Dominion SX User Guide Release 3.1.5 Copyright © 2008 Raritan, Inc.
This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of Raritan, Inc. © Copyright 2008 Raritan, Inc., CommandCenter®, Dominion®, Paragon® and the Raritan company logo are trademarks or registered trademarks of Raritan, Inc. All rights reserved. Java® is a registered trademark of Sun Microsystems, Inc.
Safety Guidelines
To avoid potentially fatal shock hazard and possible damage to Raritan equipment:
• Do not use a 2-wire power cord in any product configuration.
• Test AC outlets at your computer and monitor for proper polarity and grounding.
• Use only with grounded outlets at both the computer and monitor.
• When using a backup UPS, power the computer, monitor and appliance off the supply.
Rack Mount Safety Guidelines
In Raritan products that require rack mounting, follow these precautions:
• Operation temperature in a closed rack environment may be greater than room temperature. Do not exceed the rated maximum ambient temperature of the appliances (see Appendix A: Specifications on page 245).
• Ensure sufficient airflow through the rack environment.
• Mount equipment in the rack carefully to avoid uneven mechanical loading.
How to - Dominion SX Essentials
This chapter includes 10 of the most common cases to help users quickly become familiar with practical operation of Dominion SX units. Note that the data entered in the cases are examples and may vary in different situations.

Case 1. Upgrading DSX Firmware via Web Browser
1. Purpose: To upgrade DSX firmware version for enhanced features or service patches.
2. Check Raritan support website for availability of latest firmware version: (http://www.raritan.
5. After the firmware upgrade is completed, log in to the SX and check the firmware version again from: Maintenance > Firmware Version. You can also check the firmware upgrade history to make sure: Maintenance > Firmware Upgrade History.
6. Refer to: Upgrade the Firmware (on page 116) section for details.

Case 2. Configuring and Using Direct Port Access via SSH
1. Purpose: To allow users to directly SSH into the serial target without using DSX GUI.
2.
How to - Dominion SX Essentials 5. In the RSC window, choose Emulator > Get Write Lock (If some other user has previously obtained Write Access, please perform ʺGet Write Accessʺ first from the Emulator menu of RSC). The icon on status line will display Write Access (Lock) now, meaning now all users can only view the port connection. 6. Log in the device connected to the port, and try interacting with the device using the RSC panel. 7. Refer to: Get Write Access section for details. 8.
Case 6. Performing Factory Reset on DSX 4. Select the Power Strip and outlet from the drop‐down menu to match how the device is connected to power. Then click Add and the information will appear in the text box as ʺ[Power Strip Name] \ [outlet 1]ʺ. Select the same power strip and another outlet, then press Add button to add it. Another line will display in the text box as ʺ[Power Strip Name] \ [outlet 2]ʺ. Click OK to commit the changes. 5.
How to - Dominion SX Essentials Case 7. Managing User Profiles on DSX 1. Purpose: To create, update or delete a DSX user. 2. Log in SX via a web browser with your login username and password, such as (admin/raritan). 3. Choose User Management > User List, and the page will display a list of user profiles created. 4. To create a user profile, click Add New User button. 5. To modify an existing user profile, see Modify a User Profile (on page 34) section for details. 6.
Case 9. Port Configuration
1. Purpose: To configure DSX serial ports to set up correct serial communications parameters (e.g. baud rate, data bits, stop bit, flow control) and terminal emulation mode to match the serial targets connected to the ports, and name the ports to more easily identify the targets.
2. Log in SX via a web browser with your login username and password, such as (admin/raritan).
3.
How to - Dominion SX Essentials a. Enter the following command to log in: ssh -l admin 192.168.0.192 b. Enter the admin username and password: login as: admin The password prompt appears. Enter the default password: raritan c. The console will display all the ports on SX unit with port numbers. d. Enter a port number at the prompt, for example: admin> 1 4. e. To return back to the SX console, enter the escape sequence characters.
Chapter 1 Preface
The Dominion SX User Guide provides the information needed to install, set up and configure, access devices such as routers, servers, switches, VPNs, and power strips, manage users and security, and maintain and diagnose the Dominion SX secure console server.
Acronym | Meaning
CLI | Command Line Interface
CSC | Common Socket Connection
DPA | Direct Port Access
HTTP | Hypertext Transfer Protocol
HTTPS | HTTP Secure (over SSL)
LAN | Local Area Network
LDAP | Lightweight Directory Access Protocol
LDAP/S | Lightweight Directory Access Protocol/Secure
NFS | Network File System
NTP | Network Time Protocol
PPP | Point to Point Protocol
RADIUS | Remote Authentication Dial In User Service
RSC | Raritan Serial Console
SMTP | Simple Mail Transfer Protocol
SSH | Sec
Chapter 1: Preface Note: general information that is supplemental to the text.
Chapter 2 Introduction
Chapter 2: Introduction Product Features Comprehensive Console Management • Remote Management: Access, monitor, administer, and troubleshoot up to 48 target devices (depending on the model) via Secure Socket Shell (SSH), Telnet, Local Port or Web browser with only one IP address. • Direct Port Access via TCP/IP address per port; or one IP address and TCP Port numbers. • Notification: Create notification messages by email alerts.
Product Features Strong Security and User-Authentication • SSHv2 Support • Encryption Security: 128‐bit SSL handshake protocol and RC4 encryption. • User Authentication Security: local database, remote authentication • Supports RADIUS, TACACS+, LDAP, LDAP(S), Microsoft Active Directory, and NTP. • Supports user‐defined and installable security Certificates. Reliable Connectivity • Optional Modem Connectivity: For emergency remote access if the network has failed.
Chapter 2: Introduction Package Contents Each Dominion SX ships with the following: • (1) Dominion SX unit with mounting kit (Rack‐mount kit is optional on some units) • (1) Raritan Dominion SX User Guide CD‐ROM, which contains the installation and operations information for the Dominion SX • (1) Printed Dominion SX Quick Setup Guide • (1) Power cord • (1) Release Notes • (1) Packing List page • (1) RJ45 serial loop‐back plug • A DB9 Factory Reset Adapter for some units (Other units have a r
Installation Chapter 3 There are two ways of completing the initial network installation of the Dominion SX: • Using a serial cable with a VT100/equivalent, such as a PC with HyperTerminal. • Using Ethernet (with an installation computer). This section describes the steps necessary to configure Dominion SX for use on a local area network (LAN). The following table describes the factory default network settings that come with the Dominion SX.
Chapter 3: Installation Pre-Installation Ensure that you have the correct cabling ready to connect to the serial consoles of the target server(s) or other serially managed devices that provide a console port. The following sections describe information that you must supply to complete the configuration of the Dominion SX. Obtain all required configuration information prior to performing the configuration steps. If you are uncertain of any information, contact your system administrator for assistance.
Hardware Installation 4. Connect the other end of the network LAN cable to the network card in the installation computer. 5. Connect the female end of the external power cord to the back of the chassis. 6. Connect the male end of the external power cord to the power supply outlet. 7. Power ON the Dominion SX unit. Note: The unit will perform a hardware and firmware self‐test then start the software boot sequence, which takes a short time and is complete when the light turns on and remains on.
Windows 98/2000/NT system: route add 192.168.0.192 . [Example: route add 192.168.0.192 15.128.122.12]
UNIX (including Sun Solaris) system: route add 192.168.0.192 -interface. [Example: route add 192.168.0.192 15.128.122.12 -interface]
3. Type ping 192.168.0.192. Go to step 4 if you receive a successful reply from the Dominion SX unit.
Hardware Installation See Security (on page 82) and Appendix C: Certificates (see ʺCertificatesʺ on page 259) for information about installing certificates. The login screen appears after you finish viewing the security alerts and the Certification Information screen.
Chapter 3: Installation Log in with the default username admin and password raritan. Use all lowercase letters. 7. After login, the Dominion SX prompts you to change the default password: 8. Type a new secure password then retype it (Remember the new password for next login.) 9. Click OK. The Dominion SX Port Access Screen appears. (See Initial Software Configuration (on page 17) chapter for details.
Hardware Installation Network Access 1. Ensure that the installation computer has the route for 192.168.0.192 and that it can communicate with IP address 192.168.0.192. 2. To check the route table in Windows, type the command route print in a Command window on the installation computer. If 192.168.0.192 is on the gateway list, proceed to step 3. Otherwise, add 192.168.0.192 to the gateway list using the appropriate DOS or UNIX CLI command: Windows 98/2000/NT system: route add 192.168.0.
In this example, 9 is the time zone code (Step 3) and "2007-02-05 09:22:33" the date/time string in the format "YYYY-MM-DD HH:MM:SS" (quotes required).

Network Configuration
1. Type Configuration to change the unit's configuration.
2. Type Network to select the network configuration.
3. Type: admin > Config > Network > interface enable true if lan1 ip 192.16.151.12 mask 255.255.255 gw 192.168.51.
To add a user
1. Type adduser user fullname group password info dialback active ...
Chapter 4 Initial Software Configuration
After the hardware installation, perform the initial software configuration. Do this by logging onto the Dominion SX from either a browser or through a Command Line Interface (See Command Line Interface (on page 124) Chapter for CLI information.)
Dominion SX Initial Software Configuration Important: After you complete each configuration task, you must return to the Setup tab to perform the next configuration task.
Chapter 4: Initial Software Configuration Date / Time Configuration 1. Choose Setup > Date / Time. The Date / Time Configuration screen appears. 2. Select the correct time zone from the UTC Offset drop‐down menu. 3. Select one of the following: User Specified Time ‐ Click this radio button and enter the date and time manually in the corresponding fields.
Dominion SX Initial Software Configuration 4. Synchronize with NTP Server ‐ Click this radio button and enter the IP address of a Network Time Protocol (NTP) server in the Primary Time Server. If you have a backup NTP server, enter its IP address in the Secondary Time Server field. Click OK. Note: Features such as certificate generation depend on the correct Timestamp, used to check the validity period of the certificate.
Chapter 4: Initial Software Configuration Note: Your network administrator usually assigns the values for the following parameters: 2. Type the data in the following fields: IP Auto Configuration: In the drop‐down menu, select either None or DHCP to be your network protocol. Default is None. IP Address: Network address for this unit Subnet Mask: Subnet mask for the network where this unit will reside Gateway IP Gateway: Default gateway for this unit 3.
Deployment 7. Click OK. Dominion SX displays either a confirmation or error screen. 1. Click OK when the confirmation window appears. After the confirmation screen, Dominion SX automatically disconnects to update the configuration then restarts. 2. Remove the crossover cable between the SX unit and your computer. 3. Connect one end of a straight‐through Cat 5 cable to the SX. 4. Connect the other end of the cable to the network. 5. Use the newly assigned IP Address to access your SX unit. 1.
Chapter 4: Initial Software Configuration Modem Connection (Optional) To configure the DSX for a modem connection: 1. Connect a phone line to the modem port. 2. Write down the phone number for this line because it will be needed when you configure a client for dialup networking. See Appendix E: Modem Configuration (see ʺModem Configurationʺ on page 285) for more information.
Chapter 5 Network Settings and Services
This chapter explains how to configure the basic network settings for the DSX, and how to configure the various access protocols (SSH, telnet, etc.) It also explains how to configure the DSX for modem access, and how to enable IP forwarding and create static routes.
Chapter 5: Network Settings and Services Give the Dominion SX a Name To give the DSX unit a name to help identify it: 1. Type a name in the Unit Name field. 2. Click OK. Configure the DSX's Network Settings To configure the network settings: 1. Select either None or DHCP from the drop‐down menu to determine a method for IP Auto Configuration. The default is None. 2. Type an IP address for the Dominion SX in the IP Address field. 3. Type the subnet mask in the Subnet Mask field. 4.
Configuring the Network Service Settings
The table below indicates the default settings for the various network access services:

Service | Default Setting
HTTP | Enabled. The default port is 80. This can be changed. HTTPS redirect is enabled by default. If HTTPS is also enabled, all HTTP requests are automatically redirected to the HTTPS port (see below).
HTTPS | Enabled. The default port is 443. This can be changed.
Chapter 5: Network Settings and Services To change any of these network service settings: 1. Choose Setup > Services. The Network Service Settings screen appears. 2. Make any necessary changes to the appropriate fields. 3. Click OK.
Configuring Modem Access Configuring Modem Access You can access the DSX via a modem. To set this up: 1. Choose Setup > Modem. The Modem Settings screen appears. 2. Click the checkbox labeled Enable Modem to enable modem access. 3. Type the IP addresses of the Point‐to‐Point (PPP) server in the PPP Server IP field. The default is 10.0.0.1 4. Type the IP address of the PPP client in the PPP Client IP field. The default is 10.0.0.2. 5.
Chapter 5: Network Settings and Services 2. Go to the IP Forwarding panel and click the checkbox labeled Enable IP Forwarding. 3. Click OK. IP forwarding is enabled. Add a New Static Route To add a new Static Route: 1. Choose Setup > Static Routes. The Static Routes screen appears. It consists of an Enable IP Forwarding panel and a Static Routes List.
Configuring IP Forwarding and Static Routes 2. Go to the Static Routes List and click Add New Route. The Static Route screen appears. 3. On a DSX with one LAN interface, LAN appears automatically in the Interface field. On a DSX with two LAN interfaces, select the one you want from the drop‐down menu In the Interface field. LAN1 = eth0 LAN2 = eth1 4. Type the IP address, subnet mask, and gateway of the destination host in the Destination, Mask and Gateway fields. 5.
9. Net means this route is for a subnet. Click OK.

Delete a Static Route
To delete a static route:
1. Choose Setup > Static Routes. The Static Routes screen appears. It consists of an Enable IP Forwarding panel and a Static Routes List.
2. Go to the Static Routes List and click the checkbox next to the route you want to delete.
3. Click Delete. You are prompted to confirm the deletion.
4. Click OK. The route is deleted.
Chapter 6 User Profiles and Groups
This chapter explains how to create and manage user profiles and user groups.
Chapter 6: User Profiles and Groups 2. 3. The User List screen shows every user profile created to date, and for each one gives the: Username Full name Dialback number (if one has been defined) User group The User List screen also indicates whether the user profile is active or inactive. Create a User Profile To create a new user profile: 1. Choose User Management > User List. The User List screen appears (as shown in Display a List of User Profiles (on page 32) section). 2.
Managing User Profiles 3. Type a login name in the Username field. This is the name the user enters to log into the DSX. This field is required. You can enter any number of characters up to a maximum of 255. You can enter any printable character except “ > < The user name is case sensitive. 4. Type the userʹs full name in the Full Name field. This field is required. 5. Type the userʹs telephone number in the Dialback field. This field is optional. 6.
Chapter 6: User Profiles and Groups 2. Click the Username of the profile you want to edit. The Edit User screen appears. It looks exactly like the New User screen (as shown in Create a User Profile (on page 33)). 3. You can change any of the fields except the Username field. 4. For security reasons, the password is not displayed. To change the profileʹs password, type a new password in the Password and Confirm Password fields. If you leave these fields as is, the password is unchanged. 5.
Display a List of User Groups
To display a list of existing user groups, choose User Management > User Group List. The Group List screen appears (as shown below). The Group List screen shows every user group created to date, and for each one gives the group's name and class.

Create a User Group
To create a new user group:
1. Choose User Management > User Group List. The Group List screen appears (as shown in Display a List of User Groups (on page 36) section).
Chapter 6: User Profiles and Groups 2. Click Add New User Group. The New Group screen appears.
3. Type a group name in the Group Name field. You can enter any number of characters up to a maximum of 255. You can enter all letters and numbers, as well as the underscore character (_). The user name is case sensitive.
4. Select the class from the drop-down menu in the Class field.
Managing User Groups Operator This is the default. Users associated with the Operator class have read/write access to the console window, and cannot change any system configuration parameters except their own password. Observer Users associated with the Observer class have read‐only access to the console window, and cannot change any system configuration parameters except their own password. 5.
Chapter 6: User Profiles and Groups 3. Select Delete. You are prompted to confirm the deletion. 4. Click OK. The selected user groups are deleted.
Remote Authentication Chapter 7 This chapter explains how to configure RADIUS, LDAP, and TACACS+ authentication. Tip: If you are setting up remote authentication, it is a good idea to still keep local authentication enabled. When an authentication request reaches the DSX, it looks to authenticate the user remotely first, and then looks to authenticate the user locally.
Chapter 7: Remote Authentication 2. In the RADIUS panel, click the RADIUS button to enable RADIUS authentication. 3. Under Primary Radius, type the following information: IP address of the RADIUS server Port the RADIUS server is listening on (default is 1812) Shared secret 4. If you have a backup RADIUS server, enter the same information in the Secondary Radius fields. 5. Click OK. RADIUS authentication is enabled.
Configuring LDAP 3. Under Primary LDAP, type the IP address of the LDAP server and the port it is listening on (default is 389) in the IP Address and Port fields. 4. Type the root password to access the directory server/manager in the Secret field. The name for this field depends on the Directory Server. For example, Microsoft Windows Active Directory refers to the field as Password, while the SUN iPlanet directory server uses Secret. 5.
Chapter 7: Remote Authentication Configuring TACACS+ You can use the Terminal Access Controller Access‐Control System Plus (TACACS+) to authenticate DSX users instead of local authentication. To configure TACACS+: 1. Choose Setup > Remote Authentication. The Remote Authentication screen appears. It contains a TACACS+ panel. 2. In the TACACS+ panel, click the TACACS+ button to enable TACACS+ authentication. 3.
Chapter 8 Port Configuration and Port Access Application
Port configuration allows Administrators to define the serial/console port settings in order to communicate with remote target devices.
Note: You can access the Raritan Serial Console (RSC) from the Port screen. See the Raritan Serial Console (on page 52) section of this chapter for RSC information.
Port Keywords
You can create port keywords and associate them with:
• Events
• Local/remote syslog messages
• SNMP traps
Port keywords work as a filter. If a keyword is detected, then and only then will a corresponding message be logged in a local/NFS port log. A corresponding event will be sent via SMTP (if configured) and corresponding trap will be sent via SNMP (if configured).
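The filter behaviour described above, sketched as an added example (not Raritan code and not the DSX implementation): serial output arrives in arbitrary-sized reads, so a keyword can straddle two reads, and the matcher carries a short tail between them. The class name, event fields, action labels, the sample console output and the case-sensitive literal matching are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PortKeywordFilter:
    """Keyword filter for one serial port whose output arrives in chunks.

    Hypothetical model for illustration; assumes case-sensitive,
    literal (non-regex) keywords.
    """
    port: int
    keywords: list                       # keywords as bytes, e.g. [b"panic"]
    smtp_configured: bool = False
    snmp_configured: bool = False
    _tail: bytes = field(default=b"", init=False)      # carried end of stream
    _tail_offset: int = field(default=0, init=False)   # stream offset of _tail[0]

    def __post_init__(self):
        self.keywords = [k for k in self.keywords if k]  # ignore empty keywords
        # Carrying (longest keyword - 1) bytes is enough to catch any
        # keyword split across two reads from the serial line.
        self._carry = max((len(k) for k in self.keywords), default=1) - 1

    def _event(self, keyword, offset):
        # A hit is always written to the port log; SMTP and SNMP
        # notifications are added only when those services are configured.
        actions = ["port_log"]
        if self.smtp_configured:
            actions.append("smtp_event")
        if self.snmp_configured:
            actions.append("snmp_trap")
        return {"port": self.port,
                "keyword": keyword.decode("ascii", "replace"),
                "offset": offset,
                "actions": actions}

    def feed(self, chunk):
        """Process one read from the port and return the keyword events."""
        buf = self._tail + chunk
        carried = len(self._tail)
        events = []
        for kw in self.keywords:
            start = buf.find(kw)
            while start != -1:
                # A match lying wholly inside the carried tail was already
                # reported on the previous call, so skip it here.
                if start + len(kw) > carried:
                    events.append(self._event(kw, self._tail_offset + start))
                start = buf.find(kw, start + 1)
        events.sort(key=lambda e: e["offset"])
        keep = min(self._carry, len(buf))
        self._tail_offset += len(buf) - keep
        self._tail = buf[len(buf) - keep:]
        return events


# Constructed sample: console output split at arbitrary read boundaries,
# so neither keyword is complete inside a single chunk.
SAMPLE_CHUNKS = [
    b"login: root\r\nLast login: Mon\r\n# rebo",
    b"ot\r\nSystem going down\r\nkernel: Out of mem",
    b"ory: Killed process 4242\r\n",
    b"# uptime\r\n",
]


def run_sample():
    """Feed the constructed chunks through a filter for port 1."""
    flt = PortKeywordFilter(port=1,
                            keywords=[b"reboot", b"Out of memory"],
                            snmp_configured=True)
    events = []
    for chunk in SAMPLE_CHUNKS:
        events.extend(flt.feed(chunk))
    return events


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

A per-read substring search would report nothing on this sample, because both keywords are split across reads.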
Port Configuration
To configure one or more ports:
1. Choose Setup > Port Configuration. The Port Configuration screen appears.
2. Select the port(s) you want to configure. You can select one port or several ports, so long as the port configurations are all the same. To select specific ports, click the checkboxes to the left of the port numbers and then click Edit. To select all ports, click Select All.
Chapter 8: Port Configuration and Port Access Application The Edit Port screen appears. 3. Make sure the port values match the target systemʹs serial port configuration for the first three values. Select the value of Bits Per Second from the Bits Per Second drop‐down menu. Select the Parity Bits from the Parity Bits drop‐down menu. Select the Flow Control from the Flow Control drop‐down menu. 4.
Port Configuration 6. Select the escape mode. The default is None. The escape sequence only affects the CLI (Command Line Interface). When entering the escape mode, the user is given a menu of commands that can be performed (i.e. gethistory, power commands), a command to return to the port session, and a command to exit the port connection. Change as follows: Select Control from the drop‐down menu in the Escape Mode field. Type the Escape Character.
Chapter 8: Port Configuration and Port Access Application Note: Anonymous access should be enabled for DPA to succeed. 11. Click OK. Direct Port Access To configure direct port access: 1. Choose Setup > Services. The Network Service Settings screen appears. The Direct Port Access Mode field is at the bottom of the screen. 2. Go to the Direct Port Access Mode field. The default is Normal, which means CLI DPA access is disabled. To enable DPA, select either IP or TCP Port from the drop‐down menu. 3.
Anonymous Port Access
Anonymous port access allows users to access DPA configured ports without entering a password. To enable the feature:
1. Choose Security > Login Settings. The Login Settings screen appears (as shown in Login Settings (on page 84) section).
2. Make sure the Anonymous Port Access checkbox at the bottom of the screen is checked.
3. Click the User Management tab, and then click User Group List.
Chapter 8: Port Configuration and Port Access Application Note: A Security popup screen appears only if you used https to connect to the RSC. 3. Click Yes. A Warning ‐ Security popup screen appears. 4. Click Yes to access the Raritan Serial Client from the Port Screen. Note: If you click Always, you will not receive the security screen for future access. The Raritan Serial Console window appears.
Raritan Serial Client Requirements for Java Java Applets and Memory Considerations Usually, a browser based RSC does not need to make any changes to the Runtime parameters for Java Applets. Do the following if you notice any “Out of Memory” errors happening when executing RSC via a web browser: • Change the Runtime settings for Java Applets. • Use the following links to find out how to use Runtime settings in the Java Control Panel. http://java.sun.com/j2se/1.5.
Values

Syntax | Description | Default/Comments
-Xms in bytes | Sets the initial size of the Java heap. | 2097152 (2MB). The -server flag increases the default size to 32M. The values must be a multiple of, and greater than, 1024 bytes (1KB). Append the letter "m" or "M" to indicate megabytes and "k" or "K" to indicate kilobytes.
-Xmn in bytes | Sets the initial Java heap size for the Eden generation. |
-Xmx in bytes | |
Command Example: -Xms128M -Xmn128M -Xmx512M
Refer to the following links for additional information and for all the non-standard options:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/java.html
http://java.sun.com/docs/hotspot/VMOptions.html
Emulator
1. Click the Emulator drop‐down menu to display a list of topics.
IMPORTANT: RSC sessions are affected by the Idle Timeout which is set to 10 minutes by default for security purposes. If you have not changed the Idle Timeout setting from the default, keep in mind that your RSC session could be closed automatically if your RSC configuration time exceeds the Idle Timeout period.
Settings
Note: Terminal emulation settings are set with the port by an Administrator using the Setup ‐> Port Configuration menu.
1. Choose Emulator > Settings. The Settings screen displays the General tab with the default settings.
2. Accept the Main Menu Shortcut: default of None or choose one of the following from the Main Menu Shortcut: drop‐down menu.
• F10
• Alt
3. Accept the Show Confirmation Dialog on Exit default or uncheck it.
4.
5. Accept the Backspace Sends: default of ASCII DEL or choose Control‐H from the Backspace Sends: drop‐down menu.
6. Accept the History Buffer Size: default of 200 or use the arrows to change the buffer size.
7. Accept the Cursor type: default of Block Cursor: or select Line Cursor.
8. Click OK.
Display Settings
1. Return to the Emulator menu, choose Settings and then click the Display tab.
2. Click Default to accept the Default settings. Then click Ok to close the Display Settings window; however, if you want to change the settings, perform the following steps:
3. Accept the Terminal Font Properties default of Arial or choose a font from the Terminal Font Properties scrolling list.
4. Accept the Antialiase Font default or uncheck it.
5. If you want to change the size of the font, check the Lock Font Size box and choose a font size from the Font size: drop‐down menu.
6. Click the GUI Font Properties tab and accept the default of Monospaced or choose a font from the GUI Font Properties scrolling list.
Note: For Simplified Chinese characters, Raritan Serial Console supports EUC‐CN encoding system.
7.
• Background Color
8. Choose one of the following from the Encoding drop‐down menu:
• US‐ASCII
• ISO‐8859‐1
• ISO‐8859‐15
9. Choose one of the following from the Language drop‐down menu:
• English
• Japanese
• Korean
• Chinese
10. Click Ok to close the Display Settings window. If you changed the Language setting, the RSC changes to that language when the Display Settings window is closed.
Get Write Access
Only Administrators and Operators can get write access. The user with Write Access can send commands to the target device. Write Access can be transferred among users working in the Raritan Serial Console via the Get Write Access command. To enable Write Access, click Get Write Access on the Emulator menu.
• You now have Write Access to the target device.
Connected Users
The Connected Users command allows you to view a list of other users who are currently connected on the same port.
1. Click Connected Users to view the connected users on the Emulator menu.
2. A check mark appears in the Write Access column after the name of the User who has Write Access to the console.
3. Click Close to close the Connected Users window.
Exit
1. Click Exit on the Emulator menu to close the Raritan Serial Console.
Edit
Use the Copy, Paste, and Select All text commands to relocate and/or re‐use important text.
To copy and paste all text:
1. Click Select All on the Edit menu.
2. Click Copy on the Edit menu.
3. Position the cursor at the location where you want to paste the text.
4. Click once to make that location active.
5. Click Paste on the Edit menu.
Note: The text copy limit in Raritan Serial Console is 9999 lines.
Tools
Click the Tools drop‐down menu to display a list of topics.
Start Logging
The Start Logging function allows you to collect raw console data from the target device and save it to a file on your computer. When you start RSC, the Logging indicator on the status bar indicates whether logging is on or off.
1. On the Tools menu, click Start Logging.
2. Choose an existing file or provide a new file name in the Save RSC Log dialog.
3. When an existing file is selected for logging, data gets appended to the contents. Providing a new file name results in a new file being created. Click Save after selecting or creating a file.
Stop Logging
On the Tools menu, click Stop Logging. The logging stops.
Send Keystroke
1. On the Tools menu, click Send Keystroke. A Send Keystroke screen appears:
2.
Send Text File
1. On the Tools menu, click Send Text File. A Send Text File screen appears.
2. Open the directory of the Text file.
3. Click on or enter the File Name of the Text file.
4. Click Open. As soon as you click the Open dialog, it sends whatever file you selected directly to the port. If there is a loopback plug inserted, you see the file displayed. If there is currently no target connected, then nothing will be visible on the screen.
Chat
When using browser access over SSL, an interactive chat feature called Chat allows you and other users on the same port to communicate. You can conduct an online dialog for training or collaborative diagnostic activities. The maximum length of a chat message is 300 characters.
Note: When a chat is initiated, a chat window appears on the monitors of all SSL users logged on to the port.
Standalone Raritan Serial Console Installation
Help
Help Topics include online assistance for operating the Raritan Serial Console and release information about Raritan Serial Console.
Help Topics
To access help topics:
• Click Help Topics on the Help menu.
About Raritan Serial Console
The About Raritan Serial Console dialog displays the copyright and version information (name and revision number) of the console terminal emulation software.
Standalone Raritan Serial Client Requirements
The following requirements must be met to support the Raritan Serial Console:
• The RSC will function with JRE version 1.4.2_05 or later (except for JRE version 1.5.0_02). However, for optimum performance, Raritan recommends using JRE 1.5.0 (except, of course, for 1.5.0_02).
• Your system may require configuration adjustments depending on the operating system and browser.
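The JRE version rule stated above (1.4.2_05 or later, but never 1.5.0_02) can be checked from a shell before installing RSC. The following functions are an added example, not part of the Raritan guide; the function names are hypothetical and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: decide whether a JRE version string satisfies the RSC
# requirement quoted above (1.4.2_05 or later, but never 1.5.0_02).

# Extract the quoted version from the first line of `java -version` output,
# e.g.  java version "1.5.0_06"  ->  1.5.0_06
jre_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# Turn MAJOR.MINOR.PATCH[_UPDATE] into four space-separated decimal numbers.
# awk's %d conversion drops leading zeros, so "08" is never read as octal.
jre_split() {
    printf '%s\n' "$1" | awk -F'[._]' '
        NF < 3 || NF > 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/) exit 1
          printf "%d %d %d %d\n", $1, $2, $3, (NF == 4 ? $4 : 0) }'
}

# Return 0 if the version is usable with RSC, 1 if it is too old or is the
# excluded release, 2 if the string cannot be parsed.
rsc_jre_ok() {
    parts=$(jre_split "$1") || return 2
    [ -n "$parts" ] || return 2
    [ "$parts" = "1 5 0 2" ] && return 1    # the one excluded release
    set -- $parts
    # Compare field by field against the minimum, 1.4.2_05.
    for min in 1 4 2 5; do
        [ "$1" -gt "$min" ] && return 0
        [ "$1" -lt "$min" ] && return 1
        shift
    done
    return 0                                # exactly 1.4.2_05
}

# Constructed sample banners (not captured from a real system).
for banner in 'java version "1.4.2_04"' \
              'java version "1.5.0_02"' \
              'java version "1.5.0_06"'; do
    v=$(jre_version_from_banner "$banner")
    if rsc_jre_ok "$v"; then
        echo "$v: usable with RSC"
    else
        echo "$v: not usable with RSC"
    fi
done
```

On a real workstation, pass the first line of `java -version 2>&1` to `jre_version_from_banner` in place of the sample banners.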
2. Go to Advanced and open Environment Variables.
3. In the System variables section, click New.
4. In the New System Variable dialog, add JAVA_HOME to the Variable name block and the path you wrote down earlier in the Variable value block.
5. Click OK.
6. Select the PATH variable and click Edit.
7. Add %JAVA_HOME%\bin to the end of the current Variable value. Ensure a semicolon (;) separates the new value from the last value in the string.
8. Click OK.
9. Select the CLASSPATH variable and click Edit.
10. Ensure the CLASSPATH Variable value is configured properly; that is, its value must have a period (.) in it. If, for any reason, there is no CLASSPATH variable defined, create one.
Setting Linux OS Variables
If you want to set Java for a specific user, open and edit the .profile file located in the /home/Username folder. If you want to set Java for all users, open the .profile file in your /etc folder:
1. Find the line where you set your path:
export PATH=$PATH:/home/username/somefolder
2. Before that line you must set your JAVA_HOME and then modify your PATH to include it.
Installing Standalone RSC for Windows 3. These commands can either be typed at the terminal each time you log on, or you can add them to your .bashrc for bash shell or .cshrc for csh and tcsh so that each time you log on, the path is already set. See your shell documentation if you encounter problems. If the JRE is version 1.4.2_05 or later, proceed with the RSC installation. If the JRE is version 1.5.0_02 or is an older version than 1.4.2_05, go to the Sun website at (http://java.sun.
Note: The standalone version of Raritan Serial Console (RSC) is available from the Raritan Support website: http://www.raritan.com/support/sup_upgrades.aspx
7. Click Next. The Windows shortcut screen appears.
8. Specify the desired Program Group for the Shortcut.
9. Click Next. The installation finished screen appears.
10. Click Done.
Launching RSC on Windows Systems
1. Double‐click the shortcut or use Start Programs to launch the standalone RSC. The Raritan Serial Console Login connection properties window appears.
2. Enter the Dominion SX IP address, account information, and the desired target (port).
3. Click Start. The RSC opens with a connection to the port.
Note: In case of unrecognized characters or blurry screens that might appear in RSC window due to localization support, please try changing the font to Courier New. Go to: Emulator > Settings > Display, and select Courier New for Terminal Font Properties or GUI Font Properties.
Installing RSC for Sun Solaris and Linux
You must have administrative privileges to install RSC.
1.
c. Click Next when the installation is complete.
d. Click Next again. The installation is complete. The final page indicates where you will find an uninstaller program and provides the option to generate an automatic installation script.
6. Click Done to close the Installation dialog.
Launching RSC on Sun Solaris
1. Open a terminal window and change to the directory where you installed the RSC.
2. Type ./start.
Chapter 9 Security
There are a number of elements to consider when addressing security for console servers. The following are some of the Security aspects:
• Encrypting the data traffic sent between the operator console and the DSX unit.
• Providing authentication and authorization for users.
• Logging data relevant to the operation so it can later be viewed for auditing purposes. In some cases, this data is required for compliance with governmental or company regulations.
Security Settings
Choose the Security tab to bring up the security‐related tools. The Security Settings screen appears.
Login Settings
Choose Security > Login Settings. This panel includes Local Authentication, Login Handling, and Strong Password Settings.
Local Authentication
1. Go to the Local Authentication panel and click the Enable Local Authentication checkbox.
2.
• Invalid Login Retries: 3
• Lockout Period on Invalid Login (minutes): 5
3. Accept the system defaults or type your own.
Login Handling
1. Go to the Login Handling panel and enter a value in the User Idle Timeout (minutes) field. This is the length of inactive time, after which the user is timed out. Default is set to 10 (minutes).
2. To enable single login only, click the Single Login per User checkbox. Only one user can log in at a time using the same profile.
3.
Configure Kerberos
1. Click Enable Kerberos.
2. Type the name of the file you want for your Hosts File in the Hosts File field or click on the Browse drop‐down menu and select your file.
3. Type the name of the file you want for your Kerberos Configuration File in the Kerberos Configuration File field or click on the Browse drop‐down menu and select your file.
4.
Generate a Certificate Signing Request
To generate a Certificate Signing Request (CSR):
1. Choose Security > Certificate. The Certificate screen appears.
2. Click the checkbox labeled Generate a Certificate Signing Request.
3. Click on the drop‐down menu in the Bits field. Keep the 1024 default or change it to 512.
4.
Certificates
• Email address
5. To view the default certificate or the CSR, click the appropriate radio buttons.
6. Click OK. The CSR is generated.
Install a User Key
To install a user key on the DSX:
1. Choose Security > Certificate. The Certificate screen appears.
2. Click the checkbox labeled Install User Key.
3. Type the following information in the corresponding fields:
4.
1. Click the checkbox labeled Install User Certificate.
2. Type the following information in the corresponding fields:
• The IP address of the host with the certificate
• A login and password on the host
• The path and name of the file containing the certificate
3. Click OK.
SSL Client Certificate
SSL Security certificates are used in browser access to ensure that the device that you are attached to is the device that is authorized to be connected. See Appendix C: Certificates (see "Certificates" on page 259) for details on SSL Certificates. This section describes only how to configure the certificates, but you can find additional SSL Certificate information at: http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6r k.
Enabling Client Certificate Authentication
To enable Client Certificate Authentication:
1. Click Enable SSL Client Certification.
2. Click OK to enable the Client Certificate authentication.
Installing a New Trusted Certificate Authority
To install a new trusted Certificate Authority (CA) to the DSX, the CA certificate must be on an accessible FTP server.
1. Click Install Certificate Authority.
2. Fill in the data needed to retrieve the certificate from the FTP server.
3.
Adding a New Certificate Revocation List to the DSX
To add a new CRL to the DSX, the CRL list must be on an accessible FTP server.
1. Click Add Certificate Revocation List.
2. Fill in the fields to access the FTP Server. The CRL Name field should match the name that was used to add the CA. The URL field should be the numeric dot notation of the IP address of the HTTP server.
3. Click OK to add the CRL.
Banner
Dominion SX optionally supports a customizable (maximum 5000 words, 8 words per row) welcome banner that is displayed after login. The banner identifies where the user has logged into. In addition, there is the ability to add a consent banner that forces the user to accept the stated conditions prior to advancing into operation of the console server.
Note: When logged in to the DSX unit via GUI, a banner is displayed using a fixed width typeface and a common dimension like 80x25.
4. Locate and select the file that contains the Restricted Service Banner message you want to display on the DSX login screen.
5. Click OK.
Security Profiles
The DSX provides three security profiles that you can use. They simplify the assigning of permissions to users and groups by defining basic permissions that automatically apply to all users.
Firewall 3. Select the profile from the drop‐down menu in the Profile field. 4. Click OK. Edit the Custom Profile To edit the Custom profile: 1. Choose Security > Security Profiles. The Security Profiles screen appears. 2. Click the Edit Custom Profile link. The Edit Custom Security Profile screen appears. 3. Check one or all of the following fields. 4.
Enable the Firewall
To enable the firewall:
1. Choose Security > Firewall. The Firewall Screen appears. The Firewall screen displays the existing IPTables rules.
2. Click the check box labeled Enable Firewall.
3. Click OK.
Note: When you enable IP forwarding for Dual LAN units, use IPTables rules to create policies for traffic being forwarded between LAN interfaces.
Add an IPTables Rule
To add an IPTables rule:
1. Choose Security > Firewall. The Firewall Screen appears.
Note: Rules are added to the kernel using the IPTables command. These rules take effect immediately but persist permanently only after you click the Save button. If a mistake in the rules makes the unit inaccessible, the separate Save action allows you to recover from the mistake: reboot the system. If you did not Save the rules, you lose them in the reboot.
Chapter 10 Logging
This chapter explains how to enable and configure the various DSX logs.
In This Chapter
Configuring Local Event Logging
Configuring SMTP Logging
Configuring NFS Logging
Configuring SNMP Logging
Configuring Local Event Logging
Enable System Logging
This feature sends event log messages to a remote Syslog server. The messages from the Dominion SX unit are sent to the LOCAL0 channel of the Syslog server for more efficient parsing. To set this feature up:
1. Go to the System Logging panel and click the Enable System Logging checkbox. (To turn this feature off, clear this checkbox.)
2. Type the IP address of the remote Syslog server in the Primary IP Address field.
3.
Enable Port Logging
You need to configure port logging after you have enabled NFS logging (see “Configuring NFS Logging” below). This feature enables port data to be logged to a Network File System (NFS) server. This allows you to save and access the log files over a network. NFS supports file sharing, which means you can store the files on the network that you want other people to access, while keeping your secure files on the DSX unit.
5. Type the time interval (in seconds) between two updates of the port log file in the NFS Update Frequency (seconds) field. Data is buffered until the internal buffer is full or this timestamp occurs. Then the data is written to the file. This prevents severe network traffic on port activity where every character would trigger a write to the NFS server.
6. Type the subdirectory on the configured NFS server to write the output port data to in the Out Directory field.
The following is an example of an output file.
Configure Input Port Logging
To enable input port logging:
1. Go to the Input Port Logging panel and click the Enable Input Port Logging checkbox. (To turn this feature off, clear this checkbox.)
2. Type a directory for input in the In Directory field.
3. Click OK.
Configuring Encryption
To configure encryption:
1. Go to the Encryption panel and click the Encryption checkbox. (To turn this feature off, clear this checkbox.)
2.
Configuring SMTP Logging
To configure SMTP logging, choose Setup > Events. The SMTP Logging screen appears. This screen contains an SMTP Settings panel and a New SMTP Event panel.
Enable SMTP Logging
To enable SMTP logging:
1. Go to the SMTP Settings panel and click the Enable SMTP Server checkbox to enable SMTP logging.
2. Type the IP address of the SMTP server in the SMTP Server IP Address field.
3. Type the username and password in the Username and Password fields.
Select a New SMTP Event
To select a new SMTP event:
1. Go to the New SMTP Event panel and select the new event in the Event field. Available events include:
event.amp.notice.port.connection
event.amp.notice.user.logoff
event.amp.notice.backup
event.amp.notice.restore
event.amp.notice.config.directaccesslockout
event.amp.notice.reboot
event.amp.notice.boot
event.amp.notice.config.datacom
event.amp.notice.config
event.amp.notice.
2. Type the email address to send the event in the Destination field.
3. Click OK.
Test the SMTP Logging
It is important that the SMTP server information be accurate so that the Dominion SX unit can send messages using that SMTP server. To verify that the information is correct and working:
1. Send a test email by selecting an event such as: event.amp.notice.port.connection
2. Connect to a port and see if the message is received by the intended email target.
Configuring SNMP Logging You must also enable port logging. For more information on port logging, see “Enable Port Logging” above. Note: The NFS server must have the exported directory with write permission for the port logging to work. To configure NFS Logging: 1. Choose Setup > NFS. The NFS Settings screen appears. 2. Click the Enable NFS checkbox to enable NFS logging. 3.
2. Go to the SNMP Setting panel and click the Enable SNMP checkbox to enable the SNMP feature.
3. Type an SNMP public community in the Public Community field. The default is Public. The public community determines which SNMP management stations receive SNMP alerts.
4. Click OK.
Create a New SNMP Destination
SNMP destinations determine which SNMP management stations receive SNMP traps. To create a new SNMP destination:
1.
Chapter 11 Maintenance
The Dominion SX maintenance features presented in this chapter allow the administrator to perform the following tasks:
• Manage event logs.
• View configuration report.
• Backup and restore the Dominion SX unit settings.
• Upgrade firmware and track upgrade history.
• Reset to factory default settings.
• Reboot the unit.
In This Chapter
Managing the Local Event Log
Displaying a Configuration Report
Display the Local Event Log
To display the contents of the local event log, choose Maintenance > View Event Log. The event log is displayed. The following figure shows a typical event log.
Managing the Local Event Log Note: If the number of events in the log exceeds the size of one screen, a Next link is added under “Event Log” at the top of the screen to display the next page. For each event, the log gives the date and time the event was logged and a brief description.
Send the Event Log
To send the contents of the event log to a remote FTP server:
1. Choose Maintenance > Send Event Log. The Send Event Log screen appears.
2. Enter the IP address of the FTP server in the IP address field.
3. Enter a login name and password on the FTP server in the Login and Password fields. This is necessary to access the FTP server.
4. Enter the path to the location where the event log will be stored in the Remote Path field.
5.
Displaying a Configuration Report
The Configuration Report is a report that provides detailed information about the DSX unit. To display the report, choose Maintenance > Configuration Report.
2. In the IP Address field, type the IP address of the target FTP server where the backup will be written.
3. In the Login field, type the login name of the account on the system where the backup will be stored.
4. In the Password field, type the password of the account on the system where the backup will be stored.
5. In the Remote Path field, type the path to the backup file.
6. In the Remote File field, type the name of the file in which the backup will be saved.
7.
6. In the Remote File field, type the name of the file in which the restore will be saved.
7. Click OK.
Upgrading the DSX Firmware
You can display the version of the firmware currently running on the DSX, upgrade the firmware to a later version, and display a history of firmware upgrades.
Display the Current Firmware Version
To display the current version of firmware running on a DSX unit, choose Maintenance > Firmware Version. The Firmware Version screen appears.
Interrupting the upgrade procedure can cause memory corruption and render the unit non‐functional. Such an action may void your warranty or service contract, and in such a case unit repair/replacement costs are solely the responsibility of the user.
Note: Many upgrades can be performed "anonymously" from the FTP server.
To perform the upgrade:
1. Choose Maintenance > Firmware Upgrade. The Firmware Upgrade screen appears.
2.
Performing a Factory Reset on the DSX Note: If the upgrade fails, the system will display an error message detailing the failure. Display a Firmware Upgrade History To display the firmware upgrade history for a DSX unit, choose Maintenance > Firmware Upgrade History. The Firmware Upgrade History screen appears. It gives the version of each past firmware upgrade and the date and time the upgrade was performed.
Chapter 12 Diagnostics
The Diagnostics function provides the administrator with the tools to test the network and monitor processes. Click the Diagnostics tab to display the Diagnostics screen. It provides links to Network Infrastructure Tools and Administrator Tools.
In This Chapter
Network Infrastructure Tools
Administrator Tools ‐ Process Status
Network Infrastructure Tools
Status of Active Network Interfaces
1. Choose Diagnostics > Status of Active Network Interfaces. The system displays status information about the active network interfaces.
2. Click Refresh to update the information.
Network Statistics
1. Choose Diagnostics > Network Statistics. The system displays network statistics.
2. By default, all statistics are shown. To show specific statistics, select an entry from the drop‐down menu in the Options field.
• Interfaces
• Groups
• Statistics
• Program
3. Click Refresh to update the information.
Ping Host
1. Choose Diagnostics > Ping Host. The Ping Host screen appears.
2. Type the IP address of the host to be pinged in the IP Address field.
3. Click Ping. The screen displays the results of the ping.
Trace Route to Host
1. Choose Diagnostics > Trace Route to Host. The Trace Route to Host screen appears.
2.
Administrator Tools - Process Status
1. Choose Diagnostics > Process Status. The screen displays the results of your request.
2. Click Refresh to update the information.
Chapter 13 Command Line Interface
In This Chapter
Command Line Interface Overview
Accessing the Dominion SX Using CLI
SSH Connection to the Dominion SX
Telnet Connection to the Dominion SX
Local Port Connection to the Dominion SX
Command Line Interface Overview
The Dominion SX Serial Console supports all serial devices such as:
• Servers, including Windows Server 2003 when using the Emergency Management Console (EMS‐) Special Administration Console, or SAC with BIOS redirection in the server BIOS.
• Routers
• Layer 2 switches
• Firewalls
• Power strips
• Other user equipment.
The Dominion SX allows an Administrator or User to access, control, and manage multiple serial devices.
The following common commands can be used from all levels of the CLI shown in the preceding figure: top, history, logout, quit, show, and help.
Accessing the Dominion SX Using CLI
Access the Dominion SX by using one of the following methods:
• TELNET via IP connection
• HTTP and HTTPS via IP connection
• SSH (Secure Shell) via IP connection
• Local Port via RS‐232 serial interface
A number of SSH/TELNET clients are available and can be obtained from the following locations:
• PuTTY ‐ http://www.chiark.greenend.org.uk/~sgtatham/putty/
SSH Access from a UNIX/Linux Workstation
To open an SSH session from a UNIX/Linux workstation and log on as the user admin, enter the following command:
ssh -l admin 192.168.30.222
The Password prompt then appears. See the Login (on page 131) section for login information.
Telnet Connection to the Dominion SX
Because Telnet lacks security (user name, password and all traffic are sent in clear text on the wire), Telnet access is disabled by default.
Local Port Connection to the Dominion SX
Accessing Telnet from a Windows PC
To open a Telnet session from a Windows PC:
1. Choose Startup > Run.
2. Type Telnet in the Open text box.
3. Click OK. The Telnet window opens.
4. At the prompt enter the following command: Microsoft Telnet> open where is the Dominion SX IP address.
5. Press Enter. The following message appears: Connecting To ... The login as prompt then appears.
user name
See the Login (on page 131) section for login information.
To Change the Local Port Parameters:
The local port is enabled by default and is enabled on both serial ports for units with two local ports at 9600 bps.
The welcome message displays. You are now logged in as an Administrator. After reviewing the following Navigation of the CLI (on page 132) section, perform the initial configuration tasks.
Navigation of the CLI
Before using the CLI, it is important to understand CLI navigation and syntax. Additionally, there are combinations of keystrokes that simplify CLI use.
Completion of Commands
The CLI supports the completion of partially entered commands.
CLI Syntax - Tips and Shortcuts
Tips
• Commands are listed in alphabetical order.
• Commands are not case sensitive.
• Parameter names are single word without underscore.
• Commands without arguments default to show current settings for the command.
• Typing a question mark (?) after a command produces help for that command.
• A pipe symbol ( | ) indicates a choice within an optional or required set of keywords or arguments.
Show Command
The show command displays various configuration settings and is available at all levels.
Kernel Version : 2.4.12
PMON Version: 2.0.1
RSC Version: 1.0.0.1.16
Supporting software:
OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
HTTP Server version: Apache/2.2.0
HTTP Server built: Mar 29 2006 16:06:30
TELNET Linux NetKit 0.17
Initial Configuration
Dominion SX units come from the factory with default factory settings. When you first power up and connect to the unit, you must set the following basic parameters so the device can be accessed securely from the network:
1.
Date and Time Configuration
Note: It is important to set the date and time correctly to ensure that log entries and events contain the correct timestamp.
Return to the top menu level by entering the top command. Use the following command to view the current date and time settings:
Admin Port > Config > Time > clock
The system displays the current settings.
CLI Prompts
The Command Line Interface prompt indicates the current command level. The root portion of the prompt is the login name; for a direct admin serial port connection with a terminal emulation application, Admin Port is the root portion of a command:
admin >
For TELNET/SSH, admin is the root portion of the command:
admin > config > network >
CLI Commands
The table below lists and describes all available CLI commands.
ifconfig              Show detailed network configuration.
interface             Configure the Dominion SX network interface.
ipmi                  IPMI Configuration commands.
listports             List accessible ports.
Kerberos              Kerberos based Network Authentication
ldap                  LDAP Configuration.
localauthentication   Local Authentication Configuration.
logout                Logout of the current CLI session.
maintenance           Switch to System Maintenance commands.
top             Return to the root menu.
traceroute      Print the route to a remote system
upgrade         System command to upgrade the firmware.
upgradehistory  System command to show the upgrade history.
userlist        List users.
vieweventlog    Displays the local event log.
Security Issues
There are a number of elements to consider when addressing security for console servers:
• Encrypting the data traffic sent between the operator console and the Dominion SX unit.
Defining SSL Security Certificates
SSL Security certificates are used in browser access to ensure that the device you are attaching to is the device that is authorized to be connected. This section describes only how to configure the certificates on the console server. See Appendix C for details on SSL Certificates.
Command Language Interface Permissions
Administrators can execute all commands. Operators and Observers can only execute the following commands:
• connect (The port list will be displayed after returning from connect command.)
• ? (This functions as help.)
• logout
• password
• history
Target Connections and the CLI
The purpose of the Dominion SX is to let authorized users establish connections to various targeted devices using the connect command.
Set Escape Sequence
To set the Escape sequence, ensure that the default Escape sequence set on the Dominion SX server does not conflict with a key sequence required by either the Access Client or the host operating system. The Escape key sequence is user-configurable. Console sub-mode should be displayed when the default escape key sequence ^] (programmable) is pressed.
Configuring Authorization and Authentication (AA) Services
primaryldap
secondaryldap
radius
primaryradius
secondaryradius
tacacsplus
primarytacacs
secondarytacacs
Note: When configuring the LDAP server, the query string format on the server should contain the name of a group configured on the SX. When configuring the Radius server, the Filter-ID format for the users on the server should have the following format "raritan:G{GroupOnSX}:D{DialbackNumber}".
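The Filter-ID format in the note above can be checked on the RADIUS side before users are pointed at the SX. The following is an added example, not Raritan code: it assumes a FreeRADIUS-style users file with reply items indented under each user, treats an empty D{} as "no dialback number", and uses constructed user and group names.

```python
import re

# Format stated in the guide: raritan:G{GroupOnSX}:D{DialbackNumber}
FILTER_ID_RE = re.compile(r'^raritan:G\{([^{}]*)\}:D\{([^{}]*)\}$')
# Assumption: FreeRADIUS-style "users" file, reply items indented under the user.
ATTR_RE = re.compile(r'^\s+Filter-Id\s*[:+]?=\s*"([^"]*)"\s*,?\s*$')


def parse_filter_id(value):
    """Return (group, dialback or None); raise ValueError if malformed."""
    m = FILTER_ID_RE.match(value)
    if not m:
        raise ValueError("not in raritan:G{...}:D{...} form: %r" % value)
    group, dialback = m.groups()
    if not group:
        raise ValueError("empty group name: %r" % value)
    return group, (dialback or None)


def audit_users(text, sx_groups, require_dialback=False):
    """Audit a users file; return a list of (user, finding_code) tuples.

    sx_groups: group names configured on the SX (exact match is assumed).
    require_dialback: set True for users who authenticate over the modem.
    """
    by_lower = {g.lower(): g for g in sx_groups}
    findings = []
    seen = {}          # user -> True once a Filter-Id reply item was found
    user = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():           # unindented line starts a user entry
            user = line.split()[0]
            seen.setdefault(user, False)
            continue
        m = ATTR_RE.match(line)
        if not m or user is None:
            continue
        seen[user] = True
        try:
            group, dialback = parse_filter_id(m.group(1))
        except ValueError:
            findings.append((user, "malformed"))
            continue
        if group not in sx_groups:
            if group.lower() in by_lower:
                findings.append((user, "group-case-mismatch"))
            else:
                findings.append((user, "unknown-group"))
        if require_dialback and dialback is None:
            findings.append((user, "empty-dialback"))
    for name, has_filter_id in seen.items():
        if not has_filter_id:
            findings.append((name, "missing-filter-id"))
    return findings


# Constructed sample input (not from the guide).
SAMPLE_USERS = '''\
# constructed sample, FreeRADIUS "users" file style
alice  Cleartext-Password := "placeholder"
       Filter-Id = "raritan:G{Admin}:D{5551000}"

bob    Cleartext-Password := "placeholder"
       Filter-Id = "raritan:G{operators}:D{}"

carol  Cleartext-Password := "placeholder"
       Filter-Id = "raritan:G(Admin):D{5551002}"

dave   Cleartext-Password := "placeholder"
       Service-Type = Login-User
'''

if __name__ == "__main__":
    for user, code in audit_users(SAMPLE_USERS, {"Admin", "Operators"},
                                  require_dialback=True):
        print(user, code)
```
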
Command        Description
ldaps          Switches to the ldaps menu which includes the following commands:
               getservercert - FTP Retrieval of ldap certificate
               removecert - Remove LDAPS Certificate
               viewcert - View LDAPS Certificate
primaryldap    Used to configure the primary ldap settings.
secondaryldap  Used to configure the secondary ldap settings.
TACACSPLUS Command
The tacacsplus menu provides access to commands used to configure access to a TACACS+ server.
The syntax of the tacacsplus command is:
primarytacacs <>
Command Example
admin > Config > Authentication > radius > primarytacacs
Administering the Dominion SX Console Server Configuration Commands
Note: CLI commands are the same for SSH, Telnet, and Local Port access sessions.
Command  Description
add      Add an SMTP event.
delete   Delete an SMTP event.
smtp     Configure the SMTP server settings.
Configuring Log
Eventlogfile Command
The eventlogfile command controls and configures the logging of events to the local log.
The syntax of the eventlogfile command is:
eventlogfile [enable ] [size value] [style ]
The eventlogfile command options are described in the following table.
Command  Description
enable   Enable or disable the system event log logging.
Eventsyslog Command Example
admin > Config > Log > eventsyslog enable true primip 192.168.134.11 secip 192.168.245.11
nfsgetkey Command
The nfsgetkey command gets an NFS encryption key to be used for encrypting port log data. Use the key value as input to the nfssetkey command.
The syntax of the nfsgetkey command is:
nfsgetkey [type ]
The nfsgetkey command options are described in the following table.
key string  Provide key string to be used for encryption
Note: aes128 is not supported in 3.0.
Command Example
admin > Config > Log > nfssetkey type aes128 key D2F05B5ED6144138CAB920CD
NFS Encryption Enable Command
Enable port logging and encryption of data:
admin > Config > Log > portlog enable true encrypt true
Portlog Command
The portlog command enables and configures the logging of port data.
inputlog     Enable/Disable logging of user input data on the port. Input implies data sent to the target (that is, keystrokes entered by the user).
indir name   Filename for storing input log (SX1Input)
outdir name  Filename for storing output log (SX1Output). Output implies data sent from target to the DSX port.
encrypt      Enable/Disable Encryption of log data sent to the remote NFS Server.
2. admin > Config > Log > nfsgetkey type rc4
3. (cut and paste the response of this command into a file, such as: dsx-encrypt.key)
4. Retrieve decryption application and place it on the Linux machine, or compile its source.
5. Save the encryption key file (e.g. dsx-encrypt.key) in the same directory where the decryption application is stored.
6. Copy the encrypted portlog file to the same directory.
7. Decrypt the file using the command:
8. .
Vieweventlog Command
The vieweventlog command displays the local log file.
The syntax of the vieweventlog command is:
vieweventlog
Vieweventlog Command Example
admin > Config > Log > vieweventlog
Configuring Modem
The Modem menu provides access to commands used to configure modem access. Callback (dialback) occurs when the originator of a call is immediately called back in a second call as a response to the first dialin.
Modem Menu Command Examples
admin > Config > modem > dialin enable true serverip 10.0.13.211 clientip 10.0.13.212
admin > Config > modem > dialback enable true
admin > Config > modem > show modem
Modem Settings:
Dialin Enabled: 1
Server IP : 10.0.13.211
Client IP : 10.0.13.212
Dialback : Enabled
Dialback with local user
Before a modem connection can be established, the local user that is going to be used for dialin authentication should be configured.
Primary Server
Enabled - true
IP Address - 10.0.0.188
Port - 1812
Secret - qaz1wsx
On the Remote Radius Server, the user's configuration should contain the following line:
Filter-Id = "raritan:G{}:D{}"
Dialback with remote LDAP user. (OpenLdap v.2 & v.3)
Dialin and Dialback should be enabled on the device used for modem communication.
The Remote LDAP Server user's configuration should be:
Dialback with remote TACACS user. (Tacacs+ v.4.0.3a)
Dialin and Dialback should be enabled on the device used for modem communication. Primary (or/and Secondary) Tacacs Server Settings should be configured correctly and enabled on the SX device:
Primary Server
Enabled - true
IP Address - 10.0.0.
Note: All operations that normally trigger a reboot or prompt the user for feedback now accept a new parameter named force. This force parameter prevents reboot, prompting or both from taking place until all configurations are completed.
gw ipaddress  Gateway IP Address obtained from the IP administrator.
mode          Set Ethernet Mode to auto detect or force 100Mbps full duplex (100fdx)
Interface Command Example
The following command enables the interface number 1, sets the IP address, mask, and gateway addresses, and sets the mode to auto detect.
Admin Port > Config > Network > interface enable true if lan1 ip 192.16.151.12 mask 255.255.255 gw 192.168.51.
Ports Command
The ports command is used to configure the network ports.
Configuring Network Routeadd Command The routeadd command is used to add a route to the kernel routing table.
Getconfig Command
The getconfig command retrieves the script from an FTP server. This command appears only in the administrator's help menu. An administrator can write a script using the same sequence and commands that they would use within a normal CLI session (also known as a recorded session). The script could be used to set up common things amongst many Dominion SX units, such as remote authentication servers, users, and security settings.
Configuring NFS
The nfs command enables all keystrokes echoed from the target device to be logged to a remote NFS server located within the network. The logs can be reviewed at a later time.
admin > Config > NFS > nfs
The syntax of the nfs command is:
nfs [enable ] [primaryip primaryip] [secondaryip secondaryip] [primarydir primarydir] [secondarydir secondarydir]
The nfs command options are described in the following table.
Configuring Ports
Ports Configuration Menu
Target serial ports are configured from the CLI using the ports menu. In addition to the description of the physical nature of the ports, other services may also be defined. Those services are:
• The escape sequence used to disconnect from the port to access the emulator to send breaks or control multi user functions. (Example: Ctrl a)
• Set the exit string that is to be sent to the target when an idle timeout occurs.
Command          Description
flowcontrol      Port flowcontrol type (hw = hardware flow control, sw = X on / X off)
detect           Enable/Disable detection of port connection
escapemode       Use Ctrl-key (escapemode=control) or single key (escapemode=none) as escape sequence; for example, Ctrl-] => escapemode=control, escapechar=]
escapechar char  Escape character.
Command Example
admin > ports >config port 1 name ld1 bps 115200 parity odd flowcontrol hw detect true escapemode none emulation VT100
The following command displays the current settings for port 1:
admin > Config > Port > config port 1
Port number 1:
Name: Port1
BPS: 9600
Parity: 0
Flow control: 0
RSC Terminal Emulation: VT100
Disconnect: Disabled
Application: RaritanConsole
Exit String:
Escape: Control-]
DPA: IP: 0.0.0.
Authentication successful.
Port 1: Configuration Saved.
After entering the password, you have direct access to port 1, using the newly assigned IP specifically for port 1.
2. The following example configures DPA port settings for a group of ports (make sure a free range of IPs are available for dpa IP mode usage):
admin > Config > Port > config port 1-32 dpaip 10.0.13.200
or
admin > Config > Port > config port * dpaip 10.0.13.
In both cases above, port 1 will have ssh port 7000 and telnet port 8000 assigned for direct port access, port 2 will have ssh port 7001 and telnet port 8001, and so on.
Configuring Services Ports Keyworddelete Command The keyworddelete command removes an existing keyword.
dpa Command
The permitted TCP Port Range is 1024-64510. When run without the mode parameter, the system displays the current dpa type.
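The sequential assignment described earlier (port 1 on ssh 7000 / telnet 8000, port 2 on 7001 / 8001) combined with the 1024-64510 limit means a badly chosen base can run out of range or make the ssh and telnet blocks collide. The sketch below is an added example, not Raritan code; the function and parameter names are hypothetical, and reserving TCP 5000 is an assumption taken from the CSC/Discover port shown in the factoryreset sample output.

```python
DPA_MIN, DPA_MAX = 1024, 64510   # permitted TCP port range stated in the guide


def dpa_port_plan(base_ssh, base_telnet, nports, reserved=()):
    """Map serial port n (1-based) to (ssh_tcp, telnet_tcp).

    Serial port n gets base + (n - 1), matching the guide's 7000/8000 example.
    Raises ValueError if any TCP port leaves the permitted range, hits a
    reserved port, or is assigned twice (ssh and telnet blocks overlapping).
    """
    if nports < 1:
        raise ValueError("nports must be at least 1")
    plan, used = {}, {}
    for n in range(1, nports + 1):
        pair = (base_ssh + n - 1, base_telnet + n - 1)
        for proto, tcp in zip(("ssh", "telnet"), pair):
            owner = "serial port %d %s" % (n, proto)
            if not DPA_MIN <= tcp <= DPA_MAX:
                raise ValueError("%s: TCP %d outside %d-%d"
                                 % (owner, tcp, DPA_MIN, DPA_MAX))
            if tcp in reserved:
                raise ValueError("%s: TCP %d is reserved" % (owner, tcp))
            if tcp in used:
                raise ValueError("%s: TCP %d already used by %s"
                                 % (owner, tcp, used[tcp]))
            used[tcp] = owner
        plan[n] = pair
    return plan


def tcp_ranges(plan):
    """Collapse a plan into contiguous (first, last) TCP ranges, e.g. for the
    allow-list of a firewall placed in front of the unit."""
    ranges = []
    for tcp in sorted(p for pair in plan.values() for p in pair):
        if ranges and tcp == ranges[-1][1] + 1:
            ranges[-1][1] = tcp
        else:
            ranges.append([tcp, tcp])
    return [tuple(r) for r in ranges]


if __name__ == "__main__":
    # 32-port unit with the base ports used in the guide's example.
    plan = dpa_port_plan(7000, 8000, 32, reserved=(5000,))
    print(plan[1], plan[2], plan[32])
    print(tcp_ranges(plan))
    # Bases only 10 apart: the telnet block starts inside the ssh block.
    try:
        dpa_port_plan(7000, 7010, 32)
    except ValueError as exc:
        print("rejected:", exc)
```
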
dpa Command Example
The following example chooses the DPA IP mode IP:
admin > Config > Services > dpa mode IP
Note: When any changes are made over DPA mode and ports DPA configuration, the SX device needs to be rebooted to apply new settings. DPA changes will not be available until after the DSX is rebooted.
After a successful DPA connection, try the following:
ssh -l sx_user 10.0.13.1
Password:
Authentication successful.
Starting DPA for port 1
Authentication successful.
Group Settings:
Name: Anonymous
Class: Observer
Ports:
To configure Anonymous group settings go to config > user menu and execute the following command:
admin > Config > User > editgroup name Anonymous class op ports 1,2,3,4,5
Editing group...
Group Anonymous: Configuration Saved
The 'Anonymous' group is successfully configured.
DPA Anonymous access: The DPA is already configured. (See the DPA configuration settings section.) DPA Mode is IP, IP 10.0.13.
If option suppress is "none", authentication credentials are shown (username: password:).
configuration > ports > config port 1 suppress none
ssh -l Anonymous 10.0.13.240
Password:
Authentication successful.
Starting DPA for port 1
Authentication successful.
Escape Sequence is: Control-]
You are now master for the port.
Encryption Command
The encryption command sets the type of encryption for HTTPS.
Note: The factory default value of this protocol is SSL.
HTTP Command
The http command is used to control http access and redirection, and define the port.
The syntax of the http command is:
http [enable ] [port value] [redirect ]
The http command options are described in the following table.
HTTPS Command Example
admin > Config > Services > https
Https Settings:
Enabled : true
Port : 443
Logout Command
The logout command is used to log out of the current CLI session. You can log out at any command level.
LPA Command
The lpa command is used to display and set the local port access configuration. Dominion SX units have one or two local ports, depending on the model.
SSH Command
The syntax of the ssh command is:
ssh [enable ] [port value]
The ssh command options are described in the following table.
Command     Description
enable      Enable or disable SSH access.
port value  SSH server tcp listen port
SSH Command Example
admin > Config > Services > ssh enable true port 4
The system displays this message after entering the preceding command.
The system will need to be rebooted for changes to take effect.
Configuring SNMP
The Dominion SX server supports sending SNMP alerts to a predefined SNMP server. The Raritan SNMP MIB may be obtained from the FAQs in the support section of the Raritan web site. The following commands configure the SNMP features:
• add
• delete
• snmp
SNMP Add Command
The add command adds trap recipients. A recipient is an IP address with an optional space-separated port number. Traps may be sent to multiple ports with the same IP address.
SNMP Delete Command
The SNMP delete command deletes trap recipients. A recipient is an IP address with an optional space-separated port number. If a recipient with a port number is to be removed, include the port number in the delete command. Traps may be sent to multiple ports with the same IP address.
The syntax of the SNMP delete command is:
delete [dest ipaddress]
The SNMP delete command options are described in the following table.
Configuring Time
Time related configuration mode commands are:
• clock
• ntp
• timezonelist
Clock Command
The clock command lets the administrator set the time and date for the server.
The syntax of the clock command is:
clock [tz timezone] [datetime datetime-string]
The clock command options are described in the following table.
Command      Description
tz timezone  The timezone index is a number corresponding to the desired time zone.
NTP Command
The ntp command lets the administrator determine if a Network Time Protocol (NTP) server should be used to synchronize the SX clock to a reference.
The syntax of the command is:
ntp [enable ] [primip primip] [secip secip]
The command options are described in the following table.
Command        Description
enable         Enable or disable the use of NTP.
primip primip  The primary NTP server to use first.
Configuring Users
The following commands provide administrators with the ability to manage users:
• addgroup
• adduser
• deletegroup
• deleteuser
• editgroup
• edituser
• groups
• users
Addgroup Command
The addgroup command creates a group with common permissions.
Adduser Command
The adduser command is used to manage information about a specified user.
The syntax of the adduser command is:
adduser [user loginname] [fullname user's-fullname] [group name] [dialback phonenumber] [password password] [info user-information] [active ]
The adduser command options are described in the following table.
Command Example
admin > Config > User > deletegroup name unixgroup
Deleteuser Command
The deleteuser command is used to remove a specified user.
The syntax of the deleteuser command is:
deleteuser [user loginname]
The deleteuser command options are described in the following table.
Command         Description
user loginname  Login Name (Required)
Deleteuser Command Example
The following example shows how to delete a user.
sharing  Indicate whether port access is shared while the port is being utilized.
Command Example
admin > Config > User > editgroup name unixgroup class op ports 1,4 power 1,4
Edituser Command
The edituser command is used to manage information about a specified user.
Groups Command
The groups command shows the details of existing groups.
The syntax of the groups command is:
groups
Command Example
admin > Config > User > groups
Users Command
The users command shows the details of existing users.
The syntax of the users command is:
users
Users Command Example
admin > Config > User > users
Connect Commands
The connect commands provide a means to access ports and their history.
Command  Description
connect  Connect to a port.
Command      Description
powerstatus  Query Power status of this port.
powertoggle  Toggle Power On/Off of this port.
Configuring Power
The following power commands can be used to manage power strips attached to the Dominion SX.
Command      Description
associate    Associate a Power Strip outlet to a Dominion SX Port.
association  View Currently configured associations.
cycle        Power cycle specified ID.
off          Power off specified ID.
on           Power on specified ID.
Command     Description
ifconfig    Show detailed network configuration
netstat     Print network connections
ping        Ping a remote system
ps          Report system process status
traceroute  Trace the network route to a host.
            [-dnrv] [-m maxttl] [-p port#] [-q nqueries] [-s srcaddr] [-t tos] [-w wait] host [data size]
IPMI Commands
The IPMIDiscover and IPMITool commands provide the capability to work with IPMI-supported devices.
Command Example
admin> IPMI > ipmidiscover -t 20 10.0.22.1 10.0.22.10
Discovering IPMI Devices :
IPMI IP: 10.0.22.2
IPMI IP: 10.0.22.7
It is possible for the IP address range to span different subnets.
IPMITOOL
This command lets you manage the IPMI functions of a remote system. These functions include printing FRU information, LAN configuration, sensor readings, and remote chassis power control. The ipmitool command controls IPMI-enabled devices.
Command         Description
[-U ]           Remote server username, default is NULL user.
[-L ]           Force session privilege level. Can be CALLBACK, USER, OPERATOR, ADMIN. Default is ADMIN.
[-a|-E|-P|-f ]  -a Prompt for the remote server password.
                -E The remote server password is specified by the environment variable IPMI_PASSWORD.
                -P Remote server password is specified on the command line. If supported it will be obscured in the process list.
Command Description
raw - Send a RAW IPMI request and print response
i2c - Send an I2C Master Write-Read command and print response
lan - Configure LAN Channels
chassis - Get chassis status and set power state
power - Shortcut to chassis power commands
event - Send pre-defined events to MC
mc - Management Controller status and global enables
sdr - Print Sensor Data Repository entries and readings
sensor - Print detailed sensor information
fru - Print built-in
Command Example
The following command allows the user to get the chassis status and set the power state.
admin> IPMI > ipmitool -I lan -H 10.0.22.
Port names up to 23 characters are displayed. Longer portnames are truncated to 22 characters, with a $ sign at the end. The letter after the port name describes the state of each port.
Maintenance Commands
The maintenance commands are used by administrators to perform maintenance related tasks on the Dominion SX firmware.
Backup Command
The backup command makes a copy of the Dominion SX configuration and writes the backup onto an ftp server. The current SX device configuration is saved to the computer with the IP set in the command parameters in an encrypted format. All device settings are stored in the file EXCEPT network settings. The file can be recovered if a Restore operation becomes necessary.
Cleareventlog Command
The cleareventlog command clears the contents of the local event log.
The syntax of the cleareventlog command is:
Cleareventlog
Cleareventlog Command Example
admin > Config > Log > cleareventlog
Factoryreset Command
The factoryreset command returns the Dominion SX console server to its default factory settings.
The syntax of the factoryreset command is:
factoryreset
Command Example
admin > Maintenance > factoryreset
Network Settings:
Name: DominionSX
Domain : raritan.com
CSC Port: 5000
Discover Port: 5000
IP: 192.168.0.192
Net Mask : 255.255.255.0
Gateway : 192.168.0.192
Failover : true
Do you wish to commit these settings (no/yes) (default: no)
Firmware Command
The firmware command provides the versions of the firmware.
Command  Description
logoff   Force logoff (terminate) a user or port session.
Reboot Command
The reboot command restarts the Dominion SX console server. This command is only available to users with administrative privileges. All user sessions will be terminated without warning, and no confirmation will be required. It is highly recommended that you ask all users to log off before you reboot the unit. The userlist command can be used to display a list of connected users and sessions.
Password for the above account.
[path pathname]  Specifies the path to the backup file to be restored to a similar system with the same port density.
[file filename]  Specifies the name of the file in which the backup data was saved.
Restore Command Example
In the example below, the console server data is being retrieved from a system at IP address 192.168.51.220. The guest account and password are used.
Upgrade Command
Note: In order to perform an upgrade, there should be a configured remote ftp server.
The upgrade command upgrades one version of the system to another version, for example v2.5 to v3.0.
The syntax of the upgrade command is:
upgrade [ip ipaddress] [login login] [password password] [path pathname]
The command options are described in the following table.
Userlist Command
The userlist command displays a list of all users who are logged in, their source IP Addresses and any ports to which they are connected.
The syntax of the userlist command is:
userlist
Vieweventlog Command
The vieweventlog command displays the local log file.
Security Commands
Banner Command
The banner command controls the display of a security banner immediately after login.
The syntax of the banner command is:
banner [display ] [audit ]
The banner command options are described in the following table.
Command Example
admin > Security > Banner> ftpgetbanner ip 72.236.162.171 login raritan password acy path /ftphome/banner.txt
Certificate Command Menu
The certificate command menu provides the client and server commands to create and manage security certificates.
The syntax of the certificate command is:
certificate <>
Note: For a description of how to enable LDAP over SSL with a third-party certification authority, refer to http://support.microsoft.com/default.
Client Command Example
Enable SSL Client Certificates
admin > Security > certificate > clientcert enable true
Install Certificate Authority
admin > Security > certificate > add ip 10.0.0.189 login root password passwordword path /home/cert/SXCert file cacert.pem ca ca_test
Add Certificate Revocation List
admin > Security > certificate > addcrl ip 10.0.0.189 login root password pass path /home/cert/SXCert file demoCA.
Server Command Example
Install User Certificate
admin > Security > certificate > installusercert ip 10.0.0.189 login root password pass path /home/SXCert file sx.pem
Install User Key
admin > Security > certificate > installuserkey ip 10.0.0.189 login root password pass path /home/SXCert file sx.
IPtables Command
The iptables command is an administration tool for IPv4 packet filtering and Network Address Translation (NAT). The iptables command provides an interface to the linux iptables. The command parameters and options are the same as the linux system command.
The iptables command options are described in the following table.
Command   Description
-A input  Append one or more rules to specified chain.
iptables Command Examples
Iptables can be configured in many ways that are outside the scope of this document. The examples below show some simple configuration options created with iptables.
The following example enables a log for iptables:
admin > firewall > iptables -A INPUT -t filter -j LOG --log-prefix DOM_IPACL -m state --state NEW -s
Adding a default local rule
The default local rule is added as standard implementation in Dominion SX.
View the current iptables
To view the current iptables rule:
admin > Security > firewall > iptables --list
or
admin > Security > firewall > iptables -xvnL
Clear the iptables rules
To clear the iptables rules:
admin > Security > firewall > iptables --flush
Save the configured settings
To save the iptables rules into the local database:
admin > Security > firewall > iptables-save
Note: No spaces between iptables and save. Execute this command once you have configured all the settings.
Kerberos and DSX
DSX can use Kerberos authentication by using the following steps. As a result, Kerberos-based network mutual authentication and symmetric (a.k.a. private/secret) key cryptography can be achieved in the CLI and GUI of the DSX for remote user authentication. See the MIT Kerberos website for information about Kerberos, KDC, Kadmind, client machine setup, and the FAQs related to these topics.
1. Set your krb5.
Diagnostic Tips:
• Use the name command in the network menu to set the FQDN for DSX.
• Disable HTTP redirect from the services menu.
• Synchronize the time of the client machine, DSX machine, KDC and kadmind machines using the time menu and ntp option.
• The above 3 machines should be pingable by FQDN. Get the hosts file using gethostnamefile from the Kerberos menu.
• Use klist to check the ticket expiration.
Command                 Description
idletimeout             Set systemwide idletimeout.
inactiveloginexpiry     Configure local login expiry time.
invalidloginretries     Configure local login max number of retries.
localauth               Configure local authentication.
lockoutperiod           Lockout period on invalid login attempt.
singleloginperuser      Restrict to a single login session per user.
strongpassword          Configure strong password rules.
unauthorizedportaccess  Unauthorized (Anonymous) port access.
Command  Description
days     Number of days before account will expire for local users on inactivity
Command Example
admin > Security > LoginSettings > inactiveloginexpiry days 5
Invalidloginretries Command
The invalidloginretries command specifies the number of failed invalid login attempts before the account is deactivated.
Lockoutperiod Command
The lockoutperiod command defines the lockout period on invalid login attempts.
The syntax of the lockoutperiod command is:
lockoutperiod [time time]
The lockoutperiod command options are described in the following table.
Command    Description
time time  Period of time (in minutes) for which the user cannot login after account deactivation.
Strongpassword Command
The Dominion SX server supports both standard and strong passwords.
• Standard passwords have no rules associated with them; that is, they can be in any format and will not expire.
• Strong passwords increase the effectiveness of the password by setting rules around content, length and expiration dates.
• Strong passwords allow the administrator to pick the rules they want to implement from the following list.
Strongpassword Command Example
The following example sets the Strong Password rules in effect:
• Strong password is enabled.
• The minimum length of the password when you create a user is 6 symbols.
• The maximum length of the password is 30.
• The password will expire in 30 days.
• Number of password changes to be kept in history is 3 times.
• There should be at least one uppercase / numeric / other symbol, etc. in the password.
Portaccess Command Example
admin > Security > LoginSettings > portaccess share
admin > Security > LoginSettings > portaccess private
Securityprofiles Commands
The securityprofiles command menu provides access to the commands used to configure and control security profiles. The securityprofiles commands are listed in the table below.
Command           Description
profiledata       View or modify a Security Profile.
securityprofiles  Enable and select a Security Profile.
[timeout ]       Enable/Disable idle timeout.
[single ]        Enable/Disable single login per user.
[redirect ]      Enable/Disable redirection from HTTP to HTTPS.
[tls_required ]  Enable/Disable forcing of Transport Layer Security (TLS) on HTTPS.
Chapter 14 Intelligent Platform Management Interface
The Intelligent Platform Management Interface (IPMI) lets you manage the IPMI functions of a remote system.
In This Chapter
• Discover IPMI Devices
• IPMI Configuration
Discover IPMI Devices
To discover IPMI servers on the network:
1. Choose IPMI > Discover IPMI Devices. The Discover IPMI Devices screen appears.
2. You can leave the Options field blank, or you can enter -t timeout [seconds].
3. Type starting and ending IP addresses in the corresponding fields. The DSX will discover all IPMI devices within this range of IP addresses.
4. Click the IPMI Discover button.
IPMI Configuration
IPMI configuration lets you manage the IPMI functions of a remote system. These functions include printing FRU information, LAN configuration, sensor readings, and remote chassis power control.
1. Choose IPMI > IPMI Configuration to get IPMI configuration information.
2. Click the Help button to get IPMI configuration information, which appears on the IPMI Configuration screen.
Help:
ipmitool version 1.8.7
usage: ipmitool [options...
-H hostname     Remote host name for LAN interface
-p port         Remote RMCP port [default=623]
-U username     Remote session username
-f file         Read remote session password from file
-S sdr          Use local file for remote SDR cache
-a              Prompt for remote password
-e char         Set SOL escape character
-C ciphersuite  Cipher suite to be used by lanplus interface
-k key          Use Kg key for IPMIv2 authentication
-L level        Remote session privilege level [default=ADMINISTRAT
i2c      Send an I2C Master Write-Read command and print response
lan      Configure LAN Channels
chassis  Get chassis status and set power state
power    Shortcut to chassis power commands
event    Send pre-defined events to MC
mc       Management Controller status and global enables
sdr      Print Sensor Data Repository entries and readings
sensor   Print detailed sensor information
fru      Print built-in FRU and scan SDR for FRU locators
sel      Print System Event Log (SEL)
pef      Configure Platform Even
6. Type an option in the Option field.
7. Type a command in the Command field.
8. Click the IPMI Discover button. The system displays the results of your command.
Chapter 15 Power Control

Power Control lets you manage the power functions. The following topics are covered in this chapter:
• Power Control
• Associations Power Control
• Power Strip Power Control
• Power Strip Status

In This Chapter
Port Power Associations
Power Strip Configuration
Power Association Groups
2. Click Add. The Port Power Association screen appears.
3. Select the port from the drop-down menu in the Port field.
4. Select the power strip name from the drop-down menu in the Power Strip field.
5. Select the outlet to associate with the port from the drop-down menu in the Outlet field.
6. Click Add.

Note: It is not recommended to access the port associated with a power strip via RSC or Command Line Interface.
Delete a Port Power Association

To delete a port power association:
1. Choose Setup > Port Power Association List.
2. Click Add. The Port Power Association screen appears.
3. Select the association in the Outlet Association list.
4. Click Delete.

Power Strip Configuration

To configure a power strip:
1. Choose Setup > Power Strip Configuration.
2. Click Add. The Power Strip Configuration screen appears.
3. Type a name and description in the Name and Description fields.
2. Click Add. The Power Association Groups screen appears.
3. Type a name and description in the Group Name and Description fields.
4. Select the number of outlets from the drop-down menu in the Number of Outlets field.
5. Click OK.

Power Control

Click the Power Control tab to bring up the power control-related tools.
Associations Power Control

Choose Power Control > Associations Power Control to access the tool to manage power control associations.

Note: When executing a power on/off operation, about 5 seconds are added to the configured sequential interval, resulting in an operational delay time (minimum amount of time to operate). If power cycle is selected, all associated outlets will be powered off sequentially, and then powered on sequentially.
Power Strip Power Control

Choose Power Control > Power Strip Power Control to access the tool to manage power strips.
Power Strip Status

Choose Power Control > Power Strip Status to check power strip status.

CLI Command for Power Control

CLI Port Power Association

Description: Power Control menu - Associate a power strip outlet to a DSX port

Scenario #1 Port power association - add outlet
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) is physically connected to DSX named PowerStr1. User is in power menu.
Action: Type command. Press Enter.
CLI Input:
Command: associate port 1 powerstrip PowerStr1 outlet 1

Scenario #2 Port power association - associate 6 outlets to one port
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) is physically connected and configured to DSX named PowerStr1. User is in power menu.
Action: Type command - associate [port port] [powerstrip powerstrip] [outlet outlet] to associate Outlet1 to Port1. Press Enter. Repeat steps 3 and 4 for Outlet 2, 3, 4, 5 and 6.
Scenario #4 Port power association - associate one outlet to two ports
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) is physically connected and configured to the DSX named PowerStr1. User is in power menu.
Action: Enter command to associate Port1 to Outlet1 from PowerStr1. Press Enter. Enter command to associate Port1 to Outlet1 from PowerStr2. Press Enter.
CLI Input:
associate port 1 powerstrip PowerStr1 outlet 1
associate port 1 powerstrip PowerStr2 outlet 1

Scenario #7 Port power association - associate outlets from 6 different power strips to one port
Pre-condition: Administrator user is logged in via CLI.
Action: Enter command to edit outlet1 name of PowerStr1. Press Enter.
CLI Input:
outlet name PowerStr1 outlet 1 newname TestName

Remove Port Power Association

Description: Power Control Menu - Remove a power outlet association from a DSX port.

Scenario #1 Remove port power association
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) is physically connected and configured to DSX named PowerStr1. User is in power menu.
Action: Enter command.
Scenario #1 Configure a DSX port to contain a power strip device (the port is previously connected to a power strip)
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) is physically connected to Port1 of DSX. Administrator is in power menu.
Action: Enter command. Press Enter.
CLI Input:
Command: addpowergroup name "Test Group" description "Test group"

Scenario #2 Add a port to a power group
Pre-condition: Administrator user is logged in via CLI. Power strip device (DPX) named PowerStr1 is physically connected to Port1 of DSX. Administrator is in Power > PowerGroups menu.
Action: Enter command. Press Enter.
Scenario #5 Delete power group
Pre-condition: Administrator user is logged in via CLI. Power strip device (DPX) named PowerStr1 is physically connected to Port1 of DSX. Administrator is in Power > PowerGroups menu.
Action: Enter command. Press Enter.
CLI Input:
Command: deletepowergroup name "Test Group"

CLI Power Strip Power Control

Description: Power Control Menu

Scenario #1 Switch on/off a single Outlet
Pre-condition: Administrator user is logged in via CLI.
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) named PowerStr1 is physically connected to Port1 of DSX. Administrator is in power menu.
Action: Enter command. Press Enter.
CLI Input:
on powerstrip PowerStr1 outlet 1,3,7
off powerstrip PowerStr1 outlet 1,3,7

Scenario #4 Power recycle group of outlets
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) named PowerStr1 is physically connected to Port1 of DSX.
Action: Enter command to set sequence interval. Press Enter. Enter command to switch on group of outlets. Press Enter.
CLI Input:
powerdelay sequence 2
off powerstrip PowerStr1 outlet 1,3,7

Scenario #7 Power Recycle Interval
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) named PowerStr1 is physically connected to Port1 of DSX. Administrator is in power menu.
Action: Enter command to set sequence and power recycle interval. Press Enter.
Action: Select Port Association named Target2. Click on Power Recycle Interval and enter value. Press Recycle button.
CLI Input: Power Recycle Interval value: 1 sec.

Scenario #2 Association Power Control - Recycle Port Association (Target is associated to Two Outlets from one Power Strip)
Pre-condition: Administrator user is logged in via CLI. Power Strip device (DPX) named PowerStr1 is physically connected to Port1 of DSX.
Scenario #4 Association Power Control - Recycle Port Association (outlets in the association have different statuses)
Pre-condition: Administrator user is logged in via GUI. Two Power Strip devices (DPX) named PowerStr1 and PowerStr2 are physically connected to SX Ports. Port Power Association named Target2 is already created and available in the list. Outlet1 of PowerStr1 and Outlet2 of PowerStr2 are associated to Target2. Outlet1 and Outlet2 have different statuses.
Pre-condition: Administrator user is logged in via CLI. Administrator is in power menu. Group Association named Group1 (shown in Fig. 1) is already created. Outlets in Group1 have different statuses.
Action: Enter command. Press Enter.
CLI Input:
Command: on nodegroup Group1

Scenario #3 Turn OFF Group Association
Pre-condition: Administrator user is logged in via CLI. Administrator is in power menu. Group Association named Group1 (shown in Fig. 1) is already created.
CLI Input:
powerdelay sequence 2 cycle 5
cycle nodegroup Group1

Scenario #6 Recycle Group Association (outlets in association have different statuses)
Pre-condition: Administrator user is logged in via CLI. Administrator is in power menu. Group Association named Group1 (shown in Fig. 1) is already created. Outlets in Group1 have different statuses.
Action: Enter command. Press Enter.
Action: Enter command. Press Enter.
CLI Input:
powerdelay sequence 2 cycle 5
off port 3 nodegroup Group1

Scenario #10 Recycle Group and Port Association simultaneously
Pre-condition: Administrator user is logged in via CLI. Administrator is in power menu. Group Association named Group1 (shown in Fig. 1) is already created. Port3 is already associated with outlet8 of PowerStr1, which has been created and is available in the list.
Action: Enter command. Press Enter.
Result: Status of PDU should correctly display the following parameters:
• Power Consumption
• Average Power
• Apparent Power
• True RMS Voltage
• True RMS Current
• Maximum Current
• Status of the outlet breaker
• Internal Temperature

Scenario #2 Status of Power Strip that is actually turned off or disconnected
Pre-condition: Administrator user is logged in via CLI. Power strip device (DPX) named PowerStr1 is disconnected from Port1 or turned off. Administrator is in Power menu.
Pre-condition: Administrator user is logged in via CLI. Power strip device (DPX) named PowerStr1 is physically connected to Port1 of DSX. Outlet1 and Outlet2 are associated with Port1. Outlet1 and Outlet2 have status "ON". Administrator is in Power menu.
Action: Check the current status of outlets - outlet1 is turned on. Remove Outlet1 and Outlet2 from outlet association to Port1. Go to Power menu and check the status of outlet1.
Appendix A Specifications

This appendix contains sections describing:
• DSX models and specifications
• Requirements and tested browser requirements
• DSX hardware for connecting DSX to common vendor models
• DSX Serial RJ-45 pinouts
• DB9 and DB25 Nulling Serial Adapter Pinouts
• DSX Terminal ports

In This Chapter
Dominion SX Models and Specifications
Requirements
Dominion SX Models and Specifications

MODEL         Ports   Built-In Modem   # of Local Ports   # of Ethernet Ports   Power Supply
DSXB-8-M      8       Yes              1                  1                     Single AC
DSXA-16       16      Yes              1                  1                     Dual AC
DSXA-16-DL    16      No               2                  2                     Dual AC
DSXA-16-DLM   16      Yes              1                  2                     Dual AC
DSXA-32       32      Yes              1                  1                     Dual AC
DSXA-32-AC    32      No               2                  1                     Dual AC
DSXA-32-DL    32      No               2                  2                     Dual AC
DSXA-32-DLM   32      Yes              1                  2                     Dual AC
DSXA-48       48      Yes              1                  2                     Dual AC
DSXA-48-AC    48      No               2                  2                     Dual AC

The following table lists the Domini
MODEL         DIMENSIONS (W) x (D) x (H)                     WEIGHT
DSXA-16       17.32" x 11.41" x 1.75"; 440 x 290 x 44 mm     8.28 lbs; 3.756 kg
DSXA-16-DL    17.32" x 11.41" x 1.75"; 440 x 290 x 44 mm     8.58 lbs; 3.86 kg
DSXA-16-DLM   17.32" x 11.41" x 1.75"; 440 x 290 x 44 mm     8.58 lbs; 3.86 kg
DSXA-32       17.32" x 11.41" x 1.75"; 440 x 272 x 44 mm     8.40 lbs; 3.78 kg
DSXA-32-AC    17.32" x 11.41" x 1.75"; 440 x 290 x 44 mm     8.40 lbs; 3.78 kg
DSXA-32-DL    17.32" x 11.41" x 1.75"; 440 x 290 x 44 mm     8.78 lbs; 3.
Part Number     Description
CSCSPCS-1       1' (0.3m) Cat5e adapter cable (RJ45 Male to RJ45 Female) to connect Dominion SX to Raritan remote power control unit
CSCSPCS-1-5PK   Package of 5 CSCSPCS-1 (1'; 0.3m) adapter cables (RJ45 Male to RJ45 Female) to connect Dominion SX to Raritan remote power control unit
RUST-LM304      19" (482.6mm) standard rack mount brackets for DSX4, DSXB-4-M, DSX8, and DSXB-8-M

Only RoHS and WEEE compliant units are available in the EU and other selected areas.
Requirements        Description
Approvals           CE, FCC Part 15 Class A, US and Canadian UL, VCCI-A
Remote Connection
  Network           One (1) or two (2) 10/100 Ethernet Base-T; RJ-45 connection
  Protocols         TCP/IP, PPP, PAP, HTTP, HTTPS, SSL, SSH, TACACS+, LDAP(S), RADIUS, SNMP, Kerberos
Warranty            Two Years with Advanced Replacement*

*To qualify for advanced replacement under the standard warranty, you must register the product at http://Raritan.com/standard_warranty
PLATFORM         BROWSER
                 Netscape 7.1
Slackware 10.2   FireFox 1.5.0.6
FreeBSD 6.1      FireFox 1.5.0.7

Connectivity

The following table lists the necessary Dominion SX hardware (adapters and/or cables) for connecting the Dominion SX to common Vendor/Model combinations.
Vendor    Device       Console Connector   Serial Connection
Sun       Netra T1     RJ-45               CRLVR-15 cable; or CRLVR-1 adapter and a CAT5 cable
Sun       Cobalt       DB9M                ASCSDB9F adapter and a CAT 5 cable
Various   Windows NT   DB9M                ASCSDB9F adapter and a CAT 5 cable
Raritan   RPCU         RJ-45               CSCSPCS-10 cable or CSCSPCS-1 adapter cable

Contact your reseller or Raritan Support for further information on cables and adapters.
Dominion SX Serial RJ-45 Pinouts

Go to the following link to find the latest information about the Dominion SX serial pinouts (RJ-45). http://www.raritan.
RJ-45 (female)   DB25 (female)
1                5
2                6, 8
3                3
4                1
5                7
6                2
7                20
8                4

DB25M Nulling Serial Adapter Pinouts

RJ-45 (female)   DB25 (male)
1                5
2                6, 8
3                3
4                1
5                7
6                2
7                20
8                4
Dominion SX Terminal Ports

All Dominion SX models, except the DSX16 and DSX32, have the same pinouts on the two DB9M serial ports. This applies to models with two serial ports. All dual-LAN (dual-power) models have one RJ-45 serial port. The DSX16 and DSX32 models have only one external DB9M serial port (labeled TERMINAL).
DB9M PIN   SIGNAL
1
2          RxD
3          TxD
4          DTR (H)
5          GND
6
7          RTS (H)
8
9

Dominion SX16 and SX32 Terminal Ports

A modem should not be connected to the DSX16 and DSX32 terminal port because the Ring Indicator (RI) signal is not present. These models have a built-in modem that can be enabled or disabled. The modem is disabled by default.
Here is some additional information about the Dominion SX16 and SX32 Terminal Ports:
• Pins 1 and 9 are used to factory reset units shipped after August 2004.
• Units shipped prior to August 2004 have the DB9M port labeled RESERVED (not TERMINAL/RESERVED), since this port was used to factory reset the unit, with a Factory reset adapter shipped with each SX unit. Pins 1 and 6 were used for factory reset.
Appendix B System Defaults

This appendix contains the system defaults and directions for port access.

Item          Default
IP Address    192.168.0.192
Subnet Mask   255.255.255.
Item           Default
Serial Ports
  Baud Rate    9600
  Parity       None
  Flow Control None

Use the following information for initiating port access:

Initiate port access using   Ports kept open or closed directions
HTTP                         Ports 80, 443 and 5000 must be kept open in the firewall for the unit to operate. Port 5000 can be configured.
Appendix C Certificates

This appendix contains sections describing Certificates and Certificate Authority and provides directions about how to:
• Install Dominion SX CA Certificate to a Browser Certificate
• Install SX Server Certificate for IE Browsers
• Install SX Server Certificate for Netscape Navigator
• Install a Third Party Root Certificate In Browsers
• **Generate a CSR for a Third Party CA to sign.
• **Install Third Party Certificate to SX.
Default SX Certificate Authority Settings

The Server Certificate generated in the Dominion SX unit must be installed in the browser in order for the browser to trust the Server Certificate. Each time you access an SSL-enabled Dominion SX unit, you see a New Site Certificate window. You can accept this on a per-session basis or you can eliminate this window's appearance by accepting a session certificate permanently.
3. Type Username and Password when prompted, and log on to the unit.
4. Choose the Security tab and then click the Certificate link.
5. Click the View Default Certificate radio button and select OK. A dialog opens asking to open, save, or cancel the viewing of the certificate. Select save and add the file extension ".cer", e.g. CA_ROOT.cer.
6. Open the CA_ROOT.cer file by double-clicking it. This will open the certificate.
7.
2. Choose Content > Certificates. The Certificates Manager window appears.
3. Scroll through the list of certificates and select the certificate to be deleted. The Certificate will normally be installed in the Other People tab and will be identified by the name, which should be the IP address of the Dominion SX.
4. Click Remove. A message dialog will appear.
5. Click Yes to delete the certificate.
6. Click Close on the Certificates dialog to close it.
7.
Install Dominion SX Server Certificate for Netscape Navigator

By installing the Dominion SX Server certificate in Netscape, you can prevent the Security Alert window from appearing whenever you access the Dominion SX Unit. This step will have to be performed for each Dominion SX unit that you wish to access from each client's browser.

Accept a Certificate (Session-Based)

On initially connecting to a Dominion SX unit, you will be presented with a certificate warning screen.
3. In the Manage Certificates section, click the Manage Certificates... button. This displays Certificate Manager.
4. Select the Web Sites tab and select the certificate name that is the common name of the IP address of the Dominion SX, and select the Delete button.
5. Click OK on the Delete Web Site Certificates window to confirm the deletion of the certificate.
6. On the left side of this window, locate Certificates and click Web Sites.
7. Click OK on the Options Advanced Window.
VeriSign Incorporated   http://www.verisign.com/

Note: Some CAs will provide the root certificate code in text format rather than providing a downloadable root certificate. If this occurs, select the root certificate code, copy it, and follow the steps outlined in the section Install the Raritan Root Certificate, then follow the steps outlined below.
9. Find the name of the CA whose certificate you are installing. There may be more than one listing for your CA. Select the listing with the same name as the certificate you are trying to install.
10. Click Delete and then click OK.
11. Return to the CA's Web site and try to download the root certificate again and follow steps 1 through 5 again.

Generate a CSR for a Third Party CA to sign

In order to have a third party CA certificate (e.g.
5. Send the generated CSR to a third party CA to get it signed.
6. CA returns a Signed Certificate built from the CSR.
7. Install the certificate to Dominion SX.
8. Reboot the Dominion SX unit.

If the CSR is generated by an external source:
1. Generate a CSR for the Dominion SX by an external computer.
2. Send this CSR to the third party CA to get it signed.
3. CA returns a Signed Certificate built from the CSR.
4.
Install Client Root Certificate into the Dominion SX

In order for Client Certificates to be recognized as valid by the SX, the Root Certificate of the CA that signed the Client Certificates must be installed on the SX unit with the following steps:
1. Retrieve CA's Root certificate used to sign the client certificates and place it on an accessible FTP server.
2. Choose Security > SSL Client Certificates.
3. Select Install Certificate Authority.
4.
Install Client Certificate into Internet Explorer

Installing client certificate into Internet Explorer mostly follows the steps described in the following link: http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6rk.mspx?mfr=true

Import Certificates for LDAP

The Dominion SX will only properly add binary encoded certificates to the local certdb.
3. Click the Remote Authentication button.
4. Click the LDAPS Certificate Settings link.
5. Fill in IP, username, password and path to the LDAPS Certificate.
6. If the certificate is ASCII encoded, select ASCII. If it is a binary certificate file, select binary.
7. Enter a unique name for this certificate to be stored on the Dominion SX.
8. Click the OK button and the Dominion SX should retrieve the specified certificate file with supplied credentials.
Import Certificates from Dominion SX via CLI

A user with Administrator privileges can do the following to import certificates for LDAP. Type the configuration command and issue the following commands:

Config > Authentication > LDAP > LDAPS >getservercert ip login password path / file ROOT_BIN.
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
Fingerprint (SHA1): DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
Signature Algorithm: PKCS #1 MD2 With RSA Encryption
Signature:
65:dd:7e:e1:b2:ec:b0:e2:3a:e0:ec:71:46:9a:19:11:
b8:d3:c7:a0:b4:03:40:26:02:3e:09:9c:e1:12:b3:d1:
5a:f6:37:a5:b7:61:03:b6:5b:16:69:3b:c6:44:08:0c:
88:53:0c:6b:97:49:c7:3e:35:dc:6c:b9:bb:aa:df:5c:
bb:3a:2f:93:60:b6:a9:4b:4d:f2:20:f7:cd:5f:7f:64:
7b:8e:dc:00:5c:d7:fa:77:ca:39:16:59:6f:0e:ea:d3:
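The LDAPS import steps above ask whether the certificate file is ASCII or binary encoded, and the listing shows fingerprints in colon-separated form. The following Python script is an added example, not part of this guide or of the Dominion SX software: it checks a certificate file before upload, reports which option applies, and prints a fingerprint in the same form. It assumes that "ASCII" means PEM (base64 between BEGIN/END CERTIFICATE lines) and "binary" means DER; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

# PEM ("ASCII") certificates wrap base64-encoded DER between these marker lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def is_single_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE: tag 0x30 and a length
    field that accounts for every remaining byte (this catches truncation)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, body = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == header + body


def classify_certificate(data: bytes):
    """Return (option, der): option is "ASCII" or "binary", the choice to make
    in the LDAPS Certificate Settings step. Raises ValueError on bad input."""
    match = PEM_RE.search(data)
    if match:
        b64 = b"".join(match.group(1).split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
        if not is_single_der_sequence(der):
            raise ValueError("PEM body does not decode to a DER structure")
        return "ASCII", der
    if is_single_der_sequence(data):
        return "binary", data
    raise ValueError("file is neither PEM nor DER; it may be truncated")


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case digest of the DER bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: a tiny DER SEQUENCE of two INTEGERs, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, blob in (("sample.der", SAMPLE_DER), ("sample.pem", SAMPLE_PEM)):
        option, der = classify_certificate(blob)
        print(f"{name}: select {option}; SHA1 {fingerprint(der)}")
```

Comparing the fingerprint computed on the workstation with the one listed after import confirms that the stored certificate is the file you intended to upload.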
Appendix D Server Configuration

This appendix contains sections describing the steps to configure Dominion SX units and authentication servers for the following authentication protocols:
• Microsoft Internet Authentication Service (IAS) RADIUS Server
• Cisco Access Control Server (ACS) RADIUS Server
• TACACS+ (Terminal Access Controller Access-Control System Plus)

In This Chapter
Microsoft IAS RADIUS Server
Configure the Dominion SX to Use an IAS RADIUS Server

The tasks to set up the Dominion SX unit to use an IAS RADIUS server are:
• Configure a Primary RADIUS Server (and optional secondary RADIUS server)
• Configure a RADIUS port
• Configure a secret (shared secret) that will be matched in the IAS client configuration within IAS.

The following example shows a simple setup based on a new IAS installation.
Add Dominion SX to the client list:
1. From the Internet Authentication Service, right-click on RADIUS Clients and select New RADIUS Client.
2. Type a friendly name and the IP address of the DSX unit.
3. Select the RADIUS Standard in the Client-Vendor drop-down menu, and type a Shared Secret that matches the Dominion SX configuration.

Create an IAS Policy

The following section describes the steps to create a policy to allow RADIUS users to access the Dominion SX.
Note: This version of Dominion SX does not support Challenge Authentication Protocol (CHAP).

11. Select the Advanced tab. Remove Framed-Protocol.

Note: Each policy has conditions that must be met. If the conditions are not met, then IAS goes to the next policy and examines its conditions.

12. Click the Add... button. The RADIUS attributes list appears.
13. Select Filter-Id Name and click the Add button. Click Add in the Attribute values section.
18. Ensure that the Active Directory / Local account for the user has Dial In access enabled in their user profile. If the Windows 2000 Domain server is in Native Mode and IAS is registered with the Active Directory, you can set the User Profile > Dial In setting to use Remote Access Policies.

Cisco ACS RADIUS Server

The Cisco Access Control Server (ACS) is another authentication solution supported by the Dominion SX unit.
5. Click Authenticate Using drop-down menu and select RADIUS (IETF).
6. Click Submit.
7. Click Interface Configuration in the left panel of the screen.
8. Click the RADIUS (IETF) link to edit properties.
9. Under the User and Group columns, place a checkmark in the check boxes before Filter-Id.
10. Click Submit.
11. To add new users and configure RADIUS (IETF) attributes, click User Setup in the left panel of the screen.
12.
Note: If there is more than one RADIUS user requiring the same authorization on the Dominion SX, the Filter-Id attribute and its value can be defined at the group level on the Cisco ACS as long as these users belong to the same group.

TACACS+ Server Configuration

The Dominion SX unit has the capability to use Terminal Access Controller Access-Control System Plus (TACACS+) for authentication services.
CiscoSecure ACS

These instructions are written for CiscoSecure ACS version 3.2.

Note: Refer to the following URL: http://cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007cd49.html#12231

1. Add Dominion SX as a client on Cisco ACS TACACS+.
2. Select Interface Configuration.
3. Select TACACS+ (Cisco IOS).
4. Add dominionsx service under the heading New Services.
5. When adding or editing a user or group, the dominionsx service will appear under the heading TACACS+ Settings. The service can be enabled per user or per group by selecting the dominionsx and Custom Attributes check boxes. Add the attributes (user-type) and the appropriate values to the text box.

Note: The value for the user-group attribute is case sensitive, so ensure that it exactly matches the local group name on the Dominion SX unit.
Active Directory

Microsoft Active Directory uses the LDAP protocol natively, and can function as an LDAP server and authentication source for Dominion DSX. See the following Microsoft URL for information about active directory: http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

If you choose LDAP authentication protocol, complete the LDAP fields as follows:
• Default Port / User Defined Port
By default, LDAP uses port 389.
Appendix E Modem Configuration

In This Chapter
Client Dial-Up Networking Configuration
Windows NT Dial-Up Networking Configuration
Windows 2000 Dial-Up Networking Configuration
Windows XP Dial-Up Networking Configuration
2. Click New in the Dial-Up Networking dialog. The New Phonebook Entry dialog allows you to configure the details of this connection.
3. Click the Basic tab and complete the following fields:
Entry name - Name of the Dominion SX connection.
Phone number - Phone number of the line attached to the Dominion SX.
Dial using - Modem being used to connect to Dominion SX; if there is no entry here, there is no modem installed in your workstation.
4. Click the Security tab. The Security section allows you to specify the level of security to use with the modem connection. When connecting to the Dominion SX, security is provided by SSL/ with RC4 encryption, therefore no dial-up security is required.
5. Click the "Accept any authentication including clear text" radio button.
6. Click OK to return to the main Dial page.
7. Click Dial. See the Windows NT Users Guide if you receive any error messages.

Windows 2000 Dial-Up Networking Configuration

1. Choose Start > Programs > Accessories > Communications > Network and Dial-Up Connections.
2. Double-click the Make New Connection icon when the Network and Dial-Up Connections window appears.
3. Click Next and follow the steps in the Network Connection Wizard dialog to create custom dial-up network profiles.
4. Click the "Dial-up to private network" radio button and click Next.
5. Select the checkbox before the modem that you want to use to connect to the Dominion SX and then click Next.
6. Type the area code and phone number you wish to dial in the appropriate fields.
7. Click the Country/region code drop-down arrow and select the country or region from the list.
8. Click Next. The Connection Availability dialog appears.
9. Click the "Only for myself" radio button in the Connection Availability dialog.
10. Click Next. The Network Connection has been created.
11. Type the name of the Dial-up connection.
12. Click Finish.
13. Click Dial to connect to the remote machine when the Dial dialog appears. A dialog indicating that a successful connection has been established will appear. Consult the Windows 2000 Dial-up Networking Help if you receive any error messages.

Windows XP Dial-Up Networking Configuration

1.
4. Click the "Set up my connection manually" radio button and click Next.
5. Click the radio button before "Connect using a dial-up modem" and click Next.
6. Type a name to identify this particular connection in the ISP Name field and click Next.
7. Type the phone number for the connection in the Phone number field and click Next.
8. Type your ISP information. Type the user name and password in the appropriate fields, and retype the password to confirm it.
9. Click the checkbox before the appropriate option below the fields and click Next.
10. Click Finish.
11. Click Dial to connect to the remote machine when the Dial dialog appears. A dialog indicating that you connected successfully appears. If you get any errors, consult Windows XP Dial-up Networking Help.

Note: The maximum modem speed connecting to the Dominion SX is 33,600 bps, as it is a Linux default limitation.
Appendix F Troubleshooting

The following tables describe problems and suggested solutions for the problems.

In This Chapter
Page Access
Firewall
Login
Port Access
Problem: DNS Error/Server Unreachable
Solution: When attempting to connect to the Dominion SX URL using Microsoft IE, a web page may appear indicating a DNS error and reading that the server is unreachable. Remove any installed Dominion SX certificates and restart the browser.

Problem: Unsupported Encryption
Solution: The unit supports only 128-bit SSL encryption. In Internet Explorer, view Help > About Internet Explorer and determine the maximum SSL bit strength for the browser.
Login

Problem: Login Failure
Solution: Firewalls must be configured to allow connections using the Dominion SX configurable port network parameter (Default 51000). If the firewall does not allow these connections, the applet indicates that the login has failed. Contact your system administrator and request that connections be allowed on the configurable port.

Problem: SSL Security Warnings
Solution: The unit embeds its Internet Address (IP) in its SSL certificate.
Port Access

Problem: Port Access Refresh
Solution: The unit does not automatically refresh the Port Access list. It is refreshed only when the user clicks Port Access. Therefore, a user can have permissions revoked without the change being visible on the port access screen until the Port Access button is activated. You must log out and log in again for the new restriction to be applied. After that, the restricted ports are no longer visible.
Upgrade

Problem: Insufficient Partition Size
Solution: The latest 3.1.0.5.7 firmware applies only to Dominion SX models DSX-16 and DSX-32 (purchased before August 2004). This version also supports use with CC-SG 3.1 (CommandCenter Secure Gateway) or higher. Note that an attempt to upgrade the firmware to the latest 3.1.0.5.7 version is aborted if the DSX unit is detected to have a partition size of less than 32 MB.
Problem: Upgrade failed in dual-LAN units
Solution: While upgrading dual-LAN units from 2.5.x versions, an error message appears stating "The upgrade has failed. Please check your upgrade directory and/or your connections, and try again." (See the figure below for details.) To complete the upgrade properly, do not reboot the unit when the message appears; instead, re-apply the upgrade pack.
Modem

Problem: Login Failure
Solution: The unit supports Web-browser access through the modem at connection speeds of 28.8K bps or greater. If the baud rate is insufficient, the user may be unable to log on to the unit via the modem. 28.8K bps minimum connection speed is recommended for browser-based modem authentications (login). For CLI-based access, using SSH or Telnet, speed as low as 9600 bps is adequate.
• U.S./Canada/Latin America
Monday - Friday 8 a.m. - 8 p.m. ET
Phone: 800-724-8090 or 732-764-8886
For CommandCenter NOC: Press 6, then Press 1
For CommandCenter Secure Gateway: Press 6, then Press 2
Fax: 732-764-8887
Email for CommandCenter NOC: tech-ccnoc@raritan.com
Email for all other products: tech@raritan.com
• China
Beijing
Monday - Friday 9 a.m. - 6 p.m.