CommandCenter Secure Gateway®
CC-SG Administrator Guide
Release 3.1.1
Copyright © 2007 Raritan, Inc.
Copyright and Trademark Information
This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of Raritan, Inc.
© Copyright 2007 Raritan, CommandCenter, RaritanConsole, Dominion, and the Raritan company logo are trademarks or registered trademarks of Raritan, Inc. All rights reserved.
Safety Guidelines
To avoid potentially fatal shock hazard and possible damage to Raritan equipment:
• Do not use a 2-wire power cord in any product configuration.
• Test AC outlets at your computer and monitor for proper polarity and grounding.
• Use only with grounded outlets at both the computer and monitor. When using a backup UPS, power the computer, monitor and appliance off the supply.
Contents
Chapter 1: Introduction
  Prerequisites
  Intended Audience
  Terminology/Acronyms

Right Click Options in the Device Tab
Device and Port Icons
Search for Devices
Device Profile Screen

Process for Configuring Power Control in CC-SG
Configuring PowerStrips Connected to KX, KX2, and P2SC
Add a PowerStrip Device Connected to a KX, KX2, or P2SC Device
Move a KX, KX2, or P2SC’s PowerStrip to a Different Port

Delete User Group
Add User
Edit a User
Delete User

LDAP Advanced Settings
Sun One LDAP (iPlanet) Configuration Settings
OpenLDAP (eDirectory) Configuration Settings
Add a TACACS+ Module

Adding and Deleting Applications
Adding an Application:
Deleting an Application:
Default Applications

Configuring Browser Connection Protocol: HTTP or HTTPS/SSL
Setting the Port Number for SSH Access to CC-SG
Login Settings
Strong Password Settings

Diagnostic Console Passwords (Admin)
Displaying Disk Status (Utilities)
Displaying Top Display (Utilities)
Displaying NTP (Network Time Protocol) Status (Utilities)
Figures
Figure 1 Login Window
Figure 2 Thick Client IP Address Specification Window
Figure 3 CC-SG Window Components
Figure 4 Confirm IP Address

Figure 51 Devices Tree Regular View Screen
Figure 52 Custom View Screen
Figure 53 Selecting a Custom View
Figure 54 Custom View Screen

Figure 104 Add LDAP Module
Figure 105 LDAP General Settings
Figure 106 LDAP Advanced Settings
Figure 107 Add TACACS+ Module

Figure 157 Extra Initialization Commands
Figure 158 Create a New Connection
Figure 159 Connection Name
Figure 160 Phone Number to Dial

Figure 211 NTP not configured in CC-SG GUI
Figure 212 NTP running on the CC-SG GUI
Figure 213 Serial Admin Port on G1
Figure 214 Serial Admin Port on E1
Chapter 1: Introduction
Congratulations on your purchase of CommandCenter Secure Gateway (CC-SG), Raritan’s convenient and secure method for managing various UNIX servers, firewalls, routers, load balancers, Power Management devices, and Windows servers. CC-SG provides central management and administration, using a set of serial and KVM appliances.
etc. that are managed by CC-SG. These devices control the target servers and systems that are connected to them.
• Director Client—A Java-based client for CC-SG useable by both normal access users and administrators. It is the only client that permits administration.
• Elements—are the values of a category. For example, the “New York City” element belongs to the “Location” category.
Chapter 2: Accessing CC-SG
Once you have configured CC-SG with an IP address, the CC-SG unit can be placed at its final destination. Make all necessary hardware connections to make the unit operational. You can access CC-SG in several ways, each described in this chapter:
• Browser: CC-SG supports numerous web browsers. (For a complete list of supported browsers and platforms, please refer to the Compatibility Matrix on http://www.raritan.com/support.
Thick Client Access
The CC-SG thick client allows you to connect to CC-SG by launching a Java Web Start application instead of running an applet through a web browser. The advantage of using the thick client instead of a browser is that the client can outperform the browser in terms of speed and efficiency.

Install the Thick Client
1.
9. Type your Username and Password in the corresponding fields, and then click Login to continue.

Use the Thick Client
Once the thick client is installed, there are 2 different ways to access it on your client computer. These are determined by the Java version you are using.
• Java 1.4.x If your client computer is running Java version 1.4.
CC-SG Window Components
Upon valid login, the CC-SG application window appears.
Figure 3 CC-SG Window Components
1. Nodes tab: Click the Nodes tab to display all known target nodes in a tree view. Click a node to view the Node Profile. Interfaces are grouped under their parent nodes. Click the + and - signs to expand or collapse the tree. Right-click an interface and select Connect to connect to that interface.
Initial Configurations
Upon first login, you should confirm the IP address, set the CC-SG server time, and check the firmware and application versions installed. You may need to upgrade the firmware and applications.

Confirm IP Address
1. On the Administration menu, click Configuration to open the Configuration Manager screen.
2. Click the Network Setup tab.
Figure 4 Confirm IP Address
3. (Optional) Check that the network settings are correct, and make changes if needed.
Set the CC-SG Server Time
1. Log onto CC-SG.
2. On the Administration menu, click Configuration to open the Configuration Manager screen.
3. Click the Time/Date tab.
Figure 5 Time/Date Configuration
4. On the Administration menu, click Configuration to open the Configuration Manager screen.
5. Click the Time/Date tab.
a.
Check and Upgrade CC-SG Firmware Version
1. Log in to CC-SG.
2. On the Help menu, click About Raritan Secure Gateway. A pop-up window containing the firmware version number appears. Click OK.
3. If the version is not current, you must upgrade your firmware. You can download the firmware upgrade file from the Raritan website. Save the firmware upgrade file to your client PC.
4. Switch to Maintenance Mode.
Check and Upgrade Application Versions
Check and upgrade the CC-SG applications, such as Raritan Console (RC) and Raritan Remote Client (RRC).
1. On the Administration menu, click Applications.
Figure 7 CC-SG Application Manager
2. Click the Application name drop-down arrow and select an application from the list. Note the number in the Version field.
3. If the application version is not current, you must upgrade the application.
Important: Do not hold the POWER button to forcibly power down CC-SG. The recommended way to power down CC-SG is to use the following procedure.
To power down the CC-SG:
1. Remove the bezel and firmly tap the POWER button. On G1 units, the POWER button is on the back of the unit.
2. Wait approximately one minute while CC-SG gracefully powers down.
Note: Users logged into CC-SG via Diagnostic Console will receive a short broadcast message when the CC-SG unit is powered down.
Chapter 3: Configuring CC-SG with Guided Setup

Prepare to Configure CC-SG with Guided Setup
Before proceeding with CC-SG configuration, you must complete system configuration.
• Configure and install Dominion series and IP-Reach appliances (both serial and KVM devices), including assigning an IP address.

Guided Setup Overview
Guided Setup offers a simple way to complete initial CC-SG configuration tasks, once the network configuration is complete.
• Create Groups—Categorize the devices and nodes that CC-SG manages into groups and create full access policies for each group.
• User Management—Add users and user groups to CC-SG, and select the policies and privileges that govern user access within CC-SG and to devices and nodes.

Associations
You can set up Associations to help organize the equipment that CC-SG manages.
• To delete an element, select its row, and then click the Delete Row icon to delete the selected element from the Elements table.
5. Repeat these steps until you have added all the elements within the category to the Elements table.
6. If you want to create another category, click Apply to save this category, and then repeat the steps in this section to add additional categories.
7. When you have finished creating categories and elements, click OK.
8.
5. Check Broadcast discovery if searching for devices on the same subnet on which CC-SG resides. Uncheck Broadcast discovery to discover devices across all subnets.
6. Click Discover.
7. When the discovery is complete, a confirmation message pops up. Click OK in the confirmation message.
8.
9. In the table of discovered devices, select the device you want to add to CC-SG, and then click Add. The Add Device panel opens. The Add Device panel is slightly different depending on the type of device you are adding.
Figure 13 Guided Setup – Add Device
10. You can change the Device name and Description by typing new information in the corresponding fields.
11.
20. If you want the Element to apply to the device and to the nodes connected to the device, check the Apply to Nodes checkbox.
21. If you want to add another device, click Apply to save this device, and then repeat the steps in this section to add additional devices.
22. When you have finished adding devices, click OK. The Device Summary panel displays a list of the devices that you added.
23. Click Continue to start the next task, Create Groups.
Select Devices
a. Click the Select Devices tab in the Add Devices Groups panel.
Figure 14 Guided Setup—Add Device Groups, Select Devices
• In the Available list, select the device you want to add to the group, and then click Add to move the device into the Selected list. Devices in the Selected list will be added to the group.
• If you want to remove a device from the group, select the device name in the Selected list, and then click Remove.
b.
g. In the Group name field, type a name for a node group you want to create.
h. There are two ways to add nodes to a group, Select Nodes and Describe Nodes. The Select Nodes section allows you to select which nodes you want to assign to the group by selecting them from the list of available nodes. The Describe Nodes section allows you to specify rules that describe nodes, and the nodes whose parameters follow those rules will be added to the group.
Select Nodes
a. Click the Select Nodes tab in the Add Nodes Groups panel.
Figure 15 Guided Setup—Add Node Groups, Select Nodes
b. In the Available list, select the node you want to add to the group, and then click Add to move the node into the Selected list. Nodes in the Selected list will be added to the group.
c. If you want to remove a node from the group, select the node name in the Selected list, and then click Remove.
d.
f. When you have finished adding node groups, click OK. The Group Summary panel displays a list of the groups that you added.
Figure 16 Guided Setup--Group Summary
g. Click Continue to start the next task, User Management. Follow the steps in the next section.

User Management
The fourth task of Guided Setup is User Management. User Management allows you to select the Privileges and Policies that govern the access and activities of groups of users.
5. In the Node Access section, you can specify whether you want the user group to have access to In band and Out of band nodes, and to Power Management functions. Check the checkboxes that correspond to the types of access you want to assign to the group.
Figure 17 Add User Group--Privileges
6. Click the Policies tab.
7. In the All Policies list, select the Policy that you want to assign to the user group then click Add to move the Policy to the Selected Policies list. Policies in the Selected Policies list will be assigned to the user group. Repeat this step to add additional policies to the user group.
Figure 18 Add User Group-Policies
8.
20. Click the User Group drop-down arrow and select the user group to which you want to assign the user from the list.
21. If you want to add another user, click Apply to save this user, and then repeat the steps in this section to add additional users.
22. When you have finished adding users, click OK. The User Summary panel displays a list of the user groups and users that you added.
Chapter 4: Creating Associations

Associations
You can set up Associations to help organize the equipment that CC-SG manages. Each Association includes a Category, which is the top-level organizational group, and its related Elements, which are subsets of a Category. For example, you may have Raritan devices that manage target servers in data centers in America, Asia Pacific, and Europe. You could set up an Association that organizes this equipment by location.
• Devices—are Raritan products such as Dominion KX, Dominion SX, Dominion KSX, IP-Reach, Paragon II System Controller, Paragon II UMT832 with USTIP, and others, that CC-SG manages. These devices control the target systems, or nodes, that are connected to them.
• Nodes—are the target systems or servers that CC-SG can access and manage. In CC-SG, you can click a node to access and manage the node via interfaces.
How to Create Associations
There are two ways to create associations, Guided Setup and Association Manager.
• Guided Setup combines many configuration tasks into an automated interface. Guided Setup is recommended for your initial CC-SG configuration. Once you have completed Guided Setup, you can always edit your configurations individually. Please refer to Chapter 3: Configuring CC-SG with Guided Setup for additional information.
2. Click Add in the Category panel to add a new category. The Add Category window appears.
Figure 21 Add Category Window
3. Type a category name in the Category Name field. Maximum length is 31 characters.
4. Click the Value Type drop-down arrow to select a value type of String or Integer.
5. Click the Applicable For drop-down arrow to select the type of device this category applies to: Device, Node, or Both.
6.
Delete Category
Deleting a category deletes all of the elements created within that category. The deleted category will no longer appear in the Nodes or Devices trees once the screen refreshes or the user logs out and then logs back into CC-SG.
1. On the Associations menu, click Association.
2. Click the Category Name drop-down arrow and select the category you want to delete.
3. Click Delete in the Category panel of the screen to delete the category.
3. Click Add in the Elements For Category panel to add a new element. The Add Element window appears.
Figure 24 Add Element Window
4. Type the new element name in the Enter Value for Element field.
5. Click OK to add the element or Cancel to exit the window. The new element appears in the Elements For Category panel.

Edit Element
1. On the Associations menu, click Association Manager.
2.
3. Select the element to be deleted from the Element For Category list, and then click Delete in the Elements For Category panel. The Delete Element window appears.
4. Click Yes to delete the element or No to close the window. The element name is removed from the Element For Category list.
Note: Deleting an element removes the element from all device and node category associations, leaving all pre-associated element fields blank.
Chapter 5: Adding KVM and Serial Devices and Device Groups
You must add Raritan KVM and Serial devices to CC-SG before you can use CC-SG to configure and manage them. If you want to add Raritan PowerStrip Devices that are connected to other Raritan devices to CC-SG, please refer to Chapter 6: Configuring Power Control for details.
Device and Port Icons
For easier identification, KVM, Serial, and Power devices and ports have different icons in the Devices tree. Hold the mouse pointer over an icon in the Devices tree to view a tool tip containing information about the device or port.
Device Profile Screen
When you click a device from the Devices tab, the Device Profile screen appears, displaying information about the selected device.
Figure 27 Devices Tab and Devices Profile

Add a Device
Devices must be added to CC-SG before you can configure ports or add interfaces that provide access to the nodes connected to ports. Add Device is used to add devices whose properties you know and can provide to CC-SG.
Adding a KVM or Serial Device
3. Type a name for the device in the Device name field. Number of characters permitted varies by device. Hold your cursor over the field label to see the number of characters allowed in the name.
4. Type the IP Address or Hostname of the device in the Device IP or Hostname field. For hostname rules, refer to Terminology/Acronyms in Chapter 1: Introduction.
5.
Discover Devices
Discover Devices initiates a search for all devices on your network. The search can automatically detect all new and previously existing Raritan devices on your network, including Paragon II System Controller, IP-Reach, Dominion KX, Dominion KX101, Dominion KSX, Dominion SX, and eRIC units. After discovering the devices, you may add them to CC-SG if they are not already managed.
1. On the Devices menu, click Discover Devices.
Figure 31 Adding a Discovered Device
8. Type the user name and password (that were created specifically for CC-SG in the device) in the Username and Password fields to allow CC-SG to authenticate the device when communicating with it in the future. Select the Categories and Elements you want to apply to the device. If you want a Category and Element to apply to the nodes connected to the device, check the corresponding Apply to Nodes checkbox.
9.
Figure 32 The Device Profile Screen
2. Type the new device properties in the appropriate fields on this screen. If necessary, edit the Categories and Elements associated with this device.
3. Click OK to save your changes. A Device Updated Successfully message confirms that the device has been modified.

Edit PowerStrip Device
You can edit a Managed PowerStrip device to rename it, modify its properties, and view outlet configuration status.
1.
Delete Device
You can delete a device to remove it from CC-SG management.
Important: Deleting a device will remove all ports configured for that device. All interfaces associated with those ports will be removed from the nodes. If no other interface exists for these nodes, the nodes will also be removed from CC-SG.
1. Click the Devices tab and select the device you want to delete.
2.
Configure Ports
If the ports of a device were not all automatically added by checking Configure all ports when you added the device in the Add Device screen, you can use the Configure Ports screen to add individual ports or a set of ports on the device to CC-SG. You must configure ports before any Out-of-Band interfaces using those ports can be added to nodes.

Configure a Serial Port
1. Click the Devices tab and select a serial device from the Devices tree.
3. Click the Configure button that corresponds to the serial port you want to configure.
Figure 35 Configure Serial Ports Screen
4. Type a port name in Port Name field. For ease of use, name the port after the target that is connected to the port.
5. Type a node name in the Node Name field to create a new node with an Out-of-Band interface from this port. For ease of use, name the node after the target that is connected to the port.
Configure a KVM Port
1. Click the Devices tab and select a KVM device from the Devices tree.
2. On the Devices menu, click Port Manager, and then click Configure Ports.
Figure 36 Configure Ports Screen
• Click a column header to sort the ports by that attribute in ascending order. Click the header again to sort the ports in descending order.
3. Click the Configure button that corresponds to the KVM port you want to configure.
the port. This means that you will type the same name in the Port name and Node Name fields.
6. Click the Access Application drop-down menu and select the application you want to use when you connect to this port from the list. To allow CC-SG to automatically select the correct application based on your browser, select Auto-Detect.
7. Click OK to add the port.
Delete Ports
Delete a port to remove the port entry from a Device.
Important: If you delete a port that is associated with a node, the associated out-of-band KVM or Serial interface provided by the port will be removed from the node. If the node has no other interfaces, the node will also be removed from CC-SG.
1. Click the Devices tab and select a device whose ports you want to delete.
2. On the Devices menu, click Port Manager, and then click Delete Ports.
6. Click OK to bulk copy. A Device Copied Successfully message confirms that device categories and elements have been copied.

Upgrade Device
Upgrade Device allows you to download new versions of device firmware.
1. Click the Devices tab and select a device from the Devices tree.
2. On the Devices menu, click Device Manager, and then click Upgrade Device.
Figure 40 Upgrade Device Screen
3.
Restore Device Configurations

About Restoring Device Configurations
The following device types allow you to restore a full backup of the device configuration.
• KX
• KSX
• KX101
• SX
• IP-Reach
KX2 devices allow you to choose which components of a backup you want to restore to the device.
• Protected: The entire content of the selected backup file, except the network settings (personality package), will be restored to the device.
2. On the Devices menu, click Device Manager, Configuration, and then click Restore.
Figure 43 Protected Restore
3. In the Available Backups table, select the backup configuration you want to restore to the device.
4. In the Restore Type field, select Protected.
5. Click OK.
6. When the Restart message appears, click Yes to restart the device.
6. When the Restart message appears, click Yes to restart the device. A Device Configuration Restored Successfully message confirms that all user and system configuration data has been restored.

To Restore Only Device Settings or User and User Group Data to a KX2 Device
The Custom restore option allows you to restore Device Settings, User and User Group Data, or both.
1. Click the Devices tab and select the device you want to restore to a backup configuration.
4. Highlight the devices you want to copy this configuration to in the Available Devices column, and then click the right arrow to move them to the Copy Configuration To column. The left arrow moves selected devices out of the Copy Configuration To column.
5. Click OK to copy the configuration to the devices in the Copy Configuration To column.
6. When the Restart message appears, click Yes to restart the device.
Restart Device
Use the Restart Device function to restart a device.
1. Click the Devices tab and select the device you want to restart.
2. On the Devices menu, click Device Manager, and then click Restart Device.
Figure 46 Restart Device Screen
3. Click OK to restart the device. A Device Restart Successfully message confirms that the device has been restarted.

Ping Device
You can ping a device to determine if the device is available in your network.
1.
Device Power Manager
Device Power Manager is used to view the status of a PowerStrip device (including voltage, current, and temperature) as well as manage all power outlets on a PowerStrip device. As opposed to powering Nodes on and off individually, Device Power Manager provides a PowerStrip-centric view of its outlets.
Topological View
Topological View displays the structural setup of all the connected appliances in your configuration.
1. Click the Devices tab and select the device whose topological view you want to see.
2. On the Devices menu, click Device Manager, and then click Topological View. The Topological View for the selected device appears.
Figure 49 Topological View
3. Navigate the Topological View in the same way you navigate the Devices tree.
Disconnect Users
Administrators can terminate any user's session with a device. This includes users who are performing any kind of operation on a device, such as connecting to ports, backing up the configuration of a device, restoring a device’s configuration, or upgrading the firmware of a device.
Note: Firmware upgrades and device configuration backups and restores are allowed to complete before the user's session with the device is terminated.
Viewing Devices

CC-SG offers different options for displaying devices in the Devices tab.

Tree View

Select Tree View to view devices in the Devices tree grouped in the default view. Selecting Tree View will also return you to the standard view from a Custom View. Please refer to Custom Views later in this chapter for additional information.
1. On the Devices menu, click Change View, and then click Tree View.
2. On the Devices menu, click Change View, then click Create Custom View.
Figure 52 Custom View Screen
3. To customize your view, click the Name drop-down arrow and select a custom view that has already been saved in the database. Details of the View categories appear in the Custom View Details field.
4. Click Set Current to arrange the Devices tree to reflect the selected custom view.
5.
4. Type a new custom view name, and then click OK or click Cancel to close the window. The new view name appears in the Name field.
5. In the Custom View Details panel, click the drop-down arrow at the bottom of the panel. This list contains categories that you can use to filter custom views. Select a detail from the drop-down list, and then click Add to add the detail to the Custom View Details panel. Select as many details as needed.
6.
Special Access to Paragon II System Devices

Paragon II System Controller (P2-SC)

Paragon II System Integration users can add their P2-SC devices to the CC-SG Devices tree and configure them via the P2-SC Admin application from within CC-SG. Please refer to Raritan’s Paragon II System Controller User Guide for additional information on using P2-SC Admin.
IP-Reach and UST-IP Administration

You can also perform administrative diagnostics on IP-Reach and UST-IP devices connected to your Paragon System setup directly from the CC-SG interface. After adding the Paragon System device to CC-SG, it appears in the Devices tree.

To access Remote User Station Administration:
1. Click the Device tab, and then select the Paragon II System Controller.
2.
Device Group Manager

Use the Device Groups Manager screen to add device groups, edit device groups, and remove device groups. When you add a new device group, you can create a full access policy for the group. Please refer to Chapter 9: Policies for additional information.

Add Device Group

1. On the Associations menu, click Device Groups. The Device Groups Manager window opens. Existing device groups display in the left panel.
2. Click the New Group icon in the toolbar. The Device Group: New panel displays.
Figure 58 Device Group: New Panel, Select Devices Tab
3. In the Group name field, type a name for a device group you want to create.
4. There are two ways to add devices to a group, Select Devices and Describe Devices. The Select Devices tab allows you to select which devices you want to assign to the group by selecting them from the list of available devices.
Describe Devices

a. Click the Describe Devices tab in the Device Group: New panel. In the Describe Devices tab, you create a table of rules that describe the devices you want to assign to the group.
Figure 59 Describe Devices Tab
b. Click the Add New Row icon to add a row to the table.
c. Double-click the cell created for each column to activate a drop-down menu. Select the rule components you want to use from each list.
e. The table of rules only makes available criteria for evaluating nodes. To write a description for the device group, add the rules by Rule Name to the Short Expression field. If the description only requires a single rule, then simply type that rule’s name in the field. If multiple rules are being evaluated, type the rules into the field using a set of logical operators to describe the rules in relation to each other:
• & - the AND operator.
Edit Device Group

1. On the Associations menu, click Device Groups. The Device Groups Manager window opens.
Figure 60 Device Groups Manager Screen
2. Existing device groups display in the left panel. Select the Device Group whose name you want to edit. The Device Group Details panel appears.
3. If you want to edit the device group name, type a new name for the device group in the Group Name field.
4.
Delete Device Group

1. On the Associations menu, click Device Groups. The Device Groups Manager window opens.
Figure 61 Device Groups Manager Screen
2. Existing device groups display in the left panel. Select the device group you want to delete. The Device Group Details panel appears.
3. On the Groups menu, click Delete.
4. The Delete Device Group panel appears. Click Delete.
Figure 63 Delete Device Group Panel
5. Click Yes in the confirmation message that displays.
Chapter 6: Configuring Power Control

In CC-SG, PowerStrips must be connected to one of the following devices:
• Dominion KX
• Dominion KX2
• Dominion SX 3.0
• Dominion SX 3.1
• Dominion KSX
• Paragon II System Controller (P2SC)

To configure PowerStrips in CC-SG, you must know which Raritan device the PowerStrip is physically connected to.
Delete a PowerStrip Connected to a KX, KX2, or P2SC Device

You cannot delete a PowerStrip connected to a KX or KX2 device from CC-SG. You must physically disconnect the PowerStrip from the KX or KX2 device to delete the PowerStrip from CC-SG. When you physically disconnect the PowerStrip from a KX or KX2 device, the PowerStrip and all configured outlets disappear from the Devices tab.

Configuring PowerStrips Connected to SX 3.
6. Click the Managing Port drop-down menu, and then select the port on the SX 3.0 or KSX device to which this PowerStrip is connected.
7. (Optional) Type a short description of this PowerStrip in the Description field.
8. (Optional) Check Configure All Outlets if you want to automatically add each outlet on this PowerStrip device to the Devices tab. If you don’t configure all outlets now, you can configure them later.
9.
If the SX 3.1 device has already been added to CC-SG, and the PowerStrip is connected to the device later:
1. Add the SX 3.1 device to CC-SG.
2. Configure the ports of the SX 3.1 device.
3. In the Devices tab, select the SX 3.1 device to which the PowerStrip is connected.
4. Click the + next to the device icon to expand the list of ports.
5. Right-click the SX 3.1 port that the PowerStrip is connected to, and select Add Powerstrip from the pop-up menu.
2. Click the + next to the PowerStrip to expand all outlets.
3. On the Devices menu, click Port Manager, Delete Ports.
4. Select the checkbox for each outlet you want to delete, and then click OK to delete the outlet.
Chapter 7: Configuring Nodes and Interfaces

This chapter discusses how to view, configure, and edit nodes and their associated interfaces. Please refer to Raritan’s CommandCenter Secure Gateway User Guide for additional information on connecting to nodes.

View Nodes

In CC-SG, you can view all nodes in the Nodes tree, and select a node to view its Node Profile.

Nodes Tree

When you click the Nodes tab, the Nodes tree displays the available nodes.
Node unavailable – the node does not have an interface that is up.

Nodes and Interfaces Overview

About Nodes

Each node represents a target that is accessible through CC-SG, either via In-Band (direct IP) or Out-of-Band (connected to a Raritan device) methods.
Add Node

To add a new node to CC-SG:
1. Click the Nodes tab.
2. On the Nodes menu, click Add Node.
Figure 66 Add Node Screen
3. Type a name for the node in the Node Name field. All node names in CC-SG must be unique.
4. (Optional) Type a short description for this node under the Description field.
5. You must configure at least one interface. Click Add in the Interfaces area of the Add Node screen to add an interface.
The Add Interface Window appears.
2. Click the Interface Type drop-down menu and select the type of connection being made to the node:

In-Band Connections
• DRAC KVM: Select this item to create a KVM connection to a Dell DRAC server through the DRAC interface. You will be required to configure a DRAC Power interface afterwards.
For In-Band connections and DRAC, RSA, and iLO/RILOE power connections:
Figure 67 Add Interface—In-Band iLO/RILOE KVM
1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field.
2. If necessary, type a TCP Port for this connection in the TCP Port field.
3. Type a username for this connection in the Username field.
4. If necessary, type a password for this connection in the Password field.
5.
For Out-of-Band KVM, Out-of-Band Serial connections:
Figure 68 Configuring an Out-of-Band KVM Connection
1. Click the Application name drop-down menu and select the application you want to use to connect to the node with the interface from the list. To allow CC-SG to automatically select the application based on your browser, select Auto-Detect.
2. Click the Raritan Device Name drop-down menu and select the Raritan device providing access to this node.
For Managed Power Strip connections:
Figure 69 Configuring a Managed Power Strip Power Control Interface
1. Click the Managing Device drop-down menu and select the Raritan device that the Power Strip that provides power to the node is connected to. The device must be added to CC-SG.
2. Click the Power Strip Name drop-down menu and select the Power Strip that provides power to the node.
For IPMI Power Control connections:
Figure 70 Configuring an IPMI Power Control Interface
1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field.
2. Type a UDP Port number for this interface in the UDP Port field.
3. Click the Authentication drop-down menu and select an authentication scheme for connecting to this interface.
4. Type a check interval for this interface in the Check Interval (seconds) field.
5.
Bulk Copy for Node Categories and Elements

The Bulk Copy command allows you to copy the assigned categories and elements from one node to multiple other nodes. Please note that categories and elements are the only properties copied in this process.
1. Click the Nodes tab and select a node from the Nodes tree.
2. On the Nodes menu, click Bulk Copy.
3.
Figure 72 Editing an Interface
5. You cannot change the type of the existing interface. You can change the Interface Name, Description, and the values of the other fields for this type. Please refer to the Add Interface section above for additional information.

Delete an Interface

To delete an interface from a node:
1. Click the Nodes tab.
2. Click the node with the interface you want to delete.
3.
Figure 73 Edit Node Screen
2. If you want, type a new name for the node in the Node Name field. All node names in CC-SG must be unique.
3. (Optional) Type a new short description for this node under the Description field.
4. Click Add in the Interfaces area to add a new interface. Please refer to the Add Interface section above for additional information on this procedure.
5.
2. Right-click the node you want to delete and select Delete Node. The Delete Node screen appears, displaying the name of the selected node.
Figure 74 Deleting a Node
3. Click OK to delete the node or Cancel to exit without deleting.
Chat

Chat provides a way for users connected to the same node to communicate with each other. You must be connected to a node to start a chat session for that node. Only users on the same node will be able to chat with each other.

To engage in a chat session:
1. Click the Nodes tab to the left.
2. Right-click a node you are currently connected to and select Chat, then Start Chat Session if no session has been created yet. A Chat session will be created.
Chapter 8: Adding and Managing Users and User Groups

Users are the individual users and administrators that connect to CC-SG in order to access nodes and manage devices. User Groups are organizations that define a set of privileges for their member users; users by themselves have no privileges. In general, all users must belong to a user group.
Special User Groups

CC-SG is configured with three user groups by default: CC-Super User, System Administrators, and CC Users.

CC Super-User Group

The CC Super-User group has full administrative and access privileges. Only one user can be a member of this group. The default username is admin. You can change the default username. You cannot delete the CC-Super User group.
Add User Groups

Creating user groups first will help you organize users when they are added. When a user group is created, a set of privileges is assigned to the user group. Users that are assigned to that group will inherit those privileges. For example, if you create a group and assign it the User Management privilege, all users assigned to the group will be able to see and execute the commands on the User Manager menu.
7. Click the Device/Node Policies tab. A table of policies appears.
Figure 78 The Policies Tab on the Add User Group Screen
The All Policies table lists all the policies available on CC-SG. Each policy represents a rule allowing or denying access to a group of nodes. Please refer to Chapter 9: Policies for more information on policies and how they are created.
8.
Edit A User Group

Edit a User Group to change the existing privileges and policies for that group.

Note: You cannot edit the Privileges or Policies of the CC-Super User group and the Users not in Group group.

To edit a group:
1. Click the Users tab to the left.
2. Click the user group in the Users tab. The User Group Profile appears.
3. (Optional) Type a new name for the user group in the User Group Name field.
4.
Delete User Group

Deleting a User Group removes that group from CC-SG. Users in the deleted group will remain in any other groups to which they have been assigned. If the users in the deleted group were not in any other groups, they will be assigned to the Users Not in Group group, which does not have any privileges assigned to it.

To delete a User Group:
1. Click the Users tab to the left.
2. Click the user group you want to delete in the Users tab.
3.
6. Check Remote Authentication only if you want the user to be authenticated by an external server, such as TACACS+, RADIUS, LDAP, or AD. If you are using remote authentication, a password is not required and the New Password and Retype New Password fields will be disabled.
7. In the New Password and Retype New Password fields, type the password that the user will use to log in to CC-SG.
4. Uncheck Login enabled if you want to prevent this user from logging in to CC-SG. Check Login enabled if you want to allow this user to log in to CC-SG.
5. Check Remote Authentication only if you want the user to be authenticated by an external server, such as TACACS+, RADIUS, LDAP, or AD. If you are using remote authentication, a password is not required and the New Password and Retype New Password fields will be disabled.
6.
Assign Users To Group

Use this command to assign existing users to a group they currently do not belong to. Users assigned in this way will be added to their new group while still existing in any group they were previously assigned to. To move a user, use this command in conjunction with Delete User From Group described below.

To assign a user to a group:
1. Click the Users tab to the left.
2. Click the User Group you want to assign users to.
3.
4. On the Users menu, click User Manager, then Delete User From Group. The Delete User screen appears, displaying the user and the group they will be removed from.
Figure 84 Deleting a User From A Group
5. Click OK to delete the user from the group or click Cancel to exit without removing the user.

Note: If you delete a user from a group and they do not belong to any other groups, the user will be added to the Users Not In Group group.
a. Type your current password in the Old Password field.
b. Type your new password in the New Password field. A notice will appear if Strong Passwords are required.
c. Type your new password again in the Retype New Password field.
4. Type a new address in the Email address field to add or change the address CC-SG will use to send you notifications.
5. Click the Font Size drop-down menu to adjust the font size the standard CC-SG client displays at.
6.
Bulk Copy for Users

To save time, Bulk Copy can be used to clone one user’s privileges and policies to a number of other existing users by moving them to the same User Groups as the selected user.

To perform a Bulk Copy:
1. Click the Users tab to the left.
2. Click the + symbol next to a User Group with the user you want to copy.
3. Click the user you want to copy.
4. On the Users menu, select User Manager, then Bulk Copy.
Chapter 9: Policies and Node Groups

Controlling Access Using Policies

Configuring policies to provide user access to nodes is optional, but central to making effective use of CC-SG’s ability to control access. If you want to give all users access to all nodes, simply assign the Full Access Policy to all user groups. If you want to have more control over user access to nodes, you will need to create policies to define rules for access.
Node Groups

Node groups are used to organize nodes into a set. This group will then become the basis for a policy either allowing or denying access to this particular set of nodes. Nodes can be grouped arbitrarily or by a set of common attributes. If you used Guided Setup to create categories and elements for nodes, some means to organize nodes along common attributes have already been created.
3. If viewing a group based on attributes, click View Nodes to display a list of nodes currently in the Node Group. A Nodes In Node Group window will appear displaying the nodes and all their attributes.
Figure 89 Nodes in a Group Based on Attributes

Add Node Groups

To add a new Node Group:
1. On the Associations menu, click Node Group. The Node Groups Manager window displays.
2. On the Groups menu, select Add. A template for a node group will appear.
3.
Select Nodes

Figure 90 Adding Nodes Using Select Nodes
1. Click the Select Nodes tab.
2. Click the Device Name drop-down menu and select a device if you want to filter the Available list to only display nodes with interfaces from that device.
3. In the Available list, select the nodes you want to add to the group, and then click Add to move the node into the Selected list. Nodes in the Selected list will be added to the group.
4.
Describe Nodes

Figure 91 Describing a Node Group With Multiple Rules
1. Click the Select Nodes tab.
2. Click Add New Row to add a row in the table for a new rule. Rules take the form of an expression which can be compared against nodes.
3. Double-click each column in the row to turn the appropriate cell into a drop-down menu, then select the appropriate value for each component:
• Prefix – Leave this blank or select NOT.
4. If you want to add another rule, click Add New Row again, and make the necessary configurations. Configuring multiple rules will allow more precise descriptions by providing multiple criteria for evaluating nodes.
5. If you want to remove a rule, highlight the rule in the table, and then click Remove Row.
6. The table of rules only makes available criteria for evaluating nodes.
Edit Node Group

Edit a node group to change the membership or description of the group.

To edit a node group:
1. On the Associations menu, click Node Group. The Node Groups Manager window displays.
2. Click the node you want to edit in the Node Group List to the left. The details of that node will appear in the Node Groups window.
3. Refer to the instructions in the Select Nodes or Describe Nodes sections above for details on how to configure the node group.
4.
Device Groups

Device groups operate in a similar fashion to Node Groups, except that Device Groups are used to organize Raritan devices into sets for management by policies. Please refer to Chapter 5: Adding Devices and Device Groups, Device Group Manager for additional information.
3. Type a name for the new policy in the Enter policy name field.
4. Click OK. The new policy will be added to the Policy Name list in the Policy Manager screen.
5. Click the Device Group drop-down arrow, and select the Device Group this policy governs access to. Click the Node Group drop-down arrow and select the Node Group this policy governs access to. If the policy will cover only one type of group, only select a value for that group.
6.
4. Click the Device Group drop-down arrow, and select the Device Group this policy governs access to. Click the Node Group drop-down arrow and select the Node Group this policy governs access to. If the policy will cover only one type of group, only select a value for that type.
5.
Virtual Media provides the ability to perform most tasks remotely including: transferring files, running diagnostics, installing or patching applications, rebooting the target server across the network using a boot file accessed from the client, or even complete installation of the operating system. This expanded KVM control eliminates most trips into the data center, saves time and money, thus making Virtual Media a very powerful feature.
Chapter 10: Configuring Remote Authentication

Authentication and Authorization (AA)

Users of CC-SG can be locally authenticated and authorized on the CC-SG or remotely authenticated using the following supported directory servers:
• Microsoft Active Directory (AD)
• Netscape’s Lightweight Directory Access Protocol (LDAP)
• TACACS+
• RADIUS

Any number of remote RADIUS, TACACS+, and LDAP servers can be used for external authentication.
Distinguished Names for LDAP and AD

Configuration of remotely authenticated users on LDAP or AD servers requires entering user names and searches in Distinguished Name format. The full DN format is described in RFC2253. For the purposes of this document, you need to know how to enter Distinguished Names and in what order each component of the name should be listed.
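Added example, not part of the Raritan guide or CC-SG's own code: a small Python parser for RFC 2253 DN strings that checks whether a user entry falls under a Base DN, using the two Base DN values this chapter gives for raritan.com. The user entries are constructed samples, and case-insensitive value matching is an assumption that holds for cn, ou and dc.

```python
import string

def _split_unescaped(text, sep):
    """Split on sep, skipping any separator that is escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for _unescape()
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def _strip_padding(value):
    """Drop padding spaces around a value but keep an escaped trailing space."""
    value = value.lstrip(" ")
    while value.endswith(" "):
        body = value[:-1]
        if (len(body) - len(body.rstrip("\\"))) % 2:  # odd count: space is escaped
            break
        value = body
    return value

def _unescape(value):
    """Decode RFC 2253 escapes: backslash + character, or backslash + hex pair."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] != "\\":
            out += value[i].encode("utf-8")
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("dangling backslash in DN value")
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out += value[i + 1].encode("utf-8")
            i += 2
    return out.decode("utf-8")

def parse_dn(dn):
    """Return the DN as a tuple of RDNs, most specific first, root last.

    Each RDN is a frozenset of (attribute, value) pairs, so multi-valued RDNs
    joined with '+' compare equal regardless of order. Attribute names and
    values are case-folded (assumption: case-insensitive matching rules).
    """
    if not dn.strip():
        return ()
    rdns = []
    for raw_rdn in _split_unescaped(dn, ","):
        pairs = set()
        for raw_pair in _split_unescaped(raw_rdn, "+"):
            attr, eq, value = raw_pair.partition("=")
            attr = attr.strip().lower()
            if not eq or not attr:
                raise ValueError(f"malformed RDN component: {raw_pair!r}")
            pairs.add((attr, _unescape(_strip_padding(value)).casefold()))
        rdns.append(frozenset(pairs))
    return tuple(rdns)

def is_under_base(entry_dn, base_dn):
    """True if entry_dn equals base_dn or sits anywhere below it in the tree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    return len(base) == 0 or entry[-len(base):] == base

def naive_is_under_base(entry_dn, base_dn):
    """String-suffix comparison, shown only to contrast with is_under_base()."""
    return entry_dn.lower().endswith(base_dn.lower())

# Base DN values taken from this chapter's examples.
WHOLE_DIRECTORY = "dc=raritan,dc=com"
ADMINISTRATORS = "cn=Administrators,cn=Users,dc=raritan,dc=com"

# Constructed sample entries (not real accounts).
SAMPLE_ENTRIES = [
    "cn=jsmith,cn=Administrators,cn=Users,dc=raritan,dc=com",
    "cn=guest,cn=Users,dc=raritan,dc=com",
    r"CN=Smith\, John, CN=Administrators, CN=Users, DC=Raritan, DC=com",
    # One RDN whose value contains an escaped comma; its parent is cn=Users.
    r"cn=temp,ou=contractors\,cn=Administrators,cn=Users,dc=raritan,dc=com",
]

def in_scope(entries, base_dn):
    """Return the entries a search rooted at base_dn could match."""
    return [e for e in entries if is_under_base(e, base_dn)]

if __name__ == "__main__":
    for base in (WHOLE_DIRECTORY, ADMINISTRATORS):
        print(f"Base DN {base}:")
        for entry in SAMPLE_ENTRIES:
            print(f"  parsed={is_under_base(entry, base)!s:5} "
                  f"suffix={naive_is_under_base(entry, base)!s:5} {entry}")
```

The last sample entry passes a plain string-suffix comparison against the Administrators Base DN but is not in that subtree once the escaped comma is parsed, which is why scope checks should compare parsed components.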
Establish Order of External AA Servers

In the General tab, you can set the order in which CC-SG will query the configured external AA servers. If the first checked option is unavailable, CC-SG will try the second, then the third, and so on, until it is successful.
1. On the Administration menu, click Security. When the Security Manager screen appears, click the General tab.
Figure 94 Security Manager General tab
2.
Figure 95 Add Module
3. Click the Module Type drop-down menu and select AD from the list.
4. Type a name for the AD server in the Module name field. The maximum number of characters is 31. All printable characters may be used. The module name is optional and is specified only to distinguish this AD server module from any others that you configure in CC-SG. The name is not connected to the actual AD server name.
5. Click Next to proceed.
Figure 96 AD General Settings
1. Type the AD domain you want to query in the Domain field. For example, if the AD domain is installed in the xyz.com domain, type xyz.com in the Domain field. CC-SG and the AD server you want to query must be configured either on the same domain or on different domains that trust each other.

Note: CC-SG will query all known domain controllers for the domain specified.
2.
Note: The user specified must have permission to execute search queries in the AD domain. For example, the user may belong to a group within AD that has Group scope set to Global, and Group type set to Security.
5. Type the password for the user account you want to use to query the AD server in the Password and Confirm Password fields.
6. Click Test Connection to test the connection to the AD server using the given parameters.
structure.

EXAMPLE: cn=Administrators,cn=Users,dc=raritan,dc=com
DESCRIPTION: The search query for the user entry will be performed only in the Administrators sub-directory (entry).

5. Type a user’s attributes in Filter so the search query will be restricted to only those entries that meet this criterion. The default filter is objectclass=user, which means that only entries of the type user are searched.
6.
Figure 98 AD Group Settings
2. Specify a Base DN (directory level/entry) under which the groups, containing the user to be authorized, will be searched.

EXAMPLE: dc=raritan,dc=com
DESCRIPTION: The search query for the user in the group will be made over the whole directory structure.

EXAMPLE: cn=Administrators,cn=Users,dc=raritan,dc=com
DESCRIPTION: The search query for the user in the group will be performed only in the Administrators sub-directory (entry).

3.
Figure 99 AD Trust Settings
2. For each domain in the Trust Partner column, click the Trust Direction drop-down menu, and then select the direction of trust you want to establish between the domains. Trust directions are updated in all AD modules when you make changes to one AD module.
• Incoming: information will be trusted coming in from the domain.
3. Click Import Groups… to retrieve a list of user group values stored on the AD server. If any of the user groups are not already on the CC-SG, you can import them here and assign them an access policy.
Figure 100 Importing Groups from AD Server
4. Check the checkboxes next to the groups you want to import to CC-SG. Click a column header to sort the list of user groups by the information in that column.
Synchronize AD User Groups

When you synchronize AD user groups, CC-SG retrieves the groups for the selected AD module, compares their names with the user groups that have already been imported from AD, and identifies the matches. CC-SG will present the matches and allow you to select which groups in AD you want to associate with CC-SG. This does not update user access information in CC-SG—it only maps the group names from AD to CC-SG.
Figure 102 Synchronization of All AD Modules
7. A confirmation message will appear when all AD modules have been successfully synchronized.
8. To exit Maintenance Mode, on the System Maintenance menu, click Maintenance Mode, and then click Exit Maintenance Mode.
9. In the screen that appears, click OK. A second confirmation message will display when CC-SG exits maintenance mode. Click OK.
7. Repeat these steps to reconfigure all AD modules.
8. Once you have reconfigured all AD modules, you can synchronize your imported AD user groups with the AD servers. Please refer to Synchronize AD User Groups for additional information.
9. After you have synchronized each module's AD user groups, you should synchronize all AD modules. Please refer to Synchronize All AD Modules for additional information.
LDAP General Settings

1. Click the General tab.
Figure 105 LDAP General Settings
2. Type the IP address or hostname of the LDAP server in the IP Address/Hostname field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
3. Type the port value in the Port field. The default port is 389.
4. Check Secure Connection for LDAP if using a secure LDAP server.
5. Check Anonymous Bind if your LDAP server allows anonymous queries.
10. Click Test Connection to test the LDAP server using the given parameters. You should receive a confirmation of a successful connection. If not, review the settings carefully for errors and try again.
11. Click Next to proceed to the Advanced tab to set advanced configuration options for the LDAP server.

LDAP Advanced Settings

1. Click the Advanced tab.
Figure 106 LDAP Advanced Settings
2.
9. The new LDAP module appears in the Security Manager screen, under External AA Servers. Check the Authentication checkbox if you want CC-SG to use the LDAP module for authentication of users.
10. Click Update to save your changes.
Add a TACACS+ Module

CC-SG users who are remotely authenticated by a TACACS+ server need to be created on the TACACS+ server and on CC-SG. The user name on the TACACS+ server and on CC-SG must be the same, although the passwords may be different. Please refer to Chapter 8: Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated.
1. On the Administration menu, click Security.
TACACS+ General Settings

1. Type the IP address or hostname of the TACACS+ server in the IP Address/Hostname Name field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
Figure 108 TACACS+ General Settings
2. Type the port number on which the TACACS+ server is listening in the Port Number field. The default port number is 49.
3. Type the authentication port in the Authentication Port field.
4.
Add a RADIUS Module

CC-SG users who are remotely authenticated by a RADIUS server need to be created on the RADIUS server and on CC-SG. The user name on the RADIUS server and on CC-SG must be the same, although the passwords may be different. Please refer to Chapter 8: Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated.
1. On the Administration menu, click Security.

RADIUS General Settings
1. Click the General tab.
Figure 110 Specifying a RADIUS Server
2. Type the IP address or hostname of the RADIUS server in the IP Address/Hostname field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
3. Type the port number in the Port Number field. The default port number is 1812.
4. Type the authentication port in the Authentication Port field.
5.

Chapter 11: Generating Reports
Reports can be sorted by clicking on the column headers. Click a column header to sort report data by the values in that column. The data will refresh in ascending order alphabetically, numerically, or chronologically. Click the column header again to sort in descending order.
You can resize the column width in all reports. Hold your mouse pointer on the column divider in the header row until the pointer becomes a double-headed arrow.
4. Click OK to run the report. The report is generated, displaying data about activities that occurred during the designated time period that also comply with any additional parameters specified.
Figure 112 Audit Trail Report
• Click Next or Previous to navigate through the pages of the report.
• Click Manage Report Data… to save or print the report.
• If you want to limit the report to a particular IP address’s activities, type the user’s IP address in the User IP address field.
4. Click OK to run the report. The report is generated, displaying data about activities that occurred during the designated time period that also comply with any additional parameters specified.
Figure 114 Error Log Report
• Click Next or Previous to navigate through the pages of the report.
3. You can limit the data that the report will contain by entering additional parameters in the Message, Device name, Port name, Username, and User IP address fields.
• If you want to limit the report by the message text associated with an activity, type the text in the Message field.
• If you want to limit the report to a particular device, type the device name in the Device name field.

Availability Report
The Availability Report displays the status of all connections, showing devices by name and IP address. This report gives you the full accessibility picture for all devices on your system, and supplies information that could be useful for troubleshooting.
1. On the Reports menu, click Availability Report. The Availability Report is generated.
Figure 117 Availability Report
• Click Manage Report Data… to save or print the report.

Active Users Report
The Active Users report displays current users and user sessions. You can select active users from the report and disconnect them from CC-SG.
1. On the Reports menu, click Users, and then click Active Users. The Active Users report is generated.
Figure 118 Active Users Report
• To disconnect a user from an active session in CC-SG, select the user name you want to disconnect, and then click Logout.

Locked Out Users Report
The Locked Out Users report displays users who are currently locked out of CC-SG because they made too many unsuccessful login attempts. You can unlock users from this report. Please refer to Chapter 13: Advanced Administration, Lockout Settings for additional information on lockout settings.
1. On the Reports menu, click Users, and then click Locked Out Users.

User Data Report
The User Data report displays certain data on all users in the CC-SG database.
1. On the Reports menu, click Users, and then click User Data. The All Users’ Data report is generated.
Figure 120 All Users’ Data Report
• The User Name field displays the user names of all CC-SG users.

Users in Groups Report
The Users In Group report displays data on users and the groups with which they are associated.
1. On the Reports menu, click Users, and then click Users In Groups. The Users In Groups report is generated.
Figure 121 Users In Groups Report
• Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records.

Group Data Report
The Group Data report displays user group, node group, and device group information. View user groups by name and description, view node groups by name, and view device groups by name, all in one screen.
1. On the Reports menu, click Users, and then click Group Data. The Groups report is generated.
Figure 122 Groups Report
• Click Manage Report Data… to save or print the report section.
4. Click Apply. The AD User Group report is generated.
Figure 123 AD User Group Report
• Click Manage Report Data… to save or print the report section. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records. Click Print to print the records that are displayed in the current report page or Print All to print all records.
• Click Close to close the report.
records. Click Print to print the records that are displayed in the current report page or Print All to print all records.
• Click Refresh to generate a new report. The report may take several minutes to generate, based on the size of your system configuration.
• Click Close to close the report.
3. Click Apply to generate the report. The Node Asset Report generates.
Figure 126 Node Asset Report
• Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records. Click Print to print the records that are displayed in the current report page or Print All to print all records.
• Click Close to close the report.
Click Print to print the records that are displayed in the current report page or Print All to print all records.
• Click Close to close the report.

Node Creation Report
The Node Creation report lists all node creation attempts, both successful and unsuccessful, within a specified timeframe. You can specify whether you want to see all node creation attempts, or only those that are potential duplicate nodes.
1.

Query Port Report
The Query Port Report displays all ports according to port status.
1. On the Reports menu, click Ports, and then click Query Port.
Figure 130 Query Port Screen
2. In the Select port status section, check the checkboxes that correspond to the port statuses you want to include in the report. Checking more than one checkbox and clicking Apply will display ports with all statuses that are selected.

PORT STATUS    DEFINITION
All            All port statuses.
4. Click Apply to generate the report.
Figure 131 Query Port Report
• Click the arrow icons at the bottom right of the report to navigate through multiple page reports.
• Click Configure next to a New or Unused port in the report to configure it.
• Click Close to close the report.

Active Ports Report
The Active Ports report displays out-of-band ports that are currently in use. You can view the active ports list and disconnect ports from this report.
• To disconnect a port from a current session, select the port you want to disconnect, and then click Disconnect.
• Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records. Click Print to print the records that are displayed in the current report page or Print All to print all records.
• Click Close to close the report.
2. Select a Last Discovered Date, and then click Get Targets. The targets that were discovered on or earlier than the Last Discovered Date are displayed under Targets Discovered.
• If you want to purge a target from the CC-SG database, select the target you want to purge, and then click Purge.
• If you want to purge the entire list of targets from the CC-SG database, click Purge All.
• Click Manage Report Data… to save or print the report.

Chapter 12: System Maintenance

About Maintenance Mode
Maintenance mode restricts access to CC-SG so that an administrator can perform various operations without disruption. Operations can be performed from the GUI or from an SSH command line interface via clients such as PuTTY or OpenSSH Client. Please refer to Chapter 13: Advanced Administration, SSH Access for additional information.

Backup CC-SG
Best practice is to enter Maintenance Mode before backing up CC-SG.
1. On the System Maintenance menu, click Backup.
Figure 135 Backup CommandCenter Screen
2. Type a name for this backup in the Backup Name field.
3. (Optional) Type a short description for the backup in the Description field.
4. Select a Backup Type.
• Custom – Allows you to specify which components to add to the backup by checking them in the Backup Options area below.
c. If you are not using the default port for the selected protocol (FTP: 21, SFTP: 22), type the communications port used in the Port Number field.
d. Type a username for the remote server in the Username field.
e. Type a password for the remote server in the Password field.
f. In the Directory field, specify the directory used to store the backup on the remote server. You must specify the absolute path to the directory.
6. Click OK.
• Custom – Allows you to specify which components of the backup to restore to CC-SG by checking them in the Restore Options area below. Check each of the following to include them in the restore:
a. Data – CC-SG configuration, Device and Node configuration and User Data.
b. Logs – Error logs and event reports stored on CC-SG.
c. CC firmware files – Stored firmware files used for updating the CC-SG server itself.
d.

To Delete a backup
1. From the Available Backups table, select the backup you want to delete.
2. Click Delete. A confirmation dialog appears.
3. Click OK to delete the backup from the CC-SG system or Cancel to exit without deleting. Once deleted, the backup file will be removed from the CC-SG.
Note: Saving and restoring can be used to move a backup from one CC-SG unit to another.
2. Type your password in the Password field.
3. Accept the default message or type a warning message to display to any users currently online in the Broadcast message field (for example, you might give users a brief time period to finish their tasks in CC-SG or tell them why you are restarting the system). All users will be disconnected when you restart CC-SG.
4.

Shut Down CC-SG
These are the recommended methods for Administrators to shut down CC-SG. Shutting down CC-SG shuts down the CC-SG software, but it does not power off the CC-SG unit.
1. On the System Maintenance menu, click Shutdown CommandCenter.
Figure 141 Shutdown CC-SG Screen
2. Type your password in the Password field.
3.

Chapter 13: Advanced Administration

Guided Setup
Guided Setup steps an administrator through some of the most common tasks on CC-SG: creating associations, setting up Raritan devices, creating user groups and creating users. For information on running Guided Setup, please refer to Chapter 3: Configuring CC-SG With Guided Setup.

Application Manager
The Application Manager provides an interface for administrators to add access applications to CC-SG and set the default application for accessing nodes on Raritan devices.
1. On the Administration menu, click Applications.
Figure 143 Applications Tab of the Application Manager

Adding and Deleting Applications
Click the Applications tab of the Application Manager to add or delete an application.
Adding an Application:
1.
5. Click OK when the necessary devices have been selected to work with the application. An Open dialog window will appear.
6. In the Open dialog window, browse for the location of your application file (usually a .jar or .cab file), select the file, and then click Open. The selected application will then be loaded on to CC-SG.
Deleting an Application:
1.

Firmware Manager
CC-SG stores firmware for Raritan devices in order to update the devices under its control. The firmware manager is used to upload and delete device firmware files to and from CC-SG.

Upload Firmware
This command allows you to upload different versions of firmware to your system. When new firmware versions become available, they are posted on the Raritan website.
1. On the Administration menu, click Firmware.

Delete Firmware
1. On the Administration menu, click Firmware.
2. Click the Firmware Name drop-down arrow and select the firmware to be deleted.
3. Click Delete. The Delete Firmware window appears.
4. Click Yes to delete the firmware or No to close the window.

Configuration Manager
The Configuration Manager contains many of the CC-SG core settings:
• Network Setup
• Logs
• Inactivity Timer
• Time/Date
• Connection Mode
• Device Settings
• SNMP Configuration

What is Primary/Backup mode?
Primary/Backup mode allows you to use two CC-SG LAN ports to implement network failover and redundancy. In this mode, only one LAN port is active at a time. Please refer to About CC-SG LAN Ports for the locations of the Primary LAN and Secondary LAN ports on each CC-SG model.

To configure Primary/Backup mode in CC-SG
1. On the Administration menu, click Configuration.
2. Click the Network Setup tab.
Figure 149 Network Setup Panel—Primary/Backup
3. Select Primary/Backup mode.
4. Type the CC-SG hostname in the Host name field. Please refer to Chapter 1 Terminology/Acronyms for hostname rules.

What is Active/Active mode?
Active/Active mode allows you to use CC-SG to manage devices and nodes that are on two separate networks. In this mode, CC-SG manages traffic between the two separate IP domains. Active/Active mode does not offer failover. If either LAN connection fails, users won’t have access. Please refer to About CC-SG LAN Ports for the locations of the Primary LAN and Secondary LAN ports on each CC-SG model.
Figure 151 Network Setup Panel—Active/Active
3. Select Active/Active mode.
4. Type the CC-SG hostname in the Host name field. Please refer to Chapter 1 Terminology/Acronyms for hostname rules. When you click Update Configuration to save the configuration, the Host name field will be updated to reflect the Fully-Qualified Domain Name (FQDN) if a DNS and domain suffix have been configured.
5.

Log Configuration
From the Logs tab you can configure CC-SG to report to external logging servers. You can configure what level of messages is reported in each of the logs.
Configuring Logging Activity:
1. On the Administration menu, click Configuration.
2. Click the Logs tab.
Figure 152 Configuration Manager Logs Screen
3. To assign an external log server for CC-SG to use, type the IP address into the Server Address field under Primary Server.
4.
Purging CC-SG’s Internal Log:
The Logs tab can also be used to clear CC-SG’s log of events. This command only clears CC-SG’s log of events; it will not purge events recorded by external logging servers.
1. On the Administration menu, click Configuration.
2. Click the Logs tab.
3. Click Purge at the bottom of the screen. A dialog window will appear asking for confirmation.
4. Click Yes to clear CC-SG’s log of events.

Time/Date Configuration
CC-SG’s Time and Date must be accurately maintained to provide credibility for its device-management capabilities.
Important! The Time/Date configuration is used when scheduling tasks in Task Manager. Please refer to Chapter 13: Advanced Administration, Task Manager for additional information. The time set on the client may be different than the time set on CC-SG.
Note: Changing the time zone is disabled in a cluster configuration.

Modem Configuration
Use this screen to access a CC-SG G1 from a client machine over a dial-up connection. This method of accessing CC-SG can be used in emergency situations.
Note: A modem is not available and cannot be configured on the V1 or E1 platforms.

Configure CC-SG
1. On the Administration menu, click Configuration. When the Configuration Manager screen appears, click the Modem tab.
2. Click the Modems tab.
Figure 156 Modems Tab
3. Click Properties.
4. Click the Advanced tab.
Figure 157 Extra Initialization Commands
5. Type an initialization command in Extra initialization commands that will be used by your modem to set the “Carrier detection” flag. For example, type at&c for a SoftK56 Data Fax modem.
3. Under Network Tasks in the Network Connections window, click Create a new connection.
Figure 158 Create a New Connection
4. Click Next, Connect to the network at my workplace, Dial-up connection.
5. Type a name for CC-SG, for example CommandCenter.
Figure 159 Connection Name
6. Type the phone number used to connect to CC-SG, and then click Next.

Configure the Call-back Connection
If the CC-SG uses a call-back connection, you need to use a script file that is described below.
To supply the script file for call-back:
1. On the Start menu, click My Network Places.
2. Click view network connections under Network Tasks.
3. Right-click the CommandCenter connection, and then click Properties.
4. Click the Security tab.
Figure 161 Specify Dial-up Script
5. Click the Show terminal window.
6.

Connect to CC-SG with Modem
To connect to CC-SG:
1. On the Start menu, click My Network Places.
2. Click view network connections under Network Tasks.
3. Double-click the CommandCenter connection.
Figure 162 Connecting to CC-SG
4. Type a username of ccclient and password of cbupass.
Figure 163 Entering username and password
5. If not filled in already, enter the phone number used to connect to CC-SG. This is NOT the dial-back number.
6. Click Dial.
7. If Show terminal window was checked as described in section Configure the Call-back Connection earlier in this chapter, then a window similar to the one below will be displayed:
Figure 164 After Dial Terminal
8. Wait 1 or 2 minutes and, in a supported browser, enter the IP address of CC-SG that was configured as the Server address under the Modem tab in Configuration Manager on CC-SG, and log in to CC-SG.

Connection Modes: Direct and Proxy

About Connection Modes
CC-SG offers three connection modes: Direct, Proxy, and Both, which is a combination of Direct and Proxy.
Direct mode allows you to connect to a node or port directly, without passing data through CC-SG. Direct mode generally provides faster connections.
Proxy mode allows you to connect to a node or port by passing all data through CC-SG.

To Configure a Combination of Direct Mode and Proxy Mode
When you configure CC-SG to use a combination of Direct mode and Proxy mode, Proxy mode will be the default connection mode, and Direct mode will be used for the client IP addresses you specify.
1. On the Administration menu, click Configuration.
2. Click the Connection Mode tab.
Figure 166 Configuration Manager Connection Screen – Direct Mode
3. Click the Both radio button.
4.

Device Settings
1. On the Administration menu, click Configuration.
2. Click the Device Settings tab.
Figure 167 Configuration Settings Device Settings Screen
3. To update device Default Port, select a Device Type in the table and double-click the Default Port value. Type the new Default Port value and press the Enter key.
4. To update device timeout duration, double-click the Heartbeat (sec) value at the bottom of the screen.
Figure 168 Configuration Settings Device Settings Screen
3. To identify the SNMP agent running on CC-SG to third-party enterprise management solutions, provide agent information under Agent Configuration. Type a Port for the agent (default is 161). Type a Read-Only Community string (default is public) and a Read-Write Community string (default is private). Multiple community strings are allowed; separate them with a comma.
and active connections, and all status data is replicated between the two nodes. The primary and secondary nodes in a cluster must be running the same version of software, on the same version of hardware (G1, V1, or E1). Unless defined by the user, CC-SG will assign a default name to each cluster node.
Devices in a CC-SG cluster must be aware of the IP of the Primary CC-SG node in order to be able to notify the Primary node of status change events.
2. Click Discover CommandCenters to scan and display all CC-SG appliances on the same subnet as the one you are currently using. Alternatively, you can add a CC-SG, perhaps from a different subnet, by specifying an IP address in CommandCenter address in the bottom of the window, and then clicking Add CommandCenter.
Figure 169 Cluster Configuration Screen
3. Type a name for this cluster in Cluster Name.

Set Secondary CC-SG Node
1. Click Discover CommandCenters to scan and display all CC-SG appliances on the same subnet as the one you are currently using. Alternatively, you can add a CC-SG, perhaps from a different subnet, by specifying an IP address in CommandCenter address in the bottom of the window. Click Add CommandCenter.
Note: Adding a backup CC-SG from a different subnet or network may avoid issues affecting a single network or physical location.
2.
Note: Clicking Remove Cluster does not delete the Primary CC-SG unit from your configuration; it simply removes the designation of Primary Node. Remove Cluster is only available when no backup nodes exist.

Recover a Failed CC-SG Node
When a node fails and failover occurs, the failed node will recover in Waiting status.
1. Select the Waiting node in the Cluster Configuration table.
2. Add it as a backup node by clicking Join “Waiting” Node.
3.

Configure Security
The Security Manager is used to manage how CC-SG provides access to users. Within Security Manager you can configure authentication methods, SSL access, AES Encryption, strong password rules, lockout rules, the login portal, certificates, and access control lists.

Remote Authentication
Please refer to Chapter 10: Configuring Remote Authentication for detailed instructions on configuring remote authentication servers.

Configuring Browser Connection Protocol: HTTP or HTTPS/SSL
In Security Manager, you can configure CC-SG to use either regular HTTP connections from clients, or to require HTTPS/SSL connections. You must restart CC-SG for changes to this setting to take effect.
1. On the Administration menu, click Security.
2.

Strong Password Settings
Strong password rules require users to observe strict guidelines when creating passwords, which makes the passwords more difficult to guess and, in theory, more secure. Strong passwords are not enabled in CC-SG by default. In order to use strong passwords, administrators must first check Strong Passwords Required For All Users.
Note: A strong password that includes all strong password requirements is always required for the CC Super-User.

Lockout Settings
Administrators can lock out CC-SG, CC-NOC users, and SSH users after a specified number of failed login attempts. This feature applies to users who are authenticated and authorized locally by CC-SG and does not apply to users who are remotely authenticated by external servers. Please refer to Chapter 10: Configuring Remote Authentication for additional information.

Portal
Portal settings allow administrators to configure a logo and an access agreement to greet users when they access a client.
To access the Portal settings:
1. On the Administration menu, click Security.
2. Click the Portal tab.
Figure 174 Portal Settings

Logo
A small graphic file can be uploaded to CC-SG to act as a banner on the login page. The maximum size of the logo is 998 by 170 pixels.
To upload a logo:
1. Click Browse in the Logo area of the Portal tab.
a. Click Browse. A dialog window appears.
b. In the dialog window, select the text file with the message you want to use, and then click Open. The maximum length of the text message is 10,000 characters.
c. Click Preview if you want to preview the text contained in the file. It will appear in the banner message field above.
3. Click Update to save your Restricted Service Banner changes to CC-SG.
2. Click the Certificate tab.
Figure 176 Security Manager Certificate Screen

Export Current Certificate and Private Key
Click Export current certificate and private key. The certificate appears in the Certificate panel and the private key appears in Private Key panel. Copy the text of the Certificate and Private Key and submit it by clicking Export.

Generate Certificate Signing Request
The following explains how to generate a CSR and a private key on CC-SG.
2. Type the requested data for the CSR into the fields.
Figure 177 Generate Certificate Signing Request Screen
3. Click OK to generate the CSR or Cancel to exit the window. The CSR and Private Key appear in the corresponding fields of the Certificate screen.
Figure 178 Certificate Request Generated
4. Using an ASCII editor such as Notepad, copy and paste the CSR into a file and save it with a .cer extension.
5.
9. Copy and paste the signed certificate into the Certificate Request field. Paste the Private Key that was saved previously into the Private Key field.
10. Click Browse next to CA file: and select the root certificate file that was saved in Step 6.
11. Type raritan in the Password field if the CSR was generated by CC-SG. If a different application generated the CSR, use the password for that application.
2. Click the IP-ACL tab.
Figure 180 Security Manager IP-ACL Screen
3. To change the order of the line items in the Access Control List, select the line item, and then click Up or Down. Connecting users will be allowed or denied according to the first rule that applies (from top to bottom).
4.
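
The first-match behaviour described in step 3, as an added example that is not Raritan code: it shows how the same line items give a different result when reordered, and flags line items that can never apply because earlier ones cover their whole range. It assumes each line item is a start address, an end address and an Allow/Deny action, and that the caller supplies the result used when no line item matches; this page states neither. All addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One ACL line item (assumed shape: inclusive IPv4 range plus action)."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    action: str  # "allow" or "deny"

    def matches(self, ip):
        return self.start <= ip <= self.end


def rule(start, end, action):
    """Build a validated rule from dotted-quad strings."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError(f"range start {lo} is after end {hi}")
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return AclRule(lo, hi, action)


def evaluate(rules, client_ip, default_action):
    """Return (action, index of the deciding rule) using top-to-bottom first match.

    default_action is what the caller assumes happens when nothing matches;
    the index is None in that case.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for index, r in enumerate(rules):
        if r.matches(ip):
            return r.action, index
    return default_action, None


def _merge(intervals):
    """Merge overlapping or adjacent integer intervals into disjoint ones."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def shadowed_rules(rules):
    """Indices of rules whose whole range is already covered by earlier rules.

    Under first-match evaluation such a rule can never decide a connection,
    which usually means the list is in the wrong order.
    """
    shadowed = []
    covered = []  # disjoint (lo, hi) integer ranges claimed by earlier rules
    for index, r in enumerate(rules):
        lo, hi = int(r.start), int(r.end)
        if any(c_lo <= lo and hi <= c_hi for c_lo, c_hi in covered):
            shadowed.append(index)
        covered = _merge(covered + [(lo, hi)])
    return shadowed


# Constructed sample: a broad deny placed above a narrow allow.
ORIGINAL_ORDER = [
    rule("192.0.2.0", "192.0.2.255", "deny"),
    rule("192.0.2.10", "192.0.2.20", "allow"),  # never reached in this order
    rule("198.51.100.0", "198.51.100.255", "allow"),
]

# Same line items after moving the narrow allow up one position.
REORDERED = [ORIGINAL_ORDER[1], ORIGINAL_ORDER[0], ORIGINAL_ORDER[2]]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_ORDER), ("reordered", REORDERED)):
        action, index = evaluate(rules, "192.0.2.15", default_action="deny")
        print(f"{name}: 192.0.2.15 -> {action} (rule {index}), "
              f"shadowed rules: {shadowed_rules(rules)}")
```
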

Notification Manager
Use Notification Manager to configure an external SMTP server so notifications can be sent from CC-SG. Notifications are used to email reports that have been scheduled, email reports if users are locked out, and to email status of failed or successful scheduled tasks. Please refer to Task Manager, later in this chapter, for additional information.

Task Manager
Use Task Manager to schedule CC-SG tasks on a daily, weekly, monthly, or yearly basis. A task can be scheduled to run only once or periodically on a specified day of the week and at a specified interval. For example, you could schedule device backups to occur every three weeks on Fridays, or schedule a particular report to be emailed to one or more recipients every Monday.

Schedule a New Task
To schedule a new task:
1. On the Administration menu, click Tasks. The Task Manager screen appears.
Figure 182 Task Manager
2. Click New.
3. In the Main tab, type a name (1-32 characters, alphanumeric characters or underscores, no spaces) and description for the task.
4. Click the Task Data tab.
5. Click the Task Operation drop-down menu and select the task to be scheduled, such as Upgrade Device Firmware, from the list.
• Periodic: Use the up and down arrows to select the Start time at which the task should begin. Type the number of times the task should be executed in the Repeat Count field. Type the time that should elapse between repetitions in the Repeat Interval field. Click the drop-down menu and select the unit of time from the list.
• Daily: Click the radio button next to Every day if you want the task to repeat 7 days per week.
• To view the history of a task, select the task, and then click Task History.
• To view details of a task, double-click a task.
• To change a scheduled task, select the task, and then click Edit to open the Edit Task window. Change the task specification as needed, and then click Update. Please refer to Create a New Task, earlier in this chapter, for tab descriptions.
3. Select a software version of CC-NOC you want to add, and then click Next. Version 5.1 has fewer integration features than 5.2 and later, and only requires adding a name and an IP address. For additional information on CC-NOC 5.1, please refer to www.raritan.com/support. Click Product Documentation, and then click CommandCenter NOC.
Figure 183 Add CC-NOC Configuration Screen
4. Type a descriptive name for the CC-NOC in the Name field.
To stop CC-NOC from monitoring a device, it can be unmanaged. Please refer to the CommandCenter NOC Administrator Guide for additional information.
Note: Use the CC-NOC Synchronization Report to view targets that the CC-SG is subscribing to. The report also displays any new targets that have been discovered by CC-NOC. Please refer to Chapter 11: Generating Reports, CC-NOC Synchronization Report for additional information.
7.

Delete a CC-NOC
To remove and unregister a CC-NOC in CC-SG, do the following.
1. On the Access menu, click CC-NOC Configuration.
2. Select the CC-NOC you want to delete from CC-SG, and then click Delete. You are prompted to confirm the deletion.
3. Click Yes to delete the CC-NOC. A CC-NOC Deleted Successfully message confirms that CC-NOC has been deleted.

SSH Access to CC-SG
Use Secure Shell (SSH) clients, such as PuTTY or OpenSSH Client, to access a command line interface to the SSH (v2) server on CC-SG. Only a subset of CC-SG commands is provided via SSH to administer devices and CC-SG itself.
The SSH client user is authenticated by CC-SG, and existing authentication and authorization policies are applied to the SSH client.
SSH Commands
The following table describes all commands available in SSH. You must be assigned the appropriate privileges in CC-SG to access each command.
COMMAND                                                        DESCRIPTION
activeports                                                    List active ports.
activeusers                                                    List active users.
backup device <[-host ] | [-id ]> backup_name [description]    Backup device configuration.
clear                                                          Clear screen.
COMMAND                                                        DESCRIPTION
more [-p ]                                                     Make paging
pingdevice <[-id ] | [host]>                                   Ping device
restartcc minutes [message]                                    Restart CC-SG
restartdevice <[-id ] | [host]>                                Restart device
restoredevice <[-host ] | [-id ]> [backup_id]                  Restore device configuration
shutdowncc minutes [message]                                   Shutdown CC-SG.
ssh [-e ] <[-id ] | [host]>                                    Open SSH connection to an SX device
su [-u ]                                                       Change a user.
Create an SSH Connection to an SX Device
You can create an SSH connection to an SX device to perform administrative operations on the device. Once connected, the administrative commands supported by the SX device are available.
Note: Before you connect, ensure that the SX device has been added to the CC-SG.
1. Type listdevices to ensure the SX has been added to CC-SG.
Figure 185 Listing Devices on CC-SG
2.
Use SSH to Connect to a Node via a Serial Out-of-Band Interface
You can use SSH to connect to a node through its associated serial out-of-band interface. The SSH connection is in proxy mode.
1. Type listinterfaces to view the node IDs and associated interfaces.
Figure 187 Listinterfaces in SSH
2. Type connect -i to connect to the node associated with the interface.
Figure 188 Connecting to a Node via a Serial Out-of-Band Interface
3.
Diagnostic Console
The Diagnostic Console is a standard, non-graphical interface that provides local access to CC-SG. It can be accessed from a serial or KVM port, or from Secure Shell (SSH) clients, such as PuTTY or OpenSSH Client. Two logins are provided: one is status, which gives access to the Status Console, and the other is admin, which gives access to the Administrator Console. All login usernames and passwords are case-sensitive.
Accessing Status Console
A password is not required to access the Status Console, but password usage can be enforced.
1. At the login prompt, type status. The read-only Status Console appears.
Figure 190 Status Console
• This screen dynamically displays information about the health of the system and whether CC-SG and its sub-components are working.
• The time in the upper-right corner of the screen is the last time at which the CC-SG data was polled.
Accessing Administrator Console
Note: All information displayed in the Administrator Console is static. If the configuration changes through the CC-SG GUI or the Diagnostic Console, you must log in to the Administrator Console again after the changes have taken effect to view them in the Administrator Console.
1. At the login prompt, type admin.
2. Type the CC-SG password. The default password is raritan.
Editing Diagnostic Console Configuration
The Diagnostic Console can be accessed via the serial port (COM1), VGA/Keyboard/Mouse (KVM) port, or from Secure Shell (SSH) clients. For each port type, you can configure whether or not status or admin logins are allowed, and whether field support can also access Diagnostic Console from the port.
2. If the network interfaces have already been configured, you will see a Warning message stating that you should use the CC-SG GUI (administrator’s Director Client) to configure the interfaces. If you want to continue, click YES.
Figure 193 Editing Network Interfaces
3. Type your hostname in the Host Name field. After you save, this field will be updated to reflect the Fully-Qualified Domain Name (FQDN), if known.
Ping an IP Address (Network Interfaces)
Use ping to check that the connection between the CC-SG computer and a particular IP address is working correctly.
Note: Some sites explicitly block ping requests. Verify that the target and intervening network allow pings before assuming that there is a problem.
1. Click Operation, Network Interfaces, and then click Ping.
2.
3. (Optional) Select:
OPTION                        DESCRIPTION
Verbose                       Verbose output, which lists received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs.
No DNS Resolution             Does not resolve addresses to host names.
Use ICMP (vs. normal UDP)     Use ICMP ECHO instead of UDP datagrams.
4.
Viewing Log Files (Admin)
You can view one or more log files simultaneously via LogViewer, which allows browsing through several files at once, to examine system activity.
To view log files:
1. Click Operation, Admin, then System Logfile Viewer.
2. The Logviewer screen is divided into 4 main areas (see screen below):
• List of Logfiles currently available on the system. If the list is longer than the display window, the list can be scrolled using the arrow keys.
The “Sort Logfile list by:” window is a set of radio buttons (i.e., mutually exclusive) that controls the order in which logfiles are displayed in the “Logfile to View” window.
OPTION                 DESCRIPTION
Individual Windows     Display the selected logs in separate sub-windows.
Merged Windows         Merge the selected logs into one display window.
Initial Buffer         Sets initial buffer or history size. 5000 is default.
5. If desired, you can change colors in a log file to highlight what is important. Type c to change colors of a log file and select a log from the list if you have chosen to view several.
Figure 197 Changing Colors in Log Files
6. Type i for info to display system information.
Note: System load is static as of the start of this Admin Console session. Use the TOP utility to dynamically monitor system resources.
Figure 198 Displaying Information
7.
8. Type a to add a regular expression. For example, if you want to display information on the WARN messages in sg/jboss/console.log log file, enter WARN and select match.
Note: This screen also shows the Default Filter Scheme for console.log, which removes most of the Java heap messages.
Figure 200 Specifying a Regular Expression for a Log File
9. Select F1 to get help on all LogViewer options.
Restarting CC-SG (Admin)
You can restart CC-SG, which will log off all current CC-SG users and terminate their sessions to remote target servers.
Important: It is HIGHLY recommended to restart CC-SG in the CC-SG GUI instead, unless it is absolutely necessary to restart it here. Please refer to Restart CC-SG in Chapter 12: System Maintenance for additional information. Restarting CC-SG in Diagnostic Console will NOT notify CC-SG GUI users that it is being restarted.
Rebooting CC-SG (Admin)
This option will reboot the entire CC-SG, which simulates a power cycle. Users will not receive a notification. CC-SG, SSH, and Diagnostic Console users (including this session) will be logged off. Any connections to remote target servers will also be terminated.
To reboot CC-SG:
1. Click Operation, Admin, and then click CC-SG System Reboot.
2. Either click REBOOT System or press ENTER to reboot CC-SG.
Powering Off the CC-SG System (Admin)
This option will power down the entire CC-SG. Users will not receive a notification. CC-SG, SSH, and Diagnostic Console users (including this session) will be logged off. Any connections to remote target servers will also be terminated. The only way to power the CC-SG unit back on is to press the power button on the front panel of the unit.
To power off the CC-SG:
1. Click Operation, Admin, and then click CC-SG System Power OFF.
To reset the CC-SG GUI admin password:
1. Click Operation, Admin, and then click CC-SG ADMIN Password Reset.
2. Either click Reset CC-SG GUI Admin Password or press ENTER to change the admin password back to factory default. Confirm the password reset in the next screen to proceed.
OPTION                                      DESCRIPTION
Full CC-SG Database Reset                   Selecting this option completely removes the existing CC-SG Database and builds a new version from scratch, loading it with all the Factory Default values.
Preserve CC-SG Personality during Reset     This option is only valid and effective if the previous option is also selected.
Diagnostic Console Passwords (Admin)
This option provides the ability to configure the strength of passwords (status and admin) and allows you to configure password attributes, such as setting the maximum number of days that must elapse before you need to change the password, which should be done via the Account Configuration menu.
3. Select either Regular, Random, or Strong for the admin and status (if enabled) passwords.
PASSWORD SETTING     DESCRIPTION
Regular              These are standard. Passwords must be longer than 4 characters with few restrictions. This is the system default password configuration.
Random               Provides randomly generated passwords.
This screen is split into three main areas:
• The top displays read-only information about the accounts on the system.
• The middle section displays the various parameters related and pertinent to each ID, along with a set of buttons, to allow the parameters to be updated or new passwords provided for the accounts.
• The final area restores the password configuration to Factory Defaults (or how the system was initially shipped).
3.
2. Either click Refresh or press Enter to refresh the display. Refreshing the display is especially useful when upgrading or installing, and you want to see the progress of the RAID disks as they are being rebuilt and synchronized.
Figure 208 Displaying Disk Status of CC-SG in Diagnostic Console
Note: The disk drives are fully synchronized and full RAID-1 protection is available when you see a screen as shown above. The status of both the md0 and md1 arrays is [UU].
3. Type h to bring up an extensive help screen for the top command. The standard F1 help key is not operational here. To return to the Admin Console, type CTL+Q or CTL+C.
Displaying NTP (Network Time Protocol) Status (Utilities)
This option displays the status of the NTP time daemon if it is configured and running on CC-SG.
To display status of the NTP daemon on the CC-SG:
1. Click Operation, Utilities, and then click NTP Status Display.
2.
Serial Admin Port
The serial admin port on CC-SG can be connected directly to a Raritan serial device, such as Dominion SX or KSX. You can connect to the SX or KSX via the IP address using a terminal emulation program, such as HyperTerminal or PuTTY. Set the baud rate in the terminal emulation program to match the SX or KSX baud rate.
Appendix A: Specifications (G1, V1, and E1)
G1 Platform
General Specifications
Form Factor            1U
Dimensions (DxWxH)     22.1” x 17.32” x 1.75” (563mm x 440mm x 44mm)
Weight                 24.07lb (10.92kg)
Power                  Redundant, hot-swappable power supplies, autosensing 110/220 V – 2.
V1 Platform
General Specifications
Form Factor                          1U
Dimensions (DxWxH)                   24.21” x 19.09” x 1.75” (615mm x 485mm x 44mm)
Weight                               23.80lb (10.80kg)
Power                                Single Supply (1 x 300 watt)
Operating Temperature                10 - 35 (50 - 95 )
Mean Time Between Failure (MTBF)     36,354 hours
KVM Admin Port                       (DB15 + PS2 or USB Keyboard/Mouse)
Serial Admin Port                    DB9
(2) USB 2.
E1 Platform
General Specifications
Form Factor                          2U
Dimensions (DxWxH)                   27.05” x 18.7” x 3.46” (687 mm x 475 mm x 88 mm)
Weight                               44.09 lbs (20 kg)
Power                                SP502-2S Hot-Swappable 500W 2U power supply
Operating Temperature                0~50 degree C
Mean Time Between Failure (MTBF)     53,564 hours
KVM Admin Port                       PS/2 keyboard and mouse ports, 1 VGA port
Serial Admin Port                    Fast UART 16550 serial port
Console Port                         (2) USB 2.0 Ports
Hardware Specifications
Processor                            (2) AMD Opteron 250 2.
Shock                                30 g for 11 ms with a ½ sine wave for each of the perpendicular axes X, Y, and Z
Appendix B: CC-SG and Network Configuration
Introduction
This appendix describes the network requirements (addresses, protocols and ports) of a typical CC-SG deployment. It includes information about how to configure your network for both external access (if desired) and internal security and routing policy enforcement (if used).
Figure 215 CC-SG Deployment Elements (diagram labels: CC Clients, Internet (Unsecured Network), Firewall, VPN, Internal Network, CC-SG, CC-SG Cluster Peer, CC-NOC, Raritan Device, KVM, Serial, Out-of-Band Node Access, In-Band Access)
CC-SG Communication Channels
The communication channels are partitioned as follows:
• CC-SG ↔ Raritan Devices
• CC-SG ↔ CC-SG Clustering (optional)
• CC-SG ↔ Infrastructure Services
• Clients ↔ CC-SG
• Clients ↔ Targets (Direct Mode)
• Clients ↔ Targets (Proxy Mode)
• Clients ↔ Targets (In-Band)
• CC-SG ↔ CC-NOC
For each communication channel, the tables in the sections that follow:
• Represent the symbolic IP addresses used by the communicating parties.
Each CC-SG in the cluster may be on a separate LAN. However, the inter-connection between the units should be very reliable and not prone to periods of congestion.
PC Clients to Nodes
Another significant role of CC-SG is to connect PC clients to various nodes. These nodes can be serial or KVM console connections to Raritan devices (called Out-of-Band connections). Another mode is to use In-Band access (IBA) methods, for example, Virtual Network Computing (VNC), Windows Remote Desktop (RDP), or Secure Shell (SSH).
CC-SG & CC-NOC
CC-NOC is an optional appliance that can be deployed in conjunction with CC-SG. CC-NOC is a Raritan network-monitoring appliance that audits and monitors the status of servers, equipment, and Raritan devices that CC-SG manages.
Security and Open Port Scans
As part of the CC-SG Quality Assurance process, several open port scanners are applied to the product and Raritan makes certain that its product is not vulnerable to these known attacks. All the open or filtered/blocked ports are listed in the above sections.
Appendix C: User Group Privileges
MENU > SUB-MENU     MENU ITEM                REQUIRED PRIVILEGE     DESCRIPTION
Secure Gateway                                                      This menu is available for all users.
                    My Profile               None*
                    Message of the Day       None*
                    Print                    None*
                    Logout                   None*
                    Exit                     None*
Users                                                               This menu and the User tree are available only for users with the User Management privilege.
MENU > SUB-MENU     MENU ITEM     REQUIRED PRIVILEGE
> Bulk Copy                 Device, Port and Node Management
> Upgrade Device            Device Configuration and Upgrade Management
>> Configuration
>> Backup                   Device Configuration and Upgrade Management
>> Restore                  Device Configuration and Upgrade Management
>> Copy Configuration       Device Configuration and Upgrade Management
> Restart Device            Device, Port and Node Management or Device Configuration and Upgrade Management
>
MENU > SUB-MENU     MENU ITEM     REQUIRED PRIVILEGE
Upgrade Management
> Launch User Station Admin
> Change View
> Port Manager
> Port Sorting
> Disconnect Users          Device, Port and Node Management or Device Configuration and Upgrade Management
> Topological View          Device, Port and Node Management
> Create Custom View        Device, Port and Node Management or Device Configuration and Upgrade Management
> Tree View                 Device, Port and Node Management or Device Configuration a
MENU > SUB-MENU     MENU ITEM     REQUIRED PRIVILEGE     DESCRIPTION
Options                     Node Management or Device Configuration and Upgrade Management
> By Port Status            Device, Port and Node Management or Device Configuration and Upgrade Management
Nodes                       This menu and the Nodes tree is available only for users with any one of the following privileges: Device, Port and Node Management, Node In-Band Access, Node Out-of-Band Access, Node Power Control
> Node Sorting Options
MENU > SUB-MENU     MENU ITEM     REQUIRED PRIVILEGE
> Change View
> By Node Status            Any of the following: Device, Port and Node Management or Node In-Band Access or Node Out-of-Band Access or Node Power Control
> Chat
> Start Chat                Node In-Band Access or Node Out-of-Band Access or Node Power Control
> Show Chat Session         Node In-Band Access or Node Out-of-Band Access or Node Power Control
> End Chat Session          Node In-Band Access or Node Out-of-Band Access or Node Power
MENU > SUB-MENU     MENU ITEM     REQUIRED PRIVILEGE     DESCRIPTION
                            Access or Node Out-of-Band Access or Node Power Control
Associations                This menu is available only for users with the User Security Management privilege
> Associations              User Security Management     Includes ability to add, modify and delete.
> Device Group              User Security Management     Includes ability to add, modify and delete.
Reports
> Users
MENU > SUB-MENU     MENU ITEM     REQUIRED PRIVILEGE
> Devices Asset Management  Device, Port and Node Management
> Nodes
> Node Asset Report         Device, Port and Node Management
> Active Nodes              Device, Port and Node Management
> Node Creation             Device, Port and Node Management
> Query Port                Device, Port and Node Management
> Active Ports              Device, Port and Node Management
Scheduled Reports           CC Setup and Control
CC-NOC Synchronization      CC Setup and Control
CC-NOC Conf
MENU > SUB-MENU     MENU ITEM     REQUIRED PRIVILEGE
Notifications               CC Setup and Control
Tasks                       CC Setup and Control
Compatibility Matrix        Device Configuration and Upgrade Management
Backup                      CC Setup and Control
Restore                     CC Setup and Control
Reset                       CC Setup and Control
Restart                     CC Setup and Control
Upgrade                     CC Setup and Control
Shutdown                    CC Setup and Control
> Enter Maintenance Mode    CC Setup and Control
> Exit Maintenance Mode     CC Setup and Contro
Appendix D: SNMP Traps
CC-SG provides the following traps:
SNMP TRAP                      DESCRIPTION
ccUnavailable                  CC-SG application is unavailable
ccAvailable                    CC-SG application is available
ccUserLogin                    CC-SG user logged in
ccUserLogout                   CC-SG user logged out
ccPortConnectionStarted        CC-SG session started
ccPortConnectionStopped        CC-SG session stopped
ccPortConnectionTerminated     CC-SG session terminated
ccImageUpgradeStarted          CC-SG image upgrade started
ccImageUpgradeResults          CC-SG ima
ccUserGroupModified            CC-SG user group has been modified
ccSuperuserNameChanged         CC-SG Superuser password has changed
ccSuperuserPasswordChanged     CC-SG Superuser password has changed
ccLoginBannerChanged           CC-SG login banner has changed
ccMOTDChanged                  CC-SG Message of the Day (MOTD) has changed
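The traps listed above can be triaged on the trap receiver to separate account and banner changes from routine session traffic and to pair ccUnavailable with ccAvailable. The following Python sketch is an added example, not Raritan code: only the trap names come from this appendix, while the log line format, the user= field, the severity grouping and the sample events are constructed assumptions.

```python
"""Triage of CC-SG SNMP trap names (added example, not Raritan code).

Only the trap names come from Appendix D. The line format
"<ISO timestamp> <trapName> [user=<name>]" is an assumed rendering of what a
trap receiver might log, and the severity grouping is a choice made here.
"""
from datetime import datetime

# Grouping of Appendix D trap names by why a defender cares (assumption).
PRIVILEGE_CHANGE = {"ccSuperuserNameChanged", "ccSuperuserPasswordChanged",
                    "ccUserGroupModified"}
TAMPER_SIGNAL = {"ccLoginBannerChanged", "ccMOTDChanged"}

# Constructed sample input, not captured from a real CC-SG.
SAMPLE = """\
2007-06-01T02:10:00 ccUserLogin user=opsadmin
2007-06-01T02:11:30 ccSuperuserPasswordChanged user=opsadmin
2007-06-01T02:12:05 ccLoginBannerChanged user=opsadmin
2007-06-01T02:13:00 ccPortConnectionStarted user=opsadmin
2007-06-01T02:15:00 ccPortConnectionTerminated user=opsadmin
2007-06-01T02:20:00 ccUnavailable
2007-06-01T02:26:00 ccAvailable
2007-06-01T02:40:00 ccUserLogin user=jdoe
2007-06-01T03:00:00 ccUnavailable
"""


def parse(line):
    """Split one assumed-format line into (timestamp, trap name, fields)."""
    ts, trap, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), trap, fields


def triage(text):
    """Return (severity, timestamp, message) findings in processing order."""
    findings = []
    logged_in = {}      # user -> time of the login with no logout yet
    down_since = None   # time of a ccUnavailable not yet cleared
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, trap, fields = parse(line)
        user = fields.get("user", "unknown")
        if trap == "ccUserLogin":
            logged_in[user] = ts
        elif trap == "ccUserLogout":
            logged_in.pop(user, None)
        elif trap in PRIVILEGE_CHANGE:
            findings.append(("HIGH", ts, f"{trap} by {user}"))
        elif trap in TAMPER_SIGNAL:
            findings.append(("MEDIUM", ts, f"{trap} by {user}"))
        elif trap == "ccPortConnectionTerminated":
            findings.append(("LOW", ts, f"session terminated for {user}"))
        elif trap == "ccUnavailable":
            down_since = ts
        elif trap == "ccAvailable" and down_since is not None:
            minutes = int((ts - down_since).total_seconds() // 60)
            findings.append(("LOW", ts, f"outage of {minutes} min"))
            down_since = None
    if down_since is not None:
        findings.append(("HIGH", down_since,
                         "ccUnavailable with no ccAvailable afterwards"))
    for user, since in logged_in.items():
        findings.append(("INFO", since, f"{user} logged in, no ccUserLogout seen"))
    return findings


if __name__ == "__main__":
    for severity, ts, message in triage(SAMPLE):
        print(f"{severity:<6} {ts.isoformat()} {message}")
```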
Appendix E: Troubleshooting
• Launching CC-SG from your web browser requires a Java plug-in. If your machine has an incorrect version, CC-SG will guide you through the installation steps. If your machine does not have a Java plug-in, CC-SG cannot automatically launch. In this case, you must uninstall or disable your old Java version and provide serial port connectivity to CC-SG to ensure proper operation.
Appendix F: Two-Factor Authentication
As part of CC-SG RADIUS-based remote authentication, CC-SG can be configured to point to an RSA RADIUS Server which supports two-factor authentication via an associated RSA Authentication Manager. CC-SG acts as a RADIUS client and sends user authentication requests to the RSA RADIUS Server. The authentication request includes user id, a fixed password, and a dynamic token code.
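To show what such an authentication request looks like on the wire, the following added example (not Raritan or RSA code) builds a RADIUS Access-Request per RFC 2865 and recovers the passcode the way a server holding the shared secret would. Assumptions not taken from this guide: the PAP-style User-Password attribute is used, the fixed password and token code are concatenated into one passcode, and every name and value is constructed.

```python
"""RADIUS Access-Request carrying a two-factor passcode (added example).

Packet layout and User-Password hiding follow RFC 2865. Assumptions, none of
them from the guide: User-Password (PAP style) is used, the passcode is
fixed password + token code, and all names and values are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor_chain(data, secret, authenticator, decrypt=False):
    """XOR 16-octet blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result   # always chain on ciphertext
    return out


def hide_password(passcode, secret, authenticator):
    """Client side: pad to a multiple of 16 octets, then hide."""
    if not 1 <= len(passcode) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    return _xor_chain(padded, secret, authenticator)


def reveal_password(hidden, secret, authenticator):
    """Server side: the same shared secret undoes the hiding."""
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type, length (including the 2 header octets), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, authenticator, secret, user, fixed_pw, token, nas_id):
    passcode = (fixed_pw + token).encode()      # concatenation is an assumption
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(passcode, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {attribute type: value} from a packet built above."""
    attrs, pos = {}, 20                          # 20-octet fixed header
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed value
    request_auth = os.urandom(16)                # fresh per request
    pkt = build_access_request(1, request_auth, secret,
                               "jdoe", "fixedpw", "123456", "cc-sg-lab")
    hidden = parse_attributes(pkt)[ATTR_USER_PASSWORD]
    print(pkt.hex())
    print(reveal_password(hidden, secret, request_auth))
```

The passcode is protected only by an MD5 keystream keyed with the shared secret, so the secret configured between CC-SG and the RADIUS server should be long and random, and the path between them kept on a trusted network segment.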
Appendix G: FAQs
General
QUESTION: What is CC-SG?
ANSWER: CC-SG is a network management device for aggregating and integrating multiple servers and network equipment typically deployed in a datacenter and which are connected to a Raritan IP-enabled product.
QUESTION: Why would I need CC-SG?
ANSWER: As you deploy more and more datacenter servers and devices, their management becomes exponentially complex.
sure that they are not checked.
QUESTION: What do I do if I am unable to add a console/serial port to CC-SG?
ANSWER: Assuming the console/serial device is a Dominion, ensure that the following conditions are met:
- The Dominion unit is active.
- The Dominion unit has not reached the maximum number of configured user accounts.
access to a specific user?
have the ability to assign specific nodes per user.
QUESTION: If we had more than 1,000 users, how would this be managed? Do you support Active Directory?
ANSWER: CC-SG works with Microsoft Active Directory, Sun iPlanet or Novell eDirectory. If a user account already exists in an authentication server, then CC-SG supports remote authentication using AD/TACACS+/RADIUS/LDAP authentication.
Accounting
QUESTION: The event times in the Audit Trail report seem incorrect. Why?
ANSWER: Log event times are logged according to the time settings of the client computer. You can adjust the computer’s time and date settings.
QUESTION: Can audit/logging abilities track down who switched on or off a power plug?
ANSWER: Direct power switch-off is not logged, but power control through CC-SG can be logged to audit logs.
Interoperability
QUESTION: How does CC-SG integrate with Blade Chassis products?
ANSWER: CC-SG can support any device with a KVM or serial interface as a transparent pass-through.
QUESTION: To what level is CC-SG able to integrate with 3rd party KVM tools, down to 3rd party KVM port level or simply box level?
ANSWER: 3rd party KVM switch integration is typically done through keyboard macros when the 3rd party KVM vendors do not publicize the communications protocols for the 3rd party KVM switches.
Appendix H: Keyboard Shortcuts
The following keyboard shortcuts can be used in the Director Client.