CC-SG with Diagnostic Console:
1. Choose Operation > Admin > CC-SG Restart.
2. Either click Restart CC-SG Application or press Enter. Confirm the restart in the next screen to proceed.
Reboot CC-SG with Diagnostic Console
This option will reboot the entire CC-SG, which simulates a power cycle.
2. Either click REBOOT System or press Enter to reboot CC-SG. Confirm the reboot in the next screen to proceed.
Power Off CC-SG System from Diagnostic Console
This option will power off the CC-SG unit. Logged-in users will not receive a notification. CC-SG, SSH, and Diagnostic Console users (including this session) will be logged off. Any connections to remote target servers will be terminated.
2. Either click Power OFF the CC-SG or press Enter to remove AC power from the CC-SG. Confirm the power off operation in the next screen to proceed.
Reset CC Super-User Password with Diagnostic Console
This option will reset the password for the CC Super User account to the factory default value.
Factory default password: raritan
Note: This is not the password for the Diagnostic Console admin user. See Diagnostic Console Password Settings (on page 289).
2. Either click Reset CC-SG GUI Admin Password or press Enter to change the admin password back to factory default. Confirm the password reset in the next screen to proceed.
Reset CC-SG Factory Configuration (Admin)
This option will reset all or parts of the CC-SG system back to their factory default values. All active CC-SG users will be logged out without notification and SNMP processing will stop. It is recommended that you use the options selected by default.
Option | Description
Full CC-SG Database Reset | This option removes the existing CC-SG database and builds a new version with the factory default values. Network settings, SNMP settings, firmware, and diagnostic console settings are not part of the CC-SG database. IP-ACL settings are reset with a Full Database reset whether you select the IP ACL Tables option or not.
Option | Description
Diagnostic Console Reset | This option restores Diagnostic Console settings back to factory defaults.
IP Access Control Lists Reset | This option removes all entries from the IP-ACL table. IP-ACL settings are reset with a Full Database reset whether you select the IP Access Control Lists reset option or not. See Access Control List (on page 244).
To reset CC-SG to the factory configuration:
1. Choose Operation > Admin > Factory Reset.
2.
2. In the Password History Depth field, type the number of passwords that will be remembered. The default setting is five.
3. Select either Regular, Random, or Strong for the admin and status (if enabled) passwords.
Password setting | Description
Regular | These are standard. Passwords must be longer than four characters with few restrictions. This is the system default password configuration.
Random | Provides randomly generated passwords.
Password setting | Description
(continued) | every password must have at least one digit in it.
Diagnostic Console Account Configuration
By default, the status account does not require a password, but you can configure it to require one. Other aspects of the admin password can be configured and the Field Support accounts can be enabled or disabled.
To configure accounts:
1. Choose Operation > Admin > DiagCon Passwords > Account Configuration.
2.
Setting | Description
User \ User Name | (Read-only). This is the current user name or ID for this account.
Last Changed | (Read-only). This is the date of the last password change for this account.
Expire | (Read-only). This is the day that this account must change its password.
Mode | A configurable option that sets whether the account is disabled (no login allowed), enabled (authentication token required), or allowed access with no password required.
Configure Remote System Monitoring
You can enable the remote system monitoring feature to use the GKrellM tool. The GKrellM tool provides a graphical view of resource utilization on the CC-SG unit. This tool is similar to the Windows Task Manager's Performance tab.
1: Enable remote system monitoring for the CC-SG unit:
1. Choose Operation > Utilities > Remote System Monitoring.
2. Select Enabled in the Remote Monitoring Service field.
3.
3: Configure the remote system monitoring client to work with CC-SG:
Follow the instructions in the Read Me file to set the CC-SG unit as the target to monitor. Windows users must use the command line to locate the Gkrellm installation directory and then run the commands specified in the Read.
Display Historical Data Trending Reports
Historical data trending gathers information about CPU utilization, memory utilization, Java Heap space, and network traffic.
Display RAID Status and Disk Utilization
This option displays the status of CC-SG disks, including disk size, active and up status, state of the RAID-1, and amount of space currently used by various file systems.
To display disk status of the CC-SG:
1. Choose Operation > Utilities > Disk / RAID Utilities > RAID Status + Disk Utilization.
2. Either click Refresh or press Enter to refresh the display.
Perform Disk or RAID Tests
You can manually perform SMART disk drive tests or RAID check and repair operations.
To perform a disk drive test or a RAID check and repair operation:
1. Choose Operation > Utilities > Disk/RAID Utilities > Manual Disk/RAID Tests.
2. To perform a SMART disk drive test:
a. In the Disk Test section, select the type of test, and the disk drive that you want to test.
b. Select Submit.
c. The test is scheduled and a SMART information screen displays.
d. After the test is complete, you can view the results in the Repair/Rebuild RAID screen. See Repair or Rebuild RAID Disks (on page 299).
If a non-zero value displays in the MisMatch column for the given Array, indicating that there may be a problem, you should contact Raritan Technical Support for assistance.
Schedule Disk Tests
You can schedule SMART-based tests of the disk drives to be periodically performed. Firmware on the disk drive will perform these tests, and you can view the test results in the Repair/Rebuild screen. See Repair or Rebuild RAID Disks (on page 299).
SMART tests can be performed while CC-SG is operational and in use. They have a marginal impact on the CC-SG performance, but CC-SG activities may significantly delay the completion of the SMART tests.
2. Click with the mouse or use the arrow keys to navigate and press the Space bar to select a test type, marking it with an X. Different types of tests take different amounts of time. A Short test takes about 2 minutes to complete when the system is lightly loaded. A Conveyance test takes about 5 minutes. A Long test takes about 50 minutes. An OffLine test takes up to 50 minutes.
3. Specify the date and time for running this test.
2. If any item does not show "No" under the "Replace??" or "Rebuild??" column, contact Raritan Technical Support for assistance.
A good system:
A contrived system showing multiple problems:
The system will update displayed information when you move between Disk Drive Status, RAID Array Status, and Potential Operations box using the Tab key or mouse clicks.
3.
4. Select either Replace Disk Drive or Rebuild RAID Array, and follow the onscreen instructions until you finish the operation.
View Top Display with Diagnostic Console
Top Display allows you to view the list of currently-running processes and their attributes, as well as overall system health.
To display the processes running on CC-SG:
1. Choose Operation > Utilities > Top Display.
2. View the total running, sleeping, total number, and processes that have stopped.
3.
NTP is not enabled or not configured properly:
NTP is properly configured and running:
Take a System Snapshot
When CC-SG does not function properly, it is extremely helpful if you can capture the information stored in CC-SG, such as the system logs, configurations or database, and provide it to Raritan Technical Support for analysis and troubleshooting.
1: Take a snapshot of CC-SG:
1. Choose Operation > Utilities > System Snapshot.
2. Click or select Yes. The System Snapshot menu opens.
3.
2: Retrieve the CC-SG snapshot file:
1. Using a supported Internet browser, type this URL: http(s)://<IP address>/upload/ where <IP address> is the IP address of the CC-SG. Note that the forward slash (/) following /upload is mandatory. For example, https://10.20.3.30/upload/.
2. The Enter Network Password dialog appears. Type the User Name and Password of the Diagnostic Console admin account, and click OK to log in.
3.
Chapter 17 Power IQ Integration
If you have a CC-SG and Power IQ, there are several ways to use them together.
1. Control power to Power IQ IT devices via CC-SG. For example, if you want to control power to a Power IQ IT device which is also a CC-SG node, you can use a Power IQ Proxy interface to give power control commands in CC-SG.
2. Use CSV file imports and exports to share data between these two systems.
2. Type a name for the device in the Power IQ Device Name field. The name must be unique for the Power IQ Device providing the service. CC-SG does not accept duplicate names. See Naming Conventions (on page 353) for details on CC-SG's rules for name lengths.
3. Type the IP Address or Hostname of the device in the IP Address/Hostname field. See Terminology/Acronyms (on page 2) for hostname rules.
4.
Import Power Strips from Power IQ
You can import Dominion PX devices and their outlet names from Power IQ. If the Dominion PX devices are already managed by CC-SG, you must delete them first. The import adds the Dominion PX devices, and configures and names the outlets specified in the CSV file. Non-Dominion PX devices and outlets in the CSV file are ignored during import.
Column number | Tag or value | Details
(continued) | | Default is FALSE.
7 | Description | Optional.
Step 3: Import the edited CSV file into CC-SG
1. In the CC-SG Admin Client, choose Administration > Import > Import Powerstrips.
2. Click Browse and select the CSV file to import. Click Open.
3. Click Validate. The Analysis Report area shows the file contents. If the file is not valid, an error message appears.
4. Click Save.
Step 2: Edit the CSV file and import into Power IQ:
The export file contains three sections. Read the comments in the CSV file for instructions on how to use each section as part of a Power IQ multi-tabbed CSV import file. See the Power IQ User Guide and CSV Import Template in the Support section of Raritan.com, on the Firmware and Documentation page.
Appendix A Specifications for V1 and E1
In This Chapter
V1 Model
E1 Model
V1 Model
V1 General Specifications
Form Factor | 1U
Dimensions (DxWxH) | 24.21” x 19.09” x 1.75”, 615 mm x 485 mm x 44 mm
Weight | 23.80lb (10.
Operating
Humidity | 5% - 95% RH
Altitude | Operate properly at any altitude between 0 to 10,000 feet, storage 40,000 feet (Estimated)
Vibration | 5-55-5 Hz, 0.38 mm, 1 minute per cycle; 30 minutes for each axis (X, Y, Z)
Shock | N/A
E1 Model
E1 General Specifications
Form Factor | 2U
Dimensions (DxWxH) | 27.05” x 18.7” x 3.46”, 687 mm x 475 mm x 88 mm
Weight | 44.
Operating
Non-Operating
Temperature | -40°-70° C
Humidity | 5-90%, non-condensing
Altitude | Sea level to 40,000 feet
Vibration | 10 Hz to 300 Hz sweep at 2 g constant acceleration for one hour on each of the perpendicular axes X, Y, and Z
Shock | 30 g for 11 ms with a ½ sine wave for each of the perpendicular axes X, Y, and Z
Appendix B CC-SG and Network Configuration
This appendix contains network requirements, including addresses, protocols, and ports, of a typical CC-SG deployment. It includes information about how to configure your network for both external access and internal security and routing policy enforcement. Details are provided for the benefit of a TCP/IP network administrator. The TCP/IP administrator's role and responsibilities may extend beyond that of a CC-SG administrator.
Port Number | Protocol | Purpose | Details
(continued) Raritan device that will be externally accessed. The other ports in the table must be opened only for accessing CC-SG. AES-128/AES-256 encrypted if configured.
80 and 443 for Control System nodes TCP Virtual Node Access N/A TCP SX Target Access (Direct Mode) AES-128/AES-256 encrypted if configured.
CC-SG and Raritan Devices
A main role of CC-SG is to manage and control Raritan devices, such as Dominion KX II.
Communication Direction | Port Number | Protocol | Configurable? | Details
CC-SG to CC-SG | 5432 | TCP | no | From HA-JDBC on Primary to Backup PostgreSQL DB server. Not encrypted.
CC-SG to CC-SG | 8732 | TCP | no | Primary-Backup server sync clustering control data exchange. MD5 encrypted.
CC-SG to CC-SG | 3232 | TCP | no | Primary-Backup SNMP sync configuration changes forwarding. Not encrypted.
Communication Direction | Port Number | Protocol | Configurable? | Details
PC Client to CC-SG | 443 | TCP | no | Client-server communication. SSL/AES-128/AES-256 encrypted if configured.
PC Client to CC-SG | 80 | TCP | no | Client-server communication. Not encrypted. If SSL is enabled, Port 80 is redirected to 443.
PC Client to CC-SG | 8080 | TCP | no | Client-server communication. SSL/AES-128/AES-256 encrypted if configured. Port 8080 is open on CC-SG, not on the PC client.
Communication Direction | Port Number | Protocol | Configurable? | Details
Client to Raritan Device to Out-of-Band KVM Node (Direct Mode) | 5000 (on Raritan Device) | TCP | yes | Client-server communication. SSL/AES-128/AES-256 encrypted if configured.
Client to Raritan Dominion SX Device to Out-of-Band Serial Node | 51000 (on Raritan Device) | TCP | yes | Client-server communication. SSL/AES-128/AES-256 encrypted if configured.
Communication Direction | Port Number | Protocol | Configurable? | Details
CC-SG to SNMP Manager | 162 | UDP | yes | SNMP standard
CC-SG Internal Ports
CC-SG uses several ports for internal functions, and its local firewall function blocks access to these ports. However, some external scanners may detect these as “blocked” or “filtered.” External access to these ports is not required and can be further blocked.
VNC Access to Nodes
Port 5800 or 5900 must be open for VNC access to nodes.
SSH Access to Nodes
Port 22 must be open for SSH access to nodes.
Remote System Monitoring Port
When the Remote System Monitoring feature is enabled, port 19150 is opened by default. See Configure Remote System Monitoring (on page 293).
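
The port tables in this appendix can serve as the baseline for a firewall rule review. The following is an added example, not Raritan's code: it checks allow rules that involve a CC-SG unit against the ports and encryption notes listed above. The Rule shape, the zone names and the sample rules are constructed for illustration, and TCP for port 19150 is an assumption because the page does not state the protocol.

```python
from dataclasses import dataclass

CLUSTER = "CC-SG to CC-SG"
CLIENT = "PC Client to CC-SG"

# (port, protocol) -> (direction, purpose, protection), transcribed from the
# tables in this appendix. Protection values used here:
#   "none"          the page says "Not encrypted"
#   "if-configured" the page says "SSL/AES-128/AES-256 encrypted if configured"
#   "md5"           the page says "MD5 encrypted"; MD5 is a hash function, so
#                   this audit treats confidentiality as unverified
#   "unstated"      the page gives no encryption detail
CCSG_PORTS = {
    (5432, "tcp"): (CLUSTER, "HA-JDBC to backup PostgreSQL", "none"),
    (8732, "tcp"): (CLUSTER, "cluster control data sync", "md5"),
    (3232, "tcp"): (CLUSTER, "SNMP sync config forwarding", "none"),
    (443, "tcp"): (CLIENT, "client-server", "if-configured"),
    (80, "tcp"): (CLIENT, "client-server", "none"),
    (8080, "tcp"): (CLIENT, "client-server", "if-configured"),
    (162, "udp"): ("CC-SG to SNMP Manager", "SNMP", "unstated"),
    # Protocol for 19150 is not stated on the page; TCP is assumed.
    (19150, "tcp"): ("Remote System Monitoring", "GKrellM", "unstated"),
}

SEVERITY_ORDER = {"OK": 0, "INFO": 1, "REVIEW": 2, "HIGH": 3}


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule (hypothetical shape, not a CC-SG format)."""
    name: str
    src_zone: str  # constructed labels: "cluster", "mgmt", "untrusted"
    port: int
    proto: str


def audit_rule(rule):
    """Return (severity, message) findings for one allow rule."""
    entry = CCSG_PORTS.get((rule.port, rule.proto.lower()))
    if entry is None:
        return [("REVIEW", "port is not in the tables excerpted here")]
    direction, purpose, protection = entry
    findings = []
    if direction == CLUSTER and rule.src_zone != "cluster":
        findings.append(
            ("HIGH", f"{purpose}: cluster-only port open to {rule.src_zone}"))
    if protection == "none":
        if rule.src_zone == "untrusted":
            findings.append(
                ("HIGH", f"{purpose}: unencrypted and open to untrusted zone"))
        else:
            findings.append(
                ("INFO", f"{purpose}: unencrypted, keep on a trusted segment"))
    elif protection == "if-configured":
        findings.append(
            ("INFO", f"{purpose}: encrypted only if configured, verify it"))
    elif protection == "md5":
        findings.append(
            ("REVIEW", f"{purpose}: 'MD5 encrypted' per the page, confirm"))
    if rule.port == 19150:
        findings.append(
            ("REVIEW", "needed only while Remote System Monitoring is enabled"))
    return findings


def worst(findings):
    """Highest severity among findings, or "OK" when there are none."""
    return max((sev for sev, _ in findings),
               key=SEVERITY_ORDER.get, default="OK")


def audit(rules):
    """Map each rule name to its list of findings."""
    return {rule.name: audit_rule(rule) for rule in rules}


# Constructed sample rule set for illustration (not from the page).
SAMPLE_RULES = [
    Rule("ha-db-sync", "cluster", 5432, "tcp"),
    Rule("db-from-wan", "untrusted", 5432, "tcp"),
    Rule("admin-https", "mgmt", 443, "tcp"),
    Rule("admin-http-wan", "untrusted", 80, "tcp"),
    Rule("cluster-ctl", "cluster", 8732, "tcp"),
    Rule("gkrellm", "mgmt", 19150, "tcp"),
    Rule("legacy-telnet", "mgmt", 23, "tcp"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: {worst(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```
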
Appendix C User Group Privileges
This table shows which privilege must be assigned for a user to have access to a CC-SG menu item.
*None means that no particular privilege is required. Any user who has access to CC-SG will be able to view and access these menus and commands.
Menu > Submenu | Menu Item | Required Privilege | Description
Secure Gateway | | | This menu is available for all users.
Devices | This menu and the Devices tree is available only for users with any one of the following privileges: Device, Port, and Node Management; Device Configuration and Upgrade Management
Discover Devices | Device, Port, and Node Management
> Device Manager >> Configuration
> Add Device | Device, Port, and Node Management
(Editing devices) | Device, Port, and Node Management
> Delete Device | Device, Port, an
(continued) | Management or Device Configuration and Upgrade Management
> Change View
> Port Manager
> Launch User Station Admin | Device, Port, and Node Management
> Disconnect Users | Device, Port, and Node Management or Device Configuration and Upgrade Management
> Topology View | Device, Port, and Node Management
> Create Custom View | Device, Port, and Node Management or Device Configuration and Upgrade Management
> Tre
> By Port Number | Device, Port, and Node Management or Device Configuration and Upgrade Management
Nodes | This menu and the Nodes tree is available only for users with any one of the following privileges: Device, Port, and Node Management; Node In-Band Access; Node Out-of-Band Access; Node Power Control
Add Node | Device, Port, and Node Management
(Editing Nodes) | Device, Port, and Node Management
Delete Node | Device
(continued) | Control
Configure Blades | Device, Port, and Node Management
> Node Sorting Options
Ping Node | Device, Port, and Node Management
Bookmark Node Interface | Node In-band Access or Node Out-of-band Access
> By Node Name | Any of the following: Device, Port, and Node Management or Node In-band Access or Node Out-of-band Access or Power Control
> By Node Status | Any of the following: Device, Port, and Node Management or
(continued) | Node Power Control
> Tree View | Any of the following: Device, Port, and Node Management or Node In-band Access or Node Out-of-band Access or Node Power Control
Associations | This menu is available only for users with the User Security Management privilege
> Association | User Security Management | Includes ability to add, modify, and delete.
Reports
> Users
Menu > Submenu | Menu Item | Required Privilege
> Devices
> Device Asset Report | Device, Port, and Node Management or Device Configuration and Upgrade Management
> Device Group Data | Device, Port, and Node Management
> Query Port | Device, Port, and Node Management
> Node Asset Report | Device, Port, and Node Management
> Active Nodes | Device, Port, and Node Management
> Node Creation | Device, Port, and Node Management
> Node Group Data | Device, Port, and Node Manageme
(continued) | Upgrade Management
> Import Configuration | CC Setup and Control
Cluster Configuration | CC Setup and Control
Neighborhood | CC Setup and Control
Security | CC Setup and Control
Notifications | CC Setup and Control
Tasks | CC Setup and Control
Compatibility Matrix | Device, Port, and Node Management or Device Configuration and Upgrade Management
Import Categories | CC Setup and Control and User Security Management
Import Users
(continued) | Device, Port, and Node Management
Export Devices | CC Setup and Control and Device, Port, and Node Management
Export Power IQ Data | CC Setup and Control and
Backup | CC Setup and Control
Restore | CC Setup and Control
Reset | CC Setup and Control
Restart | CC Setup and Control
Upgrade | CC Setup and Control
Shutdown | CC Setup and Control
> Enter Maintenance Mode | CC Setup and Control
> Exit Maintenance Mode | CC
Appendix D SNMP Traps
CC-SG provides the following SNMP traps:
SNMP Trap | Description
ccUnavailable | CC-SG application is unavailable.
ccAvailable | CC-SG application is available.
ccUserLogin | CC-SG user logged in.
ccUserLogout | CC-SG user logged out.
ccPortConnectionStarted | CC-SG session started.
ccPortConnectionStopped | CC-SG session stopped.
ccPortConnectionTerminated | CC-SG session terminated.
ccImageUpgradeStarted | CC-SG image upgrade started.
ccImageUpgradeResults | CC-SG image upgrade results.
SNMP Trap | Description
ccDiagnosticConsoleLogout | User has logged out of the CC-SG Diagnostic Console.
ccUserGroupAdded | A new user group has been added to CC-SG.
ccUserGroupDeleted | CC-SG user group has been deleted.
ccUserGroupModified | CC-SG user group has been modified.
ccSuperuserNameChanged | CC-SG Superuser username has changed.
ccSuperuserPasswordChanged | CC-SG Superuser password has changed.
ccLoginBannerChanged | CC-SG login banner has changed.
Appendix E CSV File Imports
This section contains more information about CSV file imports.
In This Chapter
Common CSV File Requirements
Audit Trail Entries for Importing
Troubleshoot CSV File Problems
Common CSV File Requirements
The best way to create the CSV file is to export a file from CC-SG, and then use the exported CSV file as an example for creating your own. The export file contains comments at the top that describe each item in the file. The comments can be used as instructions for creating a file for importing. It is recommended that you create the import file in a spreadsheet program like Microsoft Excel. Enter each item in its own cell.
Audit Trail Entries for Importing
Each item imported into CC-SG is logged in the Audit Trail. Skipped duplicates are not logged in the Audit Trail. The Audit Trail includes an entry for the following actions, under the Message Type "Configuration."
• Import of CSV file started
• Import of CSV file completed, including number of records successfully added, number of records failed, and number of duplicate records ignored.
Troubleshoot CSV File Problems
To troubleshoot CSV file validation:
Error messages appear in the Problems area of the Import page. The error messages identify problems that are found in the CSV file during validation. You can save the list of errors to a CSV file. Each error includes the line number where the error occurs in the CSV file. See the comments at the top of an export file to help you correct errors. When the file has been corrected, validate the file again.
Appendix F Troubleshooting
• Launching CC-SG from your web browser requires a Java plug-in. If your machine has an incorrect version, CC-SG will guide you through the installation steps. If your machine does not have a Java plug-in, CC-SG cannot automatically launch. In this case, you must uninstall or disable your old Java version and provide serial port connectivity to CC-SG to ensure proper operation.
• If CC-SG does not load, check your web browser settings.
• If you access more than one CC-SG unit using the same client and Firefox, you may see a "Secure Connection Failed" message that says you have an invalid certificate. You can resume access by clearing the invalid certificate from your browser.
a. In Firefox, choose Tools > Options.
b. Click Advanced.
c. Click the Encryption tab.
d. Click View Certificates and find "Raritan" in the list.
e. Select the CommandCenter item and click Delete. Click OK to confirm.
Appendix G Diagnostic Utilities
CC-SG comes with a few diagnostic utilities that may be extremely helpful when you or Raritan Technical Support need to analyse and debug the cause of CC-SG problems.
In This Chapter
Memory Diagnostic
Debug Mode
CC-SG Disk Monitoring
Capture the Memtest86+ screen containing the memory errors and contact Raritan Technical Support for assistance.
Shut down CC-SG and re-install the memory DIMM modules to ensure the contact is good. Then perform the Memtest86+ diagnostic to verify whether the memory issue is resolved.
2: Terminate the Memtest86+ diagnostic program:
1. Press Esc.
2. CC-SG will reset and reboot.
CC-SG Disk Monitoring
If CC-SG disk space is exhausted in one or more file systems, it may negatively impact your operation and even result in the loss of some engineering data. Therefore, you should monitor the CC-SG disk usage and take corrective actions to prevent or resolve potential issues. You may perform the disk monitoring either via the Diagnostic Console or via the Web browser.
File system | Data | Corrective action
/sg/DB | CC-SG database | Contact Raritan Technical Support
/opt | CC-SG backups and snapshots | See the steps below.
1. Save any new snapshot files on a remote client PC. See Take a System Snapshot (on page 303) for the retrieval procedure.
2. Enter the System Snapshot menu (see "Take a System Snapshot" on page 303).
3. Select Pre-Clean-up SNAP area.
4. Select Pre-Clean-up UPLOAD area.
5. Deselect SNAP.
6. Deselect Package & Export.
7. Click or select Submit.
Note: For file system problems that are not mentioned in this section, or when the corrective actions you take cannot resolve the problems, contact Raritan Technical Support for assistance.
Appendix H Two-Factor Authentication

CC-SG can be configured to point to an RSA RADIUS Server that supports two-factor authentication via an associated RSA Authentication Manager. CC-SG acts as a RADIUS client and sends user authentication requests to the RSA RADIUS Server. Each authentication request includes a user ID, a fixed password, and a dynamic token code.

In This Chapter
Supported Environments for Two-Factor Authentication
Two-Factor Authentication Setup Requirements
Appendix I FAQs

In This Chapter
General FAQs
Authentication FAQs
Security FAQs
Accounting FAQs
Performance FAQs
Question: Can I upgrade to newer versions of CC-SG software as they become available?
Answer: Yes. Contact your authorized Raritan sales representative or Raritan, Inc. directly.
Answer: ... model with IP-Reach and the IP User Station (UST-IP). The network model scales through use of the TCP/IP network and aggregates access through CC-SG, so users don't have to know IP addresses or the topology of access devices. It also provides the convenience of single sign-on.
Question: ... security tools such as LDAP, AD, RADIUS, and so on?
Answer: ... TACACS+, RADIUS, and LDAP.

Question: Why does the error message "Incorrect username and/or password" appear after I correctly enter a valid username and password to log into CC-SG?
Answer: Check the user account in AD. If the account's "Logon To" setting in AD restricts it to specific computers on the domain, you are not allowed to log into CC-SG. In this case, remove the "Logon To" restriction in AD.
Question: ... WAN, but LAN, too)?

Question: Does CC-SG support CRL List, that is, LDAP list of invalid certificates?
Answer: No.

Question: Does CC-SG support Client Certificate Request?
Answer: No.

Accounting FAQs

Question: The event times in the Audit Trail report seem incorrect. Why?
Answer: Log event times are logged according to the time settings of the client computer. You can adjust the computer's time and date settings.
Grouping FAQs

Question: Is it possible to put a given server in more than one group?
Answer: Yes. Just as one user can belong to multiple groups, one device can belong to multiple groups.

Question: What impact to other usage would be blocked through the active usage of the console port, for example, some UNIX variants not allowing admin over network interfaces?
Answer: A console is generally considered a secure and reliable access path of last resort.
Interoperability FAQs

Question: How does CC-SG integrate with Blade Chassis products?
Answer: CC-SG can support any device with a KVM or serial interface as a transparent pass-through.
Appendix J Keyboard Shortcuts The following keyboard shortcuts can be used in the Java-based Admin Client.
Appendix K Naming Conventions

This appendix includes information about the naming conventions used in CC-SG. Comply with the maximum character lengths when naming all the parts of your CC-SG configuration.

In This Chapter
User Information
Node Information
Location Information
Field in CC-SG: Number of characters CC-SG allows
Audit Information: 256

Location Information

Field in CC-SG: Number of characters CC-SG allows
Department: 64
Site: 64
Location: 128

Contact Information

Field in CC-SG: Number of characters CC-SG allows
Primary Contact Name: 64
Telephone Number: 32
Cell Phone: 32
Secondary Contact Name: 64
Telephone Number: 32
Cell Phone: 32

Field in CC-SG: Number of characters CC-SG allows
Service Account Name: 64
User Name: 64
Field in CC-SG periods are converted to hyphens.
Appendix L Diagnostic Console Bootup Messages

Prior to version 4.0, the CC-SG Diagnostic Console displays a number of messages on the screen each time it boots up. These are standard Linux diagnostic and warning messages and usually do not imply any system problems. The table offers a short introduction to a few frequent messages.

Message: hda:
Description: The message indicates that something on the system is trying to communicate with the DVD-ROM drive.