- DL manuals
- Raritan
- Security System
- Home Security System
- User Manual
Raritan Home Security System User Manual
Summary of Home Security System
Page 1
Copyright © 2010 raritan, inc. Cca-0k-v4.3-e december 2009 255-80-5140-00 commandcenter secure gateway administrators guide release 4.3.
Page 2
This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of raritan, inc. © copyright 2009 raritan, inc., commandcenter®, domi...
Page 3: Contents
Iii contents what's new in the cc-sg administrators guide xvi chapter 1 introduction 1 prerequisites .................................................................................................................................. 1 terminology/acronyms ................................................
Page 4
Contents iv how to create associations .............................................................................................. 22 adding, editing, and deleting categories and elements.............................................................22 add a category...................................
Page 5
Contents v delete a device group ...................................................................................................... 54 adding devices with csv file import .......................................................................................... 54 devices csv file requirements ....
Page 6
Contents vi about interfaces................................................................................................................. 78 viewing nodes ............................................................................................................................. 78 nodes tab .....
Page 7
Contents vii chapter 9 users and user groups 129 the users tab ........................................................................................................................... 130 default user groups ............................................................................................
Page 8
Contents viii using custom views in the admin client ..................................................................................155 custom views for nodes .................................................................................................155 custom views for devices................
Page 9
Contents ix navigate multiple page reports ......................................................................................181 print a report................................................................................................................... 181 save a report to a file.............
Page 10
Contents x chapter 15 advanced administration 206 configuring a message of the day ............................................................................................206 configuring applications for accessing nodes..........................................................................207...
Page 11
Contents xi security manager....................................................................................................................... 234 remote authentication ....................................................................................................234 aes encryption...........
Page 12
Contents xii edit network interfaces configuration (network interfaces) ........................................... 275 ping an ip address ..........................................................................................................276 use traceroute .......................................
Page 13
Contents xiii cc-sg and client for ipmi, ilo/riloe, drac, rsa .....................................................318 cc-sg and snmp...........................................................................................................318 cc-sg internal ports.......................................
Page 14
Contents xiv appendix c user group privileges 321 appendix d snmp traps 330 appendix e csv file imports 332 common csv file requirements..............................................................................................333 audit trail entries for importing ...................................
Page 15
Contents xv node information ....................................................................................................................... 353 location information .................................................................................................................. 354 contact...
Page 16: What'S New In The Cc-Sg
Xvi the following sections have changed or information has been added to the commandcenter secure gateway administrators guide based on enhancements and changes to the equipment and/or documentation. • discover and add devices (on page 15) • add user groups and users (on page 19) • add a kvm or seri...
Page 17
What's new in the cc-sg administrators guide xvii • configuring power control of power iq it devices (on page 306) • cc-sg clustering (on page 315) see the release notes for a more detailed explanation of the changes applied to this version of the commandcenter secure gateway..
Page 19: Chapter 1
1 the commandcenter secure gateway (cc-sg) administrators guide offers instructions for administering and maintaining your cc-sg. This guide is intended for administrators who typically have all available privileges. Users who are not administrators should see raritan's commandcenter secure gateway ...
Page 20
Chapter 1: introduction 2 terminology/acronyms terms and acronyms found in this document include: access client - html-based client intended for use by normal access users who need to access a node managed by cc-sg. The access client does not allow the use of administration functions. Admin client -...
Page 21
Chapter 1: introduction 3 ghosted ports - when managing paragon devices, a ghosted port can occur when a cim or target server is removed from the system or powered off (manually or accidentally). See raritan's paragon ii user guide. Hostname - can be used if dns server support is enabled. See about ...
Page 22
Chapter 1: introduction 4 node groups - a defined group of nodes that are accessible to a user. Node groups are used when creating a policy to control access to the nodes in the group. Ports - connection points between a raritan device and a node. Ports exist only on raritan devices, and they identi...
Page 23: Chapter 2
5 you can access cc-sg in several ways: • browser: cc-sg supports numerous web browsers (for a complete list of supported browsers, see the compatibility matrix on the raritan support website). • thick client: you can install a java web start thick client on your client computer. The thick client fu...
Page 24
Chapter 2: accessing cc-sg 6 jre incompatibility if you do not have the minimum required version of jre installed on your client computer, you will see a warning message before you can access the cc-sg admin client. The jre incompatibility warning window opens when cc-sg cannot find the required jre...
Page 25
Chapter 2: accessing cc-sg 7 5. To check the setting in cc-sg: choose administration > security. In the encryption tab, look at the browser connection protocol option. If the https/ssl option is selected, then you must select the secure socket layer ssl checkbox in the thick client's ip address spec...
Page 26
Chapter 2: accessing cc-sg 8 cc-sg admin client upon valid login, the cc-sg admin client appears..
Page 27
Chapter 2: accessing cc-sg 9 • nodes tab: click the nodes tab to display all known target nodes in a tree view. Click a node to view the node profile. Interfaces are grouped under their parent nodes. Click the + and - signs to expand or collapse the tree. Right-click an interface and select connect ...
Page 28: Chapter 3
10 upon the first login to cc-sg, you should confirm the ip address, set the cc-sg server time, and check the firmware and application versions installed. You may need to upgrade the firmware and applications. Once you have completed your initial configurations, proceed to guided setup. See configur...
Page 29
Chapter 3: getting started 11 date - click the drop-down arrow to select the month, use the up and down arrows to select the year, and then click the day in the calendar area. Time - use the up and down arrows to set the hour, minutes, and seconds, and then click the time zone drop-down arrow to sel...
Page 30
Chapter 3: getting started 12 2. Select an application name from the list. Note the number in the version field. Some applications do not automatically show a version number. To upgrade an application: if the application version is not current, you must upgrade the application. You can download the ...
Page 31: Chapter 4
13 guided setup offers a simple way to complete initial cc-sg configuration tasks once the network configuration is complete. The guided setup interface leads you through the process of defining associations, discovering and adding devices to cc-sg, creating device groups and node groups, creating u...
Page 32
Chapter 4: configuring cc-sg with guided setup 14 associations in guided setup create categories and elements to create categories and elements in guided setup: 1. In the guided setup window, click associations, and then click create categories in the left panel to open the create categories panel. ...
Page 33
Chapter 4: configuring cc-sg with guided setup 15 discover and add devices the discover devices panel opens when you click continue at the end of the associations task. You can also click device setup, and then click discover devices in the guided tasks tree view in the left panel to open the discov...
Page 34
Chapter 4: configuring cc-sg with guided setup 16 14. If you are manually adding a powerstrip device, click the number of ports drop-down arrow and select the number of outlets the powerstrip contains. 15. If you are adding an ipmi server, type an interval, used to check for availability, and an aut...
Page 35
Chapter 4: configuring cc-sg with guided setup 17 3. There are two ways to add devices to a group, select devices and describe devices. The select devices tab allows you to select which devices you want to assign to the group by selecting them from the list of available devices. The describe devices...
Page 36
Chapter 4: configuring cc-sg with guided setup 18 select nodes a. Click the select nodes tab in the node group: new panel. B. In the available list, select the node you want to add to the group, and then click add to move the node into the selected list. Nodes in the selected list will be added to t...
Page 37
Chapter 4: configuring cc-sg with guided setup 19 add user groups and users the add user group panel opens when you click continue at the end of the create groups task. You can also click user management, and then click add user group in the guided tasks tree view in the left panel to open the add u...
Page 38
Chapter 4: configuring cc-sg with guided setup 20 13. Select the login enabled checkbox if you want the user to be able to log in to cc-sg. 14. Select the remote authentication checkbox only if you want the user to be authenticated by an outside server, such as tacacs+, radius, ldap, or ad. If you a...
Page 39: Chapter 5
21 in this chapter about associations ..................................................................................21 adding, editing, and deleting categories and elements ........................22 adding categories and elements with csv file import..........................23 about associatio...
Page 40
Chapter 5: associations, categories, and elements 22 policies also use categories and elements to control user access to servers. For example, the category/element pair location/america can be used to create a policy to control user access to servers in america. See policies for access control. (see...
Page 41
Chapter 5: associations, categories, and elements 23 select string if the value is read as text. Select integer if the value is a number. 5. In the applicable for field, select whether this category applies to: devices, nodes, or device and nodes. 6. Click ok to create the new category. The new cate...
Page 42
Chapter 5: associations, categories, and elements 24 categories and elements csv file requirements the categories and elements csv file defines the categories, their associated elements, their type, and whether they apply to devices, nodes or both. • all category and categoryelement records are rela...
Page 43
Chapter 5: associations, categories, and elements 25 sample categories and elements csv file add, category, os, string, node add, categoryelement, os, unix add, categoryelement, os, windows add, categoryelement, os, linux add, category, location, string, device add, categoryelement, location, aisle ...
Page 44
Chapter 5: associations, categories, and elements 26 export categories and elements the export file contains comments at the top that describe each item in the file. The comments can be used as instructions for creating a file for importing. To export categories and elements: 1. Choose administratio...
Page 45: Chapter 6
27 to add raritan powerstrip devices that are connected to other raritan devices to cc-sg, see managed powerstrips (on page 69). Note: to configure ilo/riloe devices, ipmi devices, dell drac devices, ibm rsa devices, or other non-raritan devices, use the add node menu and add these items as an inter...
Page 46
Chapter 6: devices, device groups, and ports 28 viewing devices the devices tab click the devices tab to display all devices under cc-sg management. Each device's configured ports are nested under the devices they belong to. Devices with configured ports appear in the list with a + symbol. Click the...
Page 47
Chapter 6: devices, device groups, and ports 29 icon meaning serial port unavailable ghosted port (see raritan's paragon ii user guide for details on ghosting mode.) device paused device unavailable power strip outlet port blade chassis available blade chassis unavailable blade server available blad...
Page 48
Chapter 6: devices, device groups, and ports 30 note: for blade servers without an integrated kvm switch, such as hp bladesystem servers, their parent device is the virtual blade chassis that cc-sg creates, not the kx2 device. These servers will be sorted only within the virtual blade chassis device...
Page 49
Chapter 6: devices, device groups, and ports 31 the device profile includes tabs that contain information about the device. Associations tab the associations tab contains all categories and elements assigned to the node. You can change the associations by making different selections. See association...
Page 50
Chapter 6: devices, device groups, and ports 32 2. Choose devices > device manager > topology view. The topology view for the selected device appears. Click + or - to expand or collapse the view. Right click options in the devices tab you can right-click a device or port in the devices tab to displa...
Page 51
Chapter 6: devices, device groups, and ports 33 discovering devices discover devices initiates a search for all devices on your network. After discovering the devices, you may add them to cc-sg if they are not already managed. To discover devices: 1. Choose devices > discover devices. 2. Type the ra...
Page 52
Chapter 6: devices, device groups, and ports 34 adding a device devices must be added to cc-sg before you can configure ports or add interfaces that provide access to the nodes connected to ports. The add device screen is used to add devices whose properties you know and can provide to cc-sg. To sea...
Page 53
Chapter 6: devices, device groups, and ports 35 6. Type the time (in seconds) that should elapse before timeout between the new device and cc-sg in the heartbeat timeout (sec) field. 7. When adding a dominion sx or dominion kx2 version 2.2 or later device, the allow direct device access checkbox ena...
Page 54
Chapter 6: devices, device groups, and ports 36 14. If the firmware version of the device is not compatible with cc-sg, a message appears. Click yes to add the device to cc-sg. You can upgrade the device firmware after adding it to cc-sg. See upgrading a device (on page 59). Add a powerstrip device ...
Page 55
Chapter 6: devices, device groups, and ports 37 if you do not see the category or element values you want to use, you can add others. See associations, categories, and elements (on page 21). 8. When you are done configuring this device, click apply to add this device and open a new blank add device ...
Page 56
Chapter 6: devices, device groups, and ports 38 adding notes to a device profile you can use the notes tab to add notes about a device for other users to read. All notes display in the tab with the date, username, and ip address of the user who added the note. If you have the device, port, and node ...
Page 57
Chapter 6: devices, device groups, and ports 39 deleting a device you can delete a device to remove it from cc-sg management. Important: deleting a device will remove all ports configured for that device. All interfaces associated with those ports will be removed from the nodes. If no other interfac...
Page 58
Chapter 6: devices, device groups, and ports 40 6. Click the access application drop-down menu and select the application you want to use when you connect to this port from the list. To allow cc-sg to automatically select the correct application based on your browser, select auto-detect. 7. Click ok...
Page 59
Chapter 6: devices, device groups, and ports 41 editing a port you can edit ports to change various parameters, such as port name, access application, and serial port settings. The changes you can make vary, based on port type and device type. Note: you can also edit dominion kx2 port settings by us...
Page 60
Chapter 6: devices, device groups, and ports 42 deleting a port delete a port to remove the port entry from a device. When a port is down, the information in the port profile screen is read-only. You can delete a port that is down. Important: if you delete a port that is associated with a node, the ...
Page 61
Chapter 6: devices, device groups, and ports 43 blade chassis without an integrated kvm switch a blade chassis without an integrated kvm switch, such as hp bladesystem series, allows each blade server to connect to kx2 respectively via a cim. As each blade server in that chassis has a cim for access...
Page 62
Chapter 6: devices, device groups, and ports 44 3. Cc-sg automatically creates a virtual blade chassis and adds the blade chassis icon in one tab. Note that a virtual blade chassis never appears as a node in the nodes tab. In the devices tab, the virtual blade chassis device appears beneath the kx2 ...
Page 63
Chapter 6: devices, device groups, and ports 45 to configure slots using the configure blades command: 1. In the devices tab, click the + next to the kx2 device that is connected to the blade chassis device. 2. Select the blade chassis device whose slots you want to configure. 3. Choose nodes > conf...
Page 64
Chapter 6: devices, device groups, and ports 46 deleting slots on a blade chassis device you can delete unused blade servers or slots so they do not appear in the devices and nodes tabs. To delete a slot from the delete ports screen: 1. In the devices tab, click the + next to the kx2 device that is ...
Page 65
Chapter 6: devices, device groups, and ports 47 delete a blade chassis device you can delete a blade chassis device connected to a kx2 device from cc-sg. When you delete the blade chassis device from the kx2 device, the blade chassis device and all configured blade servers or slots disappear from th...
Page 66
Chapter 6: devices, device groups, and ports 48 2. Change the blade port group for these blade servers to a non-blade port group. A. In cc-sg, choose devices > device manager > launch admin. The kx2 admin client opens. B. Click port group management. C. Click the blade port group whose group propert...
Page 67
Chapter 6: devices, device groups, and ports 49 7. In the location and contacts tab, select the checkbox for the information you want to copy: select the copy location information checkbox to copy the location information displayed in the location section. Select the copy contact information checkbo...
Page 68
Chapter 6: devices, device groups, and ports 50 if the group was formed based on common attributes, the describe devices tab will appear, showing the rules that govern selection of the devices for the group. To search for a device in the device group list, type a string in the search field at the bo...
Page 69
Chapter 6: devices, device groups, and ports 51 3. Select the create full access policy for group checkbox to create a policy for this device group that allows access to all devices in the group at all times with control permission. 4. To add another device group, click apply to save this group, the...
Page 71
Chapter 6: devices, device groups, and ports 53 7. Click view devices to see what nodes satisfy this expression. A devices in device group results window opens, displaying the devices that will be grouped by the current expression. This can be used to check if the description was correctly written. ...
Page 72
Chapter 6: devices, device groups, and ports 54 delete a device group to delete a device group: 1. Choose associations > device groups. The device groups manager window opens. 2. Existing device groups appear in the left panel. Select the device group you want to delete. The device group details pan...
Page 73
Chapter 6: devices, device groups, and ports 55 devices csv file requirements the devices csv file defines the devices, ports, and their details required to add them to cc-sg. • for devices that support power strips connected to a port (sx, kx, kx2, ksx2), configuring the port will configure the pow...
Page 74
Chapter 6: devices, device groups, and ports 56 column number tag or value details 9 tcp port default is configured in the admin client in administration > configuration > device settings tab. 10 configure all ports true or false default is true for dominion px devices. Default is false for all othe...
Page 75
Chapter 6: devices, device groups, and ports 57 column number tag or value details use " outlet " for configuring outlets on a px device. 5 port or outlet number required field. 6 port or outlet name optional. If left blank, a default name or the name already assigned at the device level will be use...
Page 76
Chapter 6: devices, device groups, and ports 58 column number tag or value details 2 device- categoryelement enter the tag as shown. Tags are not case sensitive. 3 device name required field. 4 category name required field. 5 element name required field. Sample devices csv file add, device, dominion...
Page 77
Chapter 6: devices, device groups, and ports 59 5. Check the actions area to see the import results. Items that imported successfully show in green text. Items that failed import show in red text. Items that failed import because a duplicate item already exists or was already imported also show in r...
Page 78
Chapter 6: devices, device groups, and ports 60 5. A message appears. Click yes to restart the device. A message appears when the device has been upgraded. 6. To ensure that your browser loads all upgraded files, close your browser window, and then login to cc-sg in a new browser window. Backing up ...
Page 79
Chapter 6: devices, device groups, and ports 61 restoring device configurations the following device types allow you to restore a full backup of the device configuration. • kx • ksx • kx101 • sx • ip-reach kx2, ksx2, and kx2-101 devices allow you to choose which components of a backup you want to re...
Page 80
Chapter 6: devices, device groups, and ports 62 restore all configuration data except network settings to a kx2, ksx2, or kx2-101 device the protected restore option allows you to restore all configuration data in a backup file, except network settings, to a kx2, ksx2, or kx2-101 device. You can use...
Page 81
Chapter 6: devices, device groups, and ports 63 restore all configuration data to a kx2, ksx2, or kx2-101 device the full restore option allows you to restore all configuration data in a backup file to a kx2, ksx2, or kx2-101 device. To restore all configuration data to a kx2, ksx2, or kx2-101 devic...
Page 82
Chapter 6: devices, device groups, and ports 64 3. Click upload. Navigate to and select the device backup file. The file type is .Rfp. Click open. The device backup file uploads to cc-sg and appears in the page. Copying device configuration the following device types allow you to copy configurations...
Page 83
Chapter 6: devices, device groups, and ports 65 restarting a device use the restart device function to restart a device. To restart a device 1. Click the devices tab and select the device you want to restart. 2. Choose devices > device manager > restart device. 3. Click ok to restart the device. 4. ...
Page 84
Chapter 6: devices, device groups, and ports 66 2. Choose devices > device manager > resume management. The device icon in the device tree will indicate the device's active state. Device power manager use the device power manager to view the status of a powerstrip device (including voltage, current,...
Page 85
Chapter 6: devices, device groups, and ports 67 disconnecting users administrators can terminate any user's session on a device. This includes users who are performing any kind of operation on a device, such as connecting to ports, backing up the configuration of a device, restoring a device's confi...
Page 86
Chapter 6: devices, device groups, and ports 68 ip-reach and ust-ip administration you can perform administrative diagnostics on ip-reach and ust-ip devices connected to your paragon system setup directly from the cc- sg interface. After adding the paragon system device to cc-sg, it appears in the d...
Page 87: Chapter 7
69 there are three ways to configure power control using powerstrips in cc-sg. 1. All supported raritan-brand powerstrips can be connected to another raritan device and added to cc-sg as a powerstrip device. Raritan- brand powerstrips include dominion px and rpc powerstrips. Check the compatibility ...
Page 88
Chapter 7: managed powerstrips 70 configuring powerstrips that are managed by another device in cc-sg in cc-sg, managed powerstrips can be connected to one of the following devices: • dominion kx • dominion kx2 • dominion kx2-101 • dominion sx 3.0 • dominion sx 3.1 • dominion ksx • dominion ksx2 • p...
Page 89
Chapter 7: managed powerstrips 71 configuring powerstrips connected to kx, kx2, kx2-101, ksx2, and p2sc cc-sg automatically detects powerstrips connected to kx, kx2, kx2- 101, ksx2, and p2sc devices. You can perform the following tasks in cc-sg to configure and manage powerstrips connected to these ...
Page 90
Chapter 7: managed powerstrips 72 delete a powerstrip connected to a kx, kx2, kx2-101, ksx2, or p2sc device you cannot delete a powerstrip connected to a kx, kx2, kx2-101, ksx2, or p2sc device from cc-sg. You must physically disconnect the powerstrip from the device to delete the powerstrip from cc-...
Page 91
Chapter 7: managed powerstrips 73 10. For each category listed, click the element drop-down menu and select the element you want to apply to the device. Select the blank item in the element field for each category you do not want to use. See associations, categories, and elements (on page 21). Optio...
Page 92
Chapter 7: managed powerstrips 74 configuring powerstrips connected to sx 3.1 you can perform the following tasks in cc-sg to configure and manage powerstrips connected to sx 3.1 devices. • add a powerstrip connected to an sx 3.1 device (on page 74) • move an sx 3.1's powerstrip to a different port ...
Page 93
Chapter 7: managed powerstrips 75 move an sx 3.1's powerstrip to a different port when you physically move a powerstrip from one sx 3.1 device or port to another sx 3.1 device or port, you must delete the powerstrip from the old sx 3.1 port and add it to the new sx 3.1 port. See delete a powerstrip ...
Page 94
Chapter 7: managed powerstrips 76 3. Choose devices > port manager > configure ports. To configure multiple outlets with the default names shown in the screen, select the checkbox for each outlet you want to configure, and then click ok to configure each outlet with the default name. To configure ea...
Page 95: Chapter 8
77 this section covers how to view, configure, and edit nodes and their associated interfaces, and how to create node groups. Connecting to nodes is covered briefly. See raritan's commandcenter secure gateway user guide for details on connecting to nodes. In this chapter nodes and interfaces overvie...
Page 96
Chapter 8: nodes, node groups, and interfaces 78 node names node names must be unique. Cc-sg will prompt you with options if you attempt to manually add a node with an existing node name. When cc- sg automatically adds nodes, a numbering system ensures that node names are unique. See naming conventi...
Page 97
Chapter 8: nodes, node groups, and interfaces 79 node profile click a node in the nodes tab to open the node profile page. The node profile page includes tabs that contain information about the node..
Page 98
Chapter 8: nodes, node groups, and interfaces 80 interfaces tab the interfaces tab contains all the node's interfaces. You can add, edit, and delete interfaces on this tab, and select the default interface. Nodes that support virtual media include an additional column that shows whether virtual medi...
Page 99
Chapter 8: nodes, node groups, and interfaces 81 control system server nodes, such as vmware's virtual center, include the control system data tab. The control system data tab contains information from the control system server that is refreshed when the tab opens. You can access a topology view of ...
Page 100
Chapter 8: nodes, node groups, and interfaces 82 service accounts service accounts overview service accounts are special login credentials that you can assign to multiple interfaces. You can save time by assigning a service account to a set of interfaces that often require a password change. You can...
Page 101
Chapter 8: nodes, node groups, and interfaces 83 add, edit, and delete service accounts to add a service account: 1. Choose nodes > service accounts. The service accounts page opens. 2. Click the add row icon to add a row to the table. 3. Enter a name for this service account in the service account ...
Page 102
Chapter 8: nodes, node groups, and interfaces 84 2. Find the service account whose password you want to change. 3. Enter the new password in the password field. 4. Re-type the password in the retype password field. 5. Click ok. Note: cc-sg updates all interfaces that use the service account to use t...
Page 103
Chapter 8: nodes, node groups, and interfaces 85 adding, editing, and deleting nodes add a node to add a node to cc-sg: 1. Click the nodes tab. 2. Choose nodes > add node. 3. Type a name for the node in the node name field. All node names in cc-sg must be unique. See naming conventions (on page 353)...
Page 104
Chapter 8: nodes, node groups, and interfaces 86 nodes created by configuring ports when you configure the ports of a device, a node is created automatically for each port. An interface is also created for each node. When a node is automatically created, it is given the same name as the port to whic...
Page 105
Chapter 8: nodes, node groups, and interfaces 87 adding location and contacts to a node profile enter details about the location of the node, and contact information for the people who administer or use the node. To add location and contacts to a node profile: 1. Select a node in the nodes tab. The ...
Page 106
Chapter 8: nodes, node groups, and interfaces 88 configuring the virtual infrastructure in cc-sg terminology for virtual infrastructure cc-sg uses the following terminology for virtual infrastructure components. Term definition example control system the control system is the managing server. The co...
Page 107
Chapter 8: nodes, node groups, and interfaces 89 virtual nodes overview you can configure your virtual infrastructure for access in cc-sg. The virtualization page offers two wizard tools, add control system wizard and add virtual host wizard, that help you add control systems, virtual hosts, and the...
Page 108
Chapter 8: nodes, node groups, and interfaces 90 enter a username and password for authentication. Maximum 64 characters each. 8. To allow users who access this control system to automatically log into the vi client interface, select the enable single sign on for vi client checkbox. Optional. 9. Cli...
Page 109
Chapter 8: nodes, node groups, and interfaces 91 leave these fields blank if you prefer to add names and login credentials to each interface individually. The interface will take the name of the node if the field is left blank. A. Enter names for interfaces. Maximum 32 characters. Virtual host vi cl...
Page 110
Chapter 8: nodes, node groups, and interfaces 92 4. Click add virtual host. 5. Hostname/ip address: enter the ip address or hostname of the virtual host. Maximum 64 characters. 6. Connection protocol: specify http or https communications between the virtual host and cc-sg. 7. Tcp port: enter the tcp...
Page 111
Chapter 8: nodes, node groups, and interfaces 93 use ctrl+click or shift+click to select multiple virtual machines that you want to add. In the check/uncheck selected rows section, select the virtual machine checkbox. To add a vnc, rdp, or ssh interface to the virtual host nodes and virtual machine ...
Page 112
Chapter 8: nodes, node groups, and interfaces 94 one node for each virtual host. Each virtual host node has a vi client interface. Virtual host nodes are named with their ip addresses or host names. Edit control systems, virtual hosts, and virtual machines you can edit the control systems, virtual h...
Page 113
Chapter 8: nodes, node groups, and interfaces 95 10. For each interface type, enter a name and login credentials. The name and login credentials will be shared by all the interfaces added to each virtual machine node and virtual host node configured. Optional. You can leave these fields blank if you...
Page 114
Chapter 8: nodes, node groups, and interfaces 96 delete a virtual machine node there are two ways to delete virtual machine nodes: • use the delete node feature. See delete a node (on page 86). • deselect the configure checkbox for the virtual machine. See edit control systems, virtual hosts, and vi...
Page 115
Chapter 8: nodes, node groups, and interfaces 97 2. In the list of nodes, select the nodes you want to synchronize. Use ctrl+click to select multiple items. 3. Click synchronize. If the virtual infrastructure had changed since the last synchronization, the information in cc-sg updates. The configure...
Page 116
Chapter 8: nodes, node groups, and interfaces 98 3. Click reboot or force reboot. Accessing the virtual topology view the topology view is a tree structure that shows the relationships of the control system, virtual hosts, and virtual machines associated with the selected node. You must have the dev...
Page 117
Chapter 8: nodes, node groups, and interfaces 99 pinging a node you can ping a node from cc-sg to make sure that the connection is active. To ping a node: 1. Click the nodes tab, and then select the node you want to ping. 2. Choose nodes > ping node. The ping results appear in the screen. Adding, ed...
Page 118
Chapter 8: nodes, node groups, and interfaces 100 in-band - vnc: select this item to create a kvm connection to a node through vnc server software. See interfaces for in-band connections (on page 101). Out-of-band connections: out-of-band - kvm: select this item to create a kvm connection to a node ...
Page 119
Chapter 8: nodes, node groups, and interfaces 101 see web browser interface (on page 106). 3. A default name appears in the name field depending on the type of interface you select. You can change the name. This name appears next to the interface in the nodes list. See naming conventions (on page 35...
Page 120
Chapter 8: nodes, node groups, and interfaces 102 microsoft rdp connection details • if using a windows xp client, you must have terminal server client 6.0 or higher to connect a microsoft rdp interface from cc-sg. Update the terminal server client to 6.0 using this link: http://support.Microsoft.Co...
Page 121
Chapter 8: nodes, node groups, and interfaces 103 interfaces for drac power control connections to add an interface for drac power control connections: 1. Type the ip address or hostname for this interface in the ip address/hostname field. 2. Type a tcp port for this connection in the tcp port field...
Page 122
Chapter 8: nodes, node groups, and interfaces 104 rsa interface details when you create an in-band rsa kvm or power interface, cc-sg discards the username and password associated with the interface, and creates two user accounts on the rsa server. This allows you to have simultaneous kvm and power a...
Page 123
Chapter 8: nodes, node groups, and interfaces 105 6. Click ok to save your changes. Note: a managed power strip interface can be added to a blade chassis node, but not to a blade server node. Interfaces for ipmi power control connections to add an interface for ipmi power control connections: 1. Typ...
Page 124
Chapter 8: nodes, node groups, and interfaces 106 if the it device has not been added to power iq yet, accept the default value for the external key or change it, but make sure to use the same value when adding the it device to power iq. You can quickly make a file of all node and interface informat...
Page 125
Chapter 8: nodes, node groups, and interfaces 107 http(s)://www.Example.Com/cgi/login http(s)://example.Com/home.Html 4. Enter authentication information: optional. To use a service account for authentication, select the use service account credentials checkbox. Select the service account to use in ...
Page 126
Chapter 8: nodes, node groups, and interfaces 108 example: adding a web browser interface to a px node a dominion px-managed powerstrip can be added to cc-sg as a node. Then you can add a web browser interface that enables users to access the dominion px's web-based administration application to the...
Page 127
Chapter 8: nodes, node groups, and interfaces 109 delete an interface you can delete any interface from a node except for these: a vmw viewer interface or a vmw power interface on a virtual machine node. A web browser interface on a blade chassis which has an integrated kvm switch and has a url or i...
Page 128
Chapter 8: nodes, node groups, and interfaces 110 4. A default name for the bookmark appears in the bookmark name field. You can change the name, which will appear in your favorites list in internet explorer. 5. Click ok. The add favorite window opens. 6. Click ok to add the bookmark to your favorit...
Page 129
Chapter 8: nodes, node groups, and interfaces 111 6. In the associations tab, select the copy node associations checkbox to copy all categories and elements of the node. You may change, add or delete any data in this tab. The modified data will be copied to multiple nodes in the selected nodes list ...
Page 130
Chapter 8: nodes, node groups, and interfaces 112 adding nodes with csv file import you can add nodes and interfaces to cc-sg by importing a csv file that contains the values. You must have the device, port, and node management and cc setup and control privileges to import and export nodes. You must...
Page 131
Chapter 8: nodes, node groups, and interfaces 113 nodes csv file requirements the nodes csv file defines the nodes, interfaces, and their details required to add them to cc-sg. • node names must be unique. If you enter duplicate node names, cc-sg adds a number in parentheses to the name to make it u...
Page 132
Chapter 8: nodes, node groups, and interfaces 114 column number tag or value details 3 node name enter the same value as entered for raritan port name. 4 raritan device name required field. The device must already be added to cc-sg. 5 port number required field. 6 blade slot if the node is associate...
Page 133
Chapter 8: nodes, node groups, and interfaces 115 column number tag or value details 9 parity valid for sx ports only. 10 flow control valid for sx ports only. 11 description optional. To add an rdp interface to the csv file: column number in csv file tag or value details 1 add the first column for ...
Page 134
Chapter 8: nodes, node groups, and interfaces 116 to add an ssh or telnet interface to the csv file: column number tag or value details 1 add the first column for all tags is the command add . 2 node-ssh-interface for ssh interfaces node-telnet- interface for telnet interfaces enter the tag as shown...
Page 135
Chapter 8: nodes, node groups, and interfaces 117 column number tag or value details 8 password optional. Leave blank if specifying service account. 9 description optional. To add a drac kvm, drac power, ilo kvm, ilo power, integrity ilo2 power, or rsa power interface to the csv file: when importing...
Page 136
Chapter 8: nodes, node groups, and interfaces 118 column number tag or value details account or a username and password. Leave blank if specifying service account. 8 password you must enter either a service account or a username and password. Leave blank if specifying service account. 9 description ...
Page 137
Chapter 8: nodes, node groups, and interfaces 119 to add an ipmi power control interface to the csv file: column number tag or value details 1 add the first column for all tags is the command add . 2 node-ipmi-interface enter the tag as shown. Tags are not case sensitive. 3 node name required field....
Page 138
Chapter 8: nodes, node groups, and interfaces 120 column number tag or value details power strip is connected to. Required field for all power strips except dominion px. 8 managing port the name of the port on the device that the power strip is connected to. Required field for all power strips excep...
Page 139
Chapter 8: nodes, node groups, and interfaces 121 to add a power iq proxy power control interface tothe csv file: see power control of power iq it devices (on page 305) for details about configuring this interface type. Column number tag or value details 1 add the first column for all tags is the co...
Page 140
Chapter 8: nodes, node groups, and interfaces 122 to assign categories and elements to a node to the csv file: categories and elements must already be created in cc-sg. You can assign multiple elements of the same category to a node in the csv file. Column number tag or value details 1 add the first...
Page 141
Chapter 8: nodes, node groups, and interfaces 123 if the file is not valid, an error message appears. Click ok and look at the problems area of the page for a description of the problems with the file. Click save to file to save the problems list. Correct your csv file and then try to validate it ag...
Page 142
Chapter 8: nodes, node groups, and interfaces 124 adding, editing, and deleting node groups node groups overview node groups are used to organize nodes into a set. The node group will become the basis for a policy either allowing or denying access to this particular set of nodes. See adding a policy...
Page 143
Chapter 8: nodes, node groups, and interfaces 125 2. Choose groups > new. A template for a node group appears. 3. In the group name field, type a name for a node group you want to create. See naming conventions (on page 353) for details on cc- sg's rules for name lengths. 4. There are two ways to ad...
Page 144
Chapter 8: nodes, node groups, and interfaces 126 4. If you want to create a policy that allows access to the nodes in this group at any time, select the create full access policy for group checkbox. 5. When you are done adding nodes to the group, click ok to create the node group. The group will be...
Page 145
Chapter 8: nodes, node groups, and interfaces 127 4. If you want to add another rule, click the add new row icon again, and make the necessary configurations. Configuring multiple rules will allow more precise descriptions by providing multiple criteria for evaluating nodes. To remove a rule, highli...
Page 146
Chapter 8: nodes, node groups, and interfaces 128 6. Click validate when a description has been written in the short expression field. If the description is formed incorrectly, a warning appears. If the description is formed correctly, a normalized form of the expression appears in the normalized ex...
Page 147: Chapter 9
129 user accounts are created so that users can be assigned a username and password to access cc-sg. A user group defines a set of privileges for its members. You cannot assign privileges to users themselves, only to user groups. All users must belong to at least one user group. Cc-sg maintains a ce...
Page 148
Chapter 9: users and user groups 130 the users tab click the users tab to display all user groups and users in cc-sg. Users are nested underneath the user groups to which they belong. User groups with users assigned to them appear in the list with a + symbol next to them. Click the + to expand or co...
Page 149
Chapter 9: users and user groups 131 default user groups cc-sg is configured with three default user groups: cc-super user, system administrators, and cc users. Cc super-user group the cc super-user group has full administrative and access privileges. Only one user can be a member of this group. The...
Page 150
Chapter 9: users and user groups 132 adding, editing, and deleting user groups add a user group creating user groups first will help you organize users when the users are added. When a user group is created, a set of privileges is assigned to the user group. Users assigned to the group will inherit ...
Page 151
Chapter 9: users and user groups 133 the all policies table lists all the policies available on cc-sg. Each policy represents a rule allowing or denying access to a group of nodes. See policies for access control (on page 149) for details on policies and how they are created. 9. In the all policies ...
Page 152
Chapter 9: users and user groups 134 7. Select the checkbox that corresponds to each privilege you want to assign to the user group. Deselect a privilege to remove it from the group. 8. In the node access area, click the drop-down menu for each kind of interface you want this group to have access th...
Page 153
Chapter 9: users and user groups 135 limit the number of kvm sessions per user you can limit the number of kvm sessions allowed per user for sessions with dominion kxii, ksxii and kx (kx1) devices. This prevents any single user from using all available channels at once. When a user attempts a connec...
Page 154
Chapter 9: users and user groups 136 2. Select the require users to enter access information when connecting to a node checkbox. 3. In the message to users field, enter a message that users will see when attempting to access a node. A default message is provided. 256 character maximum. 4. Move the u...
Page 155
Chapter 9: users and user groups 137 note: see naming conventions (on page 353) for details on cc- sg's rules for name lengths. If strong passwords are enabled, the password entered must conform to the established rules. The information bar at the top of the screen will display messages to assist wi...
Page 156
Chapter 9: users and user groups 138 3. Select the remote authentication only checkbox if you want the user to be authenticated by an external server such as tacacs+, radius, ldap, or ad. If you are using remote authentication, a password is not required and the new password and retype new password ...
Page 157
Chapter 9: users and user groups 139 assigning a user to a group use this command to assign an existing user to another group. Users assigned in this way will be added to the new group while still existing in any group they were previously assigned to. To move a user, use this command in conjunction...
Page 158
Chapter 9: users and user groups 140 adding users with csv file import you can add user information to cc-sg by importing a csv file that contains the values. If you have multiple cc-sg units in a neighborhood, exporting users from one cc-sg then importing the users into another cc-sg is a quick way...
Page 159
Chapter 9: users and user groups 141 column number tag or value details 6 maximum number of kvm sessions allowed per user enter just the number, from 1-8 . Default is 2 . To assign permissions to a user group in the csv file: enter the value true to assign a permission to the user group. Enter the v...
Page 160
Chapter 9: users and user groups 142 column number tag or value details tags are not case sensitive. 3 user group name required field. User group names are case sensitive. 4 policy name required field. To associate an ad module to a user group in the csv file: column number tag or value details 1 ad...
Page 161
Chapter 9: users and user groups 143 column number tag or value details email address is used with system notifications. 8 telephone number optional. 9 login enabled true or false default is true enable login to allow the user to log in to cc-sg. 10 remote authentication true or false 11 force passw...
Page 162
Chapter 9: users and user groups 144 sample users csv file add, usergroup, windows administrators, ms it team add, usergroup-permissions, windows administrators, false, true, true, true, true, true, true, true add, usergroup-policy, windows administrators, full access policy add, usergroup-admodule,...
Page 163
Chapter 9: users and user groups 145 export users the export file contains all users that have a user account created in cc- sg. This excludes ad-authorized users, unless they also have a user account created on cc-sg. The export file includes user and the details from the user profile, user groups,...
Page 164
Chapter 9: users and user groups 146 change your name you cannot change your user name. You can change the first and last name associated with your user name. To change your name: 1. Choose secure gateway > my profile. 2. Type your first and last name in the full name field. See naming conventions (...
Page 165
Chapter 9: users and user groups 147 change the cc-sg super user's username you must be logged into cc-sg using the cc super user account to change the cc super user's username. The default cc super user username is admin . 1. Choose secure gateway > my profile. 2. Type a new name in the username fi...
Page 166
Chapter 9: users and user groups 148 bulk copying users you can use bulk copy for users to copy one user's user group affiliations to another user or list of users. If the users receiving the affiliations have existing group affiliations, the existing affiliations will be removed. To perform a bulk ...
Page 167
149 policies are rules that define which nodes and devices users can access, when they can access them, and whether virtual-media permissions are enabled, where applicable. The easiest way to create policies is to categorize your nodes and devices into node groups and device groups, and then create ...
Page 168
Chapter 10: policies for access control 150 adding a policy if you create a policy that denies access (deny) to a node group or device group, you also must create a policy that allows access (control) for the selected node group or device group. Users will not automatically receive control rights wh...
Page 169
Chapter 10: policies for access control 151 13. In the device/node access permission field, select control to define this policy to allow access to the selected node or device group for the designated times and days. Select deny to define this policy to deny access to the selected node or device gro...
Page 170
Chapter 10: policies for access control 152 7. Click the days drop-down arrow, and then select which days of the week this policy covers: all (everyday), weekday (monday through friday only) and weekend (saturday and sunday only), or custom (select specific days). 8. Select custom to select your own...
Page 171
Chapter 10: policies for access control 153 support for virtual media cc-sg provides remote virtual media support for nodes connected to virtual media-enabled kx2, ksx2, and kx2-101 devices. For detailed instructions on accessing virtual media with your device, see: • dominion kx ii user guide • dom...
Page 172: Nodes
154 custom views enable you to specify different ways to display the nodes and devices in the left panel, using categories, node groups, and device groups. In this chapter types of custom views.........................................................................154 using custom views in the admi...
Page 173
Chapter 11: custom views for devices and nodes 155 using custom views in the admin client custom views for nodes add a custom view for nodes to add a custom view for nodes: 1. Click the nodes tab. 2. Choose nodes > change view > create custom view. The custom view screen appears. 3. In the custom vi...
Page 174
Chapter 11: custom views for devices and nodes 156 2. Click the name drop-down arrow and select a custom view from the list. 3. Click apply view. Or • choose nodes > change view. All defined custom views are options in the pop-up menu. Choose the custom view you want to apply. Change a custom view f...
Page 175
Chapter 11: custom views for devices and nodes 157 2. Choose nodes > change view > create custom view. The custom view screen appears. 3. Click the name drop-down arrow, and select a custom view from the list. Details of the items included and their order appear in the custom view details panel 4. I...
Page 176
Chapter 11: custom views for devices and nodes 158 3. In the custom view panel, click add. The add custom view window appears. 4. Type a name for the new custom view in the custom view name field. 5. In the custom view type section: select filter by device group to create a custom view that displays...
Page 177
Chapter 11: custom views for devices and nodes 159 2. Choose devices > change view > create custom view. The custom view screen appears. 3. Click the name drop-down arrow, and select a custom view from the list. Details of the items included and their order appear in the custom view details panel. T...
Page 178
Chapter 11: custom views for devices and nodes 160 assign a default custom view for devices to assign a default custom view for devices: 1. Click the devices tab. 2. Choose devices > change view > create custom view. The custom view screen appears. 3. Click the name drop-down arrow, and select a cus...
Page 179
161 in this chapter authentication and authorization (aa) overview ..................................161 distinguished names for ldap and ad................................................162 specifying modules for authentication and authorization .....................163 establishing order of exter...
Page 180
Chapter 12: remote authentication 162 3. Username and password are either accepted or rejected and sent back. If authentication is rejected, this results in a failed login attempt. 4. If authentication is successful, authorization is performed. Cc-sg checks if the username entered matches a group th...
Page 181
Chapter 12: remote authentication 163 specify a username for ad when authenticating cc-sg users on an ad server by specifying cn=administrator,cn=users,dc=xyz,dc=com in username, if a cc-sg user is associated with an imported ad group, the user will be granted access with these credentials. Note tha...
Page 182
Chapter 12: remote authentication 164 2. Click the authentication tab. All configured external authorization and authentication servers appear in a table. 3. Select a server from the list, and then click the up and down arrows to prioritize the order of engagement. 4. Click update to save your chang...
Page 183
Chapter 12: remote authentication 165 ad general settings in the general tab, you must add the information that allows cc-sg to query the ad server. Do not add duplicate ad modules. If your users see a message that says "you are not a member of any group" when attempting to login, you may have confi...
Page 184
Chapter 12: remote authentication 166 5. Type the password for the user account you want to use to query the ad server in the password and confirm password fields. Maximum length is 32 characters. 6. Click test connection to test the connection to the ad server using the given parameters. You should...
Page 185
Chapter 12: remote authentication 167 select the use bind checkbox if the user logging in from the applet has permissions to perform search queries in the ad server. If a username pattern is specified in bind username pattern, the pattern will be merged with the username supplied in the applet and t...
Page 186
Chapter 12: remote authentication 168 4. Click next to proceed. The trusts tab opens. Ad trust settings in the trusts tab, you can set up trust relationships between this new ad domain and any existing domains. A trust relationship allows resources to be accessible by authenticated users across doma...
Page 187
Chapter 12: remote authentication 169 3. Select the ad module you want edit, and then click edit. 4. Click each tab in the edit module window to view the configured settings. Make changes as needed. See ad general settings (on page 165), ad advanced settings (on page 166), ad group settings (on page...
Page 188
Chapter 12: remote authentication 170 to search for user groups, type a search string in the search for user group field, and then click go. Click a column header to sort the list of user groups by the information in that column. Click select all to select all user groups for import. Click deselect ...
Page 189
Chapter 12: remote authentication 171 synchronize all user groups with ad you should synchronize all user groups if you have made a change to a user group, such as moving a user group from one ad module to another. You can also change the ad association of a user group manually, in the user group pr...
Page 190
Chapter 12: remote authentication 172 synchronize all ad modules you should synchronize all ad modules whenever you change or delete a user in ad, change user permissions in ad, or make changes to a domain controller. When you synchronize all ad modules, cc-sg retrieves the user groups for all confi...
Page 191
Chapter 12: remote authentication 173 to disable daily synchronization of all ad modules: 1. Choose administration > security. 2. Click the authentication tab. All configured authorization and authentication servers appear in a table. 3. Deselect the daily synchronization of all modules checkbox. 4....
Page 192
Chapter 12: remote authentication 174 ldap general settings 1. Click the general tab. 2. Type the ip address or hostname of the ldap server in the ip address/hostname field. See terminology/acronyms (on page 2) for hostname rules. 3. Type the port value in the port field. The default port is 389. 4....
Page 193
Chapter 12: remote authentication 175 2. Select base 64 if you want the password to be sent to the ldap server with encryption. Select plain text if you want the password to be sent to the ldap server as plain text. 3. Default digest: select the default encryption of user passwords. 4. Type the user...
Page 194
Chapter 12: remote authentication 176 openldap (edirectory) configuration settings if using an openldap server for remote authentication, use this example: parameter name open ldap parameters ip address/hostname user name cn=, o= password user base o=accounts, o= user filter (objectclass=person) pas...
Page 195
Chapter 12: remote authentication 177 about tacacs+ and cc-sg cc-sg users who are remotely authenticated by a tacacs+ server must be created on the tacacs+ server and on cc-sg. The user name on the tacacs+ server and on cc-sg must be the same, although the passwords may be different. See users and u...
Page 196
Chapter 12: remote authentication 178 about radius and cc-sg cc-sg users who are remotely authenticated by a radius server must be created on the radius server and on cc-sg. The user name on the radius server and on cc-sg must be the same, although the passwords may be different. See users and user ...
Page 197
Chapter 12: remote authentication 179 two-factor authentication using radius by using an rsa radius server that supports two-factor authentication in conjunction with an rsa authentication manager, cc-sg can make use of two-factor authentication schemes with dynamic tokens. In such an environment, u...
Page 198: Chapter 13 Reports
180 in this chapter using reports ........................................................................................180 audit trail report...................................................................................182 error log report........................................................
Page 199
Chapter 13: reports 181 view report details • double-click a row to view details of the report. • when a row is highlighted, press the enter key to view details. All details of the selected report display in a dialog that appears, not just the details you can view in the report screen. For example, ...
Page 200
Chapter 13: reports 182 purge a report's data from cc-sg you can purge the data that appears in the audit trail and error log reports. Purging these reports deletes all data that satisfy the search criteria used. For example, if you search for all audit trail entries from march 26, 2008 through marc...
Page 201
Chapter 13: reports 183 3. You can limit the data that the report will contain by entering additional parameters in the message type, message, username, and user ip address fields. Wildcards are accepted in these fields except for the message type field. To limit the report to a type of message, sel...
Page 202
Chapter 13: reports 184 click purge to delete the error log. See purge a report's data from cc-sg (on page 182). Access report generate the access report to view information about accessed devices and nodes, when they were accessed, and the user who accessed them. To generate the access report: 1. C...
Page 203
Chapter 13: reports 185 3. Click apply. Active users report the active users report displays current users and user sessions. You can select active users from the report and disconnect them from cc- sg. To generate the active users report: • choose reports > users > active users. To disconnect a use...
Page 204
Chapter 13: reports 186 the password expiration field displays the number of days that the user can use the same password before being forced to change it. See add a user (on page 136). The groups field displays the user groups to which the user belongs. The privileges field displays the cc-sg privi...
Page 205
Chapter 13: reports 187 device group data report the device group data report displays device group information. To generate the device group data report: 1. Choose reports > devices > device group data. 2. Double-click a row to display the list of devices in the group. Query port report the query p...
Page 206
Chapter 13: reports 188 state type port state definition been configured. 3. Select ghosted ports to include ports that are ghosted. A ghosted port can occur when a cim or target server is removed from a paragon system or powered off (manually or accidentally). See raritan's paragon ii user guide. O...
Page 207
Chapter 13: reports 189 3. The url column contains direct links to each node. You can use this information to create a web page with links to each node, instead of bookmarking each node individually. See bookmarking an interface (on page 109). Active nodes report the active nodes report includes the...
Page 208
Chapter 13: reports 190 node group data report the node group data report displays the list of nodes that belong to each group, the user groups that have access to each node group, and, if applicable, the rules that define the node group. The list of nodes is in the report details, which you can vie...
Page 209
Chapter 13: reports 191 scheduled reports scheduled reports displays reports that were scheduled in the task manager. You can find the upgrade device firmware reports and restart device reports in the scheduled reports screen. Scheduled reports can be viewed in html format only. See task manager (on...
Page 210
Chapter 13: reports 192 upgrade device firmware report the upgrade device firmware report is located in the scheduled reports list. This report is generated when an upgrade device firmware task is running. View the report to get real-time status information about the task. Once the task has complete...
Page 211
193 in this chapter maintenance mode ................................................................................193 entering maintenance mode..................................................................193 exiting maintenance mode ..............................................................
Page 212
Chapter 14: system maintenance 194 2. Password: type your password. Only users with the cc setup and control privilege can enter maintenance mode. 3. Broadcast message: type the message that will display to users who will be logged out of cc-sg. 4. Enter maintenance mode after (min): enter the numbe...
Page 213
Chapter 14: system maintenance 195 b. Type the ip address or hostname of the server in the ip address/hostname field. C. If you are not using the default port for the selected protocol (ftp: 21, sftp: 22), type the communications port used in the port number field. D. Type a username for the remote ...
Page 214
Chapter 14: system maintenance 196 what is the difference between full backup and standard backup? Standard backup: a standard backup includes all data in all fields of all ccsg pages, except for data in the following pages: • administration > configuration manager > network tab • administration > c...
Page 215
Chapter 14: system maintenance 197 3. Click ok to delete the backup from the cc-sg system. Restoring cc-sg you can restore cc-sg using a backup file that you created. Important: the neighborhood configuration is included in the cc- sg backup file so make sure you remember or note down its setting at...
Page 216
Chapter 14: system maintenance 198 restore data - cc-sg configuration, device and node configuration, and user data. Selecting data restores the standard backup portion of a full backup file. See what is the difference between full backup and standard backup? (on page 196) restore logs - error logs ...
Page 217
Chapter 14: system maintenance 199 option description part of the cc-sg database. The snmp configuration and traps are reset. The snmp agent is not reset. Ip-acl settings are reset with a full database reset whether you select the ip acl tables option or not. The neighborhood configuration is remove...
Page 218
Chapter 14: system maintenance 200 option description snmp trap destinations default firmware this option resets all device firmware files to factory defaults. This option does not change the cc-sg database. Upload firmware to database after reset this option loads the firmware files for the current...
Page 219
Chapter 14: system maintenance 201 3. Broadcast message: type the message that will display to users who will be logged off cc-sg. 4. Restart after (min): enter the number of minutes (from 0-720) that should elapse before cc-sg restarts. If specifying over 10 minutes, the broadcast message displays ...
Page 220
Chapter 14: system maintenance 202 4. Once cc-sg is in maintenance mode, choose system maintenance > upgrade. 5. Click browse. Navigate to and select the cc-sg firmware file (.Zip) then click open. 6. Click ok to upload the firmware file to cc-sg. After the firmware file is uploaded to cc-sg, a succ...
Page 221
Chapter 14: system maintenance 203 clear the browser's cache these instructions may vary slightly for different browser versions. To clear the browser cache in internet explorer 6.0 or later: 1. Choose tools > internet options. 2. On the general tab, click delete files then click ok to confirm. In f...
Page 222
Chapter 14: system maintenance 204 if specifying over 10 minutes, the broadcast message displays to users immediately, and then repeats at 10 and 5 minutes before the event occurs. 5. Click ok to shut down cc-sg. Restarting cc-sg after shutdown after shutting down cc-sg, use one of these two methods...
Page 223
Chapter 14: system maintenance 205 ending cc-sg session there are two ways to end a cc-sg session. • log out to end your session while keeping the client window open. See log out of cc-sg (on page 205). • exit to end your session and close the client window. See exit cc- sg (on page 205). Log out of...
Page 224
206 in this chapter configuring a message of the day ........................................................206 configuring applications for accessing nodes .....................................207 configuring default applications ...........................................................209 manag...
Page 225
Chapter 15: advanced administration 207 c. Click the font size drop-down menu and select a font size for the message text. If you select message of the day file: a. Click browse to browse for the message file. B. Select the file in the dialog window that opens then click open. C. Click preview to re...
Page 226
Chapter 15: advanced administration 208 2. Click the application name drop-down arrow and select the application that must be upgraded from the list. If you do not see the application, you must add it first. See add an application (on page 208). 3. Click browse, locate and select the application upg...
Page 227
Chapter 15: advanced administration 209 5. Click ok. An open dialog appears. 6. Navigate to and select the application file (usually a .Jar or .Cab file), and then click open. 7. The selected application loads onto cc-sg. Delete an application to delete an application: 1. Choose administration > app...
Page 228
Chapter 15: advanced administration 210 view the default application assignments to view the default application assignments: 1. Choose administration > applications. 2. Click the default applications tab to view and edit the current default applications for various interfaces and port types. Applic...
Page 229
Chapter 15: advanced administration 211 2. Click add to add a new firmware file. A search window opens. 3. Navigate to and select the firmware file you want to upload to cc- sg, and then click open. When the upload completes, the new firmware appears in the firmware name field. Delete firmware to de...
Page 230
Chapter 15: advanced administration 212 model primary lan name primary lan location secondary lan name secondary lan location v1-0 or v1-1 lan1 left lan port lan2 right lan port e1 lan ports: model primary lan name primary lan location secondary lan name secondary lan location e1-0 not labeled top l...
Page 231
Chapter 15: advanced administration 213 if the primary lan is connected and receiving a link integrity signal, cc- sg uses this lan port for all communications. If the primary lan loses link integrity, and secondary lan is connected, cc-sg will failover its assigned ip address to the secondary lan. ...
Page 232
Chapter 15: advanced administration 214 6. Click the adapter speed drop-down arrow and select a line speed from the list. Make sure your selection agrees with your switch's adapter port setting. If your switch uses 1 gig line speed, select auto. 7. If you selected auto in the adapter speed field, th...
Page 233
Chapter 15: advanced administration 215 what is ip isolation mode? Ip isolation mode allows you to isolate clients from devices by placing them on separate sub-networks and forcing clients to access the devices through cc-sg. In this mode, cc-sg manages traffic between the two separate ip domains. I...
Page 234
Chapter 15: advanced administration 216 • specify at most one default gateway in the network setup panel in cc-sg. Use diagnostic console to add more static routes if needed. See edit static routes (on page 278). To configure ip isolation mode in cc-sg: 1. Choose administration > configuration. 2. C...
Page 235
Chapter 15: advanced administration 217 recommended dhcp configurations for cc-sg review the following recommended dhcp configurations. Make sure that your dhcp server is set up properly before you configure cc-sg to use dhcp. • configure the dhcp to statically allocate cc-sg's ip address. • configu...
Page 236
Chapter 15: advanced administration 218 2. Click the logs tab. 3. Click purge. 4. Click yes. Configuring the cc-sg server time and date cc-sg's time and date must be accurately maintained to provide credibility for its device-management capabilities. Important: the time/date configuration is used wh...
Page 237
Chapter 15: advanced administration 219 connection modes: direct and proxy about connection modes cc-sg offers three connection modes for in-band and out-of-band connections: direct, proxy, and both. • direct mode allows you to connect to a node or port directly, without passing data through cc-sg. ...
Page 238
Chapter 15: advanced administration 220 configure proxy mode for all client connections to configure proxy mode for all client connections: 1. Choose administration > configuration. 2. Click the connection mode tab. 3. Select proxy mode. 4. Click update configuration. Configure a combination of dire...
Page 239
Chapter 15: advanced administration 221 3. Type a new timeout duration in the heartbeat (sec) field. The valid range is 30 seconds to 50,000 seconds. 4. Click update configuration to save your changes. To enable or disable a warning message for all power operations: select the display warning messag...
Page 240
Chapter 15: advanced administration 222 enable akc download server certificate validation overview if you are using the akc client, you can choose to use the enable akc download server certificate validation feature or opt not to use this feature. Option 1: do not enable akc download server certific...
Page 241
Chapter 15: advanced administration 223 configuring custom jre settings cc-sg will display a warning message to users who attempt to access cc-sg without the minimum jre version that you specify. Check the compatibility matrix for the minimum supported jre version. Choose administration > compatibil...
Page 242
Chapter 15: advanced administration 224 to clear the default message and minimum jre version: 1. Choose administration > configuration. Click the custom jre tab. 2. Click clear. Configuring snmp simple network management protocol allows cc-sg to push snmp traps (event notifications) to an existing s...
Page 243
Chapter 15: advanced administration 225 9. Select the checkboxes before the traps you want cc-sg to push to your snmp hosts: under trap sources, a list of snmp traps grouped into two different categories: system log traps, which include notifications for the status of the cc unit itself, such as a h...
Page 244
Chapter 15: advanced administration 226 requirements for cc-sg clusters • the primary and secondary nodes in a cluster must be running the same firmware version on the same hardware version (v1 or e1). • your cc-sg network must be in ip failover mode to be used for clustering. Clustering will not wo...
Page 245
Chapter 15: advanced administration 227 5. Type a valid user name and password for the backup node in the username for backup secure gateway and password for backup secure gateway fields. 6. Select the redirect by hostname checkbox to specify that secondary to primary redirection access should be vi...
Page 246
Chapter 15: advanced administration 228 switch the primary and secondary node status you can exchange the roles of primary and secondary nodes when the secondary, or backup, node is in the "joined" state. When the secondary node is in the "waiting" state, switching is disabled. After the roles are s...
Page 247
Chapter 15: advanced administration 229 note: if the clustered cc-sg units do not share the same time zone, when the primary node failure occurs, and the secondary node becomes the new primary node, the time specified for automatic rebuild still follows the time zone of the old primary node. Delete ...
Page 248
Chapter 15: advanced administration 230 create a neighborhood you can log into a cc-sg unit where you want to create a neighborhood and which is not a member of any neighborhood yet. After a neighborhood is created, all members in the neighborhood share the same neighborhood information. If any memb...
Page 249
Chapter 15: advanced administration 231 to deactivate any cc-sg unit, deselect the activate checkbox next to that unit. Deactivated cc-sg units operate as standalone units and do not show up as one of the neighborhood members to access client users. Click the column header to sort the table by that ...
Page 250
Chapter 15: advanced administration 232 4. If new cc-sg units meet the neighborhood criteria and are found, they display in the neighborhood configuration table. Otherwise, a message appears and return you to the add member dialog. Then make changes in the dialog as needed. 5. Select the active chec...
Page 251
Chapter 15: advanced administration 233 delete a neighborhood member when a cc-sg unit in a neighborhood becomes inappropriate, you may either remove or deactivate it in the neighborhood configuration. Otherwise, access client users may find these units inaccessible when trying to switch to them. Fo...
Page 252
Chapter 15: advanced administration 234 2. Choose administration > neighborhood. 3. Click delete neighborhood. 4. Click yes to confirm the deletion. Security manager the security manager is used to manage how cc-sg provides access to users. Within security manager you can configure authentication me...
Page 253
Chapter 15: advanced administration 235 check your browser for aes encryption cc-sg supports aes-128 and aes-256. If you do not know if your browser uses aes, check with the browser manufacturer. You may also want to try navigating to the following web site using the browser whose encryption method ...
Page 254
Chapter 15: advanced administration 236 click the key length drop-down arrow to select the encryption level - 128 or 256. The cc-sg port field displays 80. The browser connection protocol field displays https/ssl selected. 5. Click update to save your changes. Configure browser connection protocol: ...
Page 255
Chapter 15: advanced administration 237 require strong passwords for all users 1. Choose administration > security. 2. Click the login settings tab. 3. Select the strong passwords required for all users checkbox. 4. Select a maximum password length. Passwords must contain fewer than the maximum numb...
Page 256
Chapter 15: advanced administration 238 lockout settings administrators can lock out cc-sg users and ssh users after a specified number of failed login attempts. You can enable this feature for locally authenticated users, for remotely authenticated users, or for all users. Note: by default, the adm...
Page 257
Chapter 15: advanced administration 239 2. Open the login settings tab. 3. Deselect the lockout enabled for local users checkbox to disable lockout for locally authenticated users. Deselect the lockout enabled for remote users checkbox to disable lockout for remotely authenticated users. 4. Click up...
Page 258
Chapter 15: advanced administration 240 logo a small graphic file can be uploaded to cc-sg to act as a banner on the login page. The maximum size of the logo is 998 by 170 pixels. To upload a logo: 1. Click browse in the logo area of the portal tab. An open dialog appears. 2. Select the graphic file...
Page 259
Chapter 15: advanced administration 241 click browse. A dialog window opens. In the dialog window, select the text file with the message you want to use, and then click open. The maximum length of the text message is 10,000 characters. Click preview to preview the text contained in the file. The pre...
Page 260
Chapter 15: advanced administration 242 a. Encryption mode: if require aes encryption between client and server is selected in the administration > security > encryption screen, aes-128 is the default. If aes is not required, des 3 is the default. B. Private key length: 1024 is the default. C. Valid...
Page 261
Chapter 15: advanced administration 243 14. Type raritan in the password field if the csr was generated by cc- sg. If a different application generated the csr, use the password for that application. Note: if the imported certificate is signed by a root and subroot ca (certificate authority), using ...
Page 262
Chapter 15: advanced administration 244 access control list an ip access control list specifies ranges of client ip addresses for which you want to deny or allow access to cc-sg. Each entry in the access control list becomes a rule that determines whether a user in a certain group, with a certain ip...
Page 263
Chapter 15: advanced administration 245 6. Click the action drop-down arrow and select allow or deny to specify whether the specified users in the ip range can access cc-sg. 7. Click update to save your changes. To change the order in which cc-sg applies rules: 1. Choose administration > security. 2...
Page 264
Chapter 15: advanced administration 246 7. Type a valid email address that will identify messages from cc-sg in the from field. 8. Type the number of times emails should be re-sent should the send process fail in the sending retries field. 9. Type the number of minutes (from 1-60) that should elapse...
Page 265
Chapter 15: advanced administration 247 schedule sequential tasks you may want to schedule tasks sequentially to confirm that expected behavior occurred. For example, you may want to schedule an upgrade device firmware task for a given device group, and then schedule an asset management report task ...
Page 266
Chapter 15: advanced administration 248 schedule a task this section covers most tasks that can be scheduled. See schedule a device firmware upgrade (on page 250) for details on scheduling device firmware upgrades. To schedule a task: 1. Choose administration > tasks. 2. Click new. 3. In the main ta...
Page 267
Chapter 15: advanced administration 249 b. Periodic: use the up and down arrows to select the start time at which the task should begin. Type the number of times the task should be executed in the repeat count field. Type the time that should elapse between repetitions in the repeat interval field. ...
Page 268
Chapter 15: advanced administration 250 12. Specify email addresses to which a notification should be sent upon task success or failure. By default, the email address of the user currently logged in is available. User email addresses configured in the user profile. To add another email address, clic...
Page 269
Chapter 15: advanced administration 251 a. Start date/time: select the date and time at which the task begins. The start date/time must be later than the current date/time. B. Restrict upgrade window and latest upgrade start date/time: if you must finish all upgrades within a specific window of time...
Page 270
Chapter 15: advanced administration 252 change a scheduled task you can change a scheduled task before it runs. To change a scheduled task: 1. Select the task you want to change. 2. Click edit. 3. Change the task specifications as needed. See schedule a task (on page 248) and schedule a device firmw...
Page 271
Chapter 15: advanced administration 253 delete a task you can delete a task to remove it from the task manager. You cannot delete a task that is currently running. To delete a task: • select the task, then click delete. Ssh access to cc-sg use secure shell (ssh) clients, such as putty or openshh cli...
Page 272
Chapter 15: advanced administration 254 to display all ssh commands: • at the shell prompt, type ls to display all commands available. Get help for ssh commands you can get limited help for all commands at once. You can also get in- depth help on a single command at a time. To get help for a single ...
Page 273
Chapter 15: advanced administration 255 ssh commands and parameters the following table lists all commands available in ssh. You must be assigned the appropriate privileges in cc-sg to access each command. Some commands have additional parameters that you must type to execute the command. For more i...
Page 276
Chapter 15: advanced administration 258 command syntax device id value you should type ssh -id 100 ssh -id 100 • the default escape character is a tilde followed by a period. For example: ~. See end ssh connections (on page 260) for details on using the escape character and the exit command. You may...
Page 277
Chapter 15: advanced administration 259 2. Connect to the device by typing ssh -id . Using the figure above as an example, you can connect to sx-229 by typing ssh -id 1370 . Use ssh to connect to a node via a serial out-of-band interface you can use ssh to connect to a node through its associated se...
Page 278
Chapter 15: advanced administration 260 command alias description get_write gw gets write access. Allows ssh user to execute commands at target server while browser user can only observe proceedings. Get_history gh gets history. Displays the last few commands and results at target server. Send_break...
Page 279
Chapter 15: advanced administration 261 serial admin port the serial admin port on cc-sg can be connected directly to a raritan serial device, such as dominion sx or ksx. You can connect to the sx or ksx via the ip address using a terminal emulation program, such as hyperterminal or putty. Set the b...
Page 280
Chapter 15: advanced administration 262 3. A new window opens with your cc-sg serial number. Web services api you must accept the end user agreement before adding a web services api client to cc-sg. You can add up to five ws-api clients. See the cc-sg web services api guide for details on using the ...
Page 281
Chapter 15: advanced administration 263 h. Division/department name: csr tag is organization unit name. Maximum 64 characters. I. Fully qualified domain name: csr tag is common name. J. Administrator email address: type in the email address of the administrator who is responsible for the certificate...
Page 282
264 the diagnostic console is a non-graphical, menu-based interface that provides local access to cc-sg. You can access diagnostic console from a serial or kvm port. See access diagnostic console via vga/keyboard/mouse port (on page 264). Or, you can access diagnostic console from a secure shell (ss...
Page 283
Chapter 16: diagnostic console 265 status console about status console • you can use the status console to check the health of cc-sg, the various services cc-sg uses, and the attached network. • by default, status console does not require a password. • you can configure cc-sg to provide the status c...
Page 284
Chapter 16: diagnostic console 266 2: access the status console via web browser: 1. Using a supported internet browser, type this url: http(s):///status/ where is the ip address of the cc-sg. Note the forward slash (/) following /status is mandatory. For example, https://10.20.3.30/status/ . 2. A st...
Page 285
Chapter 16: diagnostic console 267 cc-sg title, date and time the cc-sg title is constant so users know that they are connected to a cc-sg unit. The date and time at the top of the screen is the last time when the cc- sg data was polled. The date and time reflect the timing values saved on the cc-sg...
Page 286
Chapter 16: diagnostic console 268 information description restoring cc-sg is in the process of restoring itself and database queries are temporarily suspended. Down database server has not started yet. Most of the access to the cc-sg server is through the web. This field shows the state of the web ...
Page 287
Chapter 16: diagnostic console 269 information description speed the speed that this interface is operating: 10, 100 or 1000 mbits per second. Duplex indicate whether the interface is full- or half-duplex. Ipaddr the current ipv4 address of this interface. Rx -pkts the number of ip packets received ...
Page 288
Chapter 16: diagnostic console 270 status console via web browser after connecting to the status console via the web browser, the read- only status console web page appears. The web page displays the same information as the status console, and also updates the information approximately every 5 secon...
Page 289
Chapter 16: diagnostic console 271 administrator console about administrator console the administrator console allows you to set some initial parameters, provide initial networking configuration, debug log files, and perform some limited diagnostics and restarting cc-sg. The default login for the ad...
Page 290
Chapter 16: diagnostic console 272 the main administrator console screen appears. Administrator console screen administrator console screen consists of 4 main areas. • menu bar: you can perform administrator console functions by activating the menu bar. Press ctrl+x to activate the menu bar or click...
Page 291
Chapter 16: diagnostic console 273 • status bar: status bar is just above the navigation keys bar. It displays some important system information, including cc-sg's serial number, firmware version, and the time when the information shown in the main display area was loaded or updated. Screenshots con...
Page 292
Chapter 16: diagnostic console 274 edit diagnostic console configuration the diagnostic console can be accessed via the serial port (com1), vga/keyboard/mouse (kvm) port, or from ssh clients. If you want to access status console, one more access mechanism, web access, is also available. For each por...
Page 293
Chapter 16: diagnostic console 275 4. Click save. Edit network interfaces configuration (network interfaces) in network interface configuration, you can perform initial setup tasks, such as setting the hostname and ip address of the cc-sg. 1. Choose operation > network interfaces > network interface...
Page 294
Chapter 16: diagnostic console 276 even if dhcp is being used to determine the ip configuration for an interface, you must provide a properly formatted ip address and netmask. 6. In the adapter speed, select a line speed. The other values of 10, 100, and 1000 mbps are on a scrollable list (where onl...
Page 295
Chapter 16: diagnostic console 277 option description record route records route. Turns on the ip record route option, which will store the route of the packet inside the ip header. Use broadcast address allows pinging a broadcast message. Adaptive timing adaptive ping. Interpacket interval adapts t...
Page 296
Chapter 16: diagnostic console 278 option description no dns resolution does not resolve addresses to host names. Use icmp (vs. Normal udp) use icmp echo instead of udp datagrams. 4. Type values for how many hops the traceroute command will use in outgoing probe packets (default is 30), the udp dest...
Page 297
Chapter 16: diagnostic console 279 although you can delete all other routes, including the default gateway, doing this will greatly impact the communication with cc- sg..
Page 298
Chapter 16: diagnostic console 280 view log files in diagnostic console you can view one or more log files simultaneously via logviewer, which allows browsing through several files at once to examine system activity. The logfile list is updated only when the associated list becomes active, as when a...
Page 299
Chapter 16: diagnostic console 281 3. Click with the mouse or use the arrow keys to navigate and press the space bar to select a log file, marking it with an x. You can view more than one log file at a time. To sort the logfiles to view list: the sort logfile list by options control the order in whi...
Page 300
Chapter 16: diagnostic console 282 option description contents of this package is not available to customer. Exported logfiles will be available for up to 10 days, and then the system will automatically delete them. View view the selected log(s). When view is selected with individual windows, the lo...
Page 301
Chapter 16: diagnostic console 283 note: system load is static as of the start of this admin console session - use the top utility to dynamically monitor system resources. To filter a log file with a regular expression: 1. Type e to add or edit a regular expression and select a log from the list if ...
Page 302
Chapter 16: diagnostic console 284 diagnostic console. See restarting cc-sg (on page 200). Restarting cc-sg in diagnostic console will not notify users that it is being restarted. To restart cc-sg with diagnostic console: 1. Choose operation > admin > cc-sg restart. 2. Either click restart cc-sg app...
Page 303
Chapter 16: diagnostic console 285 2. Either click reboot system or press enter to reboot cc-sg. Confirm the reboot in the next screen to proceed. Power off cc-sg system from diagnostic console this option will power off the cc-sg unit. Logged-in users will not receive a notification. Cc-sg, ssh, an...
Page 304
Chapter 16: diagnostic console 286 2. Either click power off the cc-sg or press enter to remove ac power from the cc-sg. Confirm the power off operation in the next screen to proceed. Reset cc super-user password with diagnostic console this option will reset the password for the cc super user accou...
Page 305
Chapter 16: diagnostic console 287 2. Either click reset cc-sg gui admin password or press enter to change the admin password back to factory default. Confirm the password reset in the next screen to proceed. Reset cc-sg factory configuration (admin) this option will reset all or parts of the cc-sg ...
Page 306
Chapter 16: diagnostic console 288 option description full cc-sg database reset this option removes the existing cc-sg database and builds a new version with the factory default values. Network settings, snmp settings, firmware, and diagnostic console settings are not part of the cc-sg database. Ip-...
Page 307
Chapter 16: diagnostic console 289 option description diagnostic console reset this option restores diagnostic console settings back to factory defaults. Ip access control lists reset this option removes all entries from the ip-acl table. Ip-acl settings are reset with a full database reset whether ...
Page 308
Chapter 16: diagnostic console 290 2. In the password history depth field, type the number of passwords that will be remembered. The default setting is five. 3. Select either regular, random, or strong for the admin and status (if enabled) passwords. Password setting description regular these are st...
Page 309
Chapter 16: diagnostic console 291 password setting description every password must have at least one digit in it. Diagnostic console account configuration by default, the status account does not require a password, but you can configure it to require one. Other aspects of the admin password can be ...
Page 310
Chapter 16: diagnostic console 292 setting description user \ user name (read-only). This is the current user name or id for this account. Last changed (read-only). This is the date of the last password change for this account. Expire (read-only). This is the day that this account must change its pa...
Page 311
Chapter 16: diagnostic console 293 configure remote system monitoring you can enable the remote system monitoring feature to use the gkrellm tool. The gkrellm tool provides a graphical view of resource utilization on the cc-sg unit. This tool is similar to the windows task manager's performance tab....
Page 312
Chapter 16: diagnostic console 294 3: configure the remote system monitoring client to work with cc-sg: follow the instructions in the read me file to set the cc-sg unit as the target to monitor. Windows users must use the command line to locate the gkrellm installation directory and then run the co...
Page 313
Chapter 16: diagnostic console 295 display raid status and disk utilization this option displays the status of cc-sg disks, including disk size, active and up status, state of the raid-1, and amount of space currently used by various file systems. To display disk status of the cc-sg: 1. Choose opera...
Page 314
Chapter 16: diagnostic console 296 perform disk or raid tests you can manually perform smart disk drive tests or raid check and repair operations. To perform a disk drive test or a raid check and repair operation: 1. Choose operation > utilities > disk/raid utilities > manual disk/raid tests. 2. To ...
Page 315
Chapter 16: diagnostic console 297 d. After the test is complete, you can view the results in the repair/rebuild raid screen. See repair or rebuild raid disks (on page 299). If a non-zero value displays in the mis- match column for the given array, indicating that there may be a problem, you should ...
Page 316
Chapter 16: diagnostic console 298 schedule disk tests you can schedule smart-based tests of the disk drives to be periodically performed. Firmware on the disk drive will perform these tests, and you can view the test results in the repair/rebuild screen. See repair or rebuild raid disks (on page 29...
Page 317
Chapter 16: diagnostic console 299 2. Click with the mouse or use the arrow keys to navigate and press the space bar to select a test type, marking it with an x. Different types of tests take a different period of time. A short test takes about 2 minutes to complete when the system is lightly loaded...
Page 318
Chapter 16: diagnostic console 300 2. If any item does not show "no" under the "replace??" or "rebuild??" column, contact raritan technical support for assistance. A good system: a contrived system showing multiple problems: the system will update displayed information when you move between disk dri...
Page 319
Chapter 16: diagnostic console 301 4. Selecting either replace disk drive or rebuild raid array, and follow onscreen instructions until you finish the operation. View top display with diagnostic console top display allows you to view the list of currently-running processes and their attributes, as w...
Page 320
Chapter 16: diagnostic console 302 ntp is not enabled or not configured properly: ntp is properly configured and running:.
Page 321
Chapter 16: diagnostic console 303 take a system snapshot when cc-sg does not function properly, it is extremely helpful if you can capture the information stored in cc-sg, such as the system logs, configurations or database, and provide it to raritan technical support for analysis and troubleshooti...
Page 322
Chapter 16: diagnostic console 304 2: retrieve the cc-sg snapshot file: 1. Using a supported internet browser, type this url: http(s):///upload/ where is the ip address of the cc-sg. Note the forward slash (/) following /upload is mandatory. For example, https://10.20.3.30/upload/ . 2. The enter net...
Page 323
305 if you have a cc-sg and power iq, there are severals ways to use them together. 1. Control power to power iq it devices via cc-sg. For example, if you want to control power to a power iq it device which is also a cc-sg node, you can use a power iq proxy interface to give power control commands i...
Page 324
Chapter 17: power iq integration 306 2. Type a name for the device in the power iq device name field. The name must be unique for the power iq device providing the service. Cc-sg does not accept duplicate names. See naming conventions (on page 353) for details on cc-sg's rules for name lengths. 3. T...
Page 325
Chapter 17: power iq integration 307 import power strips from power iq you can import dominion px devices and their outlet names from power iq. If the dominion px devices are already managed by cc-sg, you must delete them first. The import adds the dominion px devices, and configures and names the o...
Page 326
Chapter 17: power iq integration 308 column number tag or value details default is false. 7 description optional. Step 3: import the edited csv file into cc-sg 1. In the cc-sg admin client, choose administration > import > import powerstrips. 2. Click browse and select the csv file to import. Click ...
Page 327
Chapter 17: power iq integration 309 4. Click save. Step 2: edit the csv file and import into power iq: the export file contains three sections. Read the comments in the csv file for instructions on how to use each section as part of a power iq multi-tabbed csv import file. See the power iq user gui...
Page 328
310 in this chapter v1 model................................................................................................310 e1 model................................................................................................311 v1 model v1 general specifications form factor 1u dimensions (dx...
Page 329
Appendix a: specifications for v1 and e1 311 operating humidity 5% - 95% rh altitude operate properly at any altitude between 0 to 10,000 feet, storage 40,000 feet (estimated) vibration 5-55-5 hz, 0.38mm,1 minutes per cycle; 30 minutes for each axis (x,y,z) shock n/a e1 model e1 general specificatio...
Page 330
Appendix a: specifications for v1 and e1 312 operating non-operating temperature -40°-70° c humidity 5-90%, non-condensing altitude sea level to 40,000 feet vibration 10 hz to 300 hz sweep at 2 g constant acceleration for one hour on each of the perpendicular axes x, y, and z shock 30 g for 11 ms wi...
Page 331
313 this appendix contains network requirements, including addresses, protocols, and ports, of a typical cc-sg deployment. It includes information about how to configure your network for both external access and internal security and routing policy enforcement. Details are provided for the benefit o...
Page 332
Appendix b: cc-sg and network configuration 314 port number protocol purpose details raritan device that will be externally accessed. The other ports in the table must be opened only for accessing cc-sg. Aes-128/aes-256 encrypted if configured. 80 and 443 for control system nodes 80, 443, 902, and 9...
Page 333
Appendix b: cc-sg and network configuration 315 cc-sg and raritan devices a main role of cc-sg is to manage and control raritan devices, such as dominion kx ii. Typically, cc-sg communicates with these devices over a tcp/ip network (local, wan, or vpn) and both tcp and udp protocols are used as foll...
Page 334
Appendix b: cc-sg and network configuration 316 communication direction port number protocol configurable? Details cc-sg to cc-sg 5432 tcp no from ha-jdbc on primary to backup postgresql db server. Not encrypted. Cc-sg to cc-sg 8732 tcp no primary-backup server sync clustering control data exchange....
Page 335
Appendix b: cc-sg and network configuration 317 communication direction port number protocol configurable? Details pc client to cc-sg 443 tcp no client-server communication. Ssl/aes-128/aes-256 encrypted if configured. Pc client to cc-sg 80 tcp no client-server communication. Not encrypted. If ssl i...
Page 336
Appendix b: cc-sg and network configuration 318 communication direction port number protocol configurable? Details client to raritan device to out-of-band kvm node (direct mode) 5000 (on raritan device) tcp yes client-server communication. Ssl/aes-128/aes-256 encrypted if configured. Client to rarit...
Page 337
Appendix b: cc-sg and network configuration 319 communication direction port number protocol configurable? Details cc-sg to snmp manager 162 udp yes snmp standard cc-sg internal ports cc-sg uses several ports for internal functions, and its local firewall function blocks access to these ports. Howev...
Page 338
Appendix b: cc-sg and network configuration 320 vnc access to nodes port 5800 or 5900 must be open for vnc access to nodes. Ssh access to nodes port 22 must be open for ssh access to nodes. Remote system monitoring port when the remote system monitoring feature is enabled, port 19150 is opened by de...
Page 339
321 this table shows which privilege must be assigned for a user to have access to a cc-sg menu item. *none means that no particular privilege is required. Any user who has access to cc-sg will be able to view and access these menus and commands. Menu > sub- menu menu item required privilege descrip...
Page 340
Appendix c: user group privileges 322 menu > sub- menu menu item required privilege description devices this menu and the devices tree is available only for users with any one of the following privileges: device, port, and node management device configuration and upgrade management discover devices ...
Page 341
Appendix c: user group privileges 323 menu > sub- menu menu item required privilege description management or device configuration and upgrade management > launch user station admin device, port, and node management > disconnect users device, port, and node management or device configuration and upg...
Page 342
Appendix c: user group privileges 324 menu > sub- menu menu item required privilege description > by port number device, port, and node management or device configuration and upgrade management nodes this menu and the nodes tree is available only for users with any one of the following privileges: d...
Page 343
Appendix c: user group privileges 325 menu > sub- menu menu item required privilege description control configure blades device, port, and node management ping node device, port, and node management bookmark node interface node in-band access or node out-of-band access > node sorting options > by no...
Page 344
Appendix c: user group privileges 326 menu > sub- menu menu item required privilege description node power control > tree view any of the following: device, port, and node management or node in-band access or node out-of-band access or node power control associations this menu is available only for ...
Page 345
Appendix c: user group privileges 327 menu > sub- menu menu item required privilege description > devices > device asset report device, port, and node management or device configuration and upgrade management > device group data device, port, and node management > query port device, port, and node m...
Page 346
Appendix c: user group privileges 328 menu > sub- menu menu item required privilege description upgrade management configuration cc setup and control cluster configuration cc setup and control neighborhood cc setup and control security cc setup and control notifications cc setup and control tasks cc...
Page 347
Appendix c: user group privileges 329 menu > sub- menu menu item required privilege description device, port, and node management export devices cc setup and control and device, port, and node management export power iq data cc setup and control and device, port, and node management system maintenan...
Page 348: Appendix D Snmp Traps
330 cc-sg provides the following snmp traps: snmp trap description ccunavailable cc-sg application is unavailable. Ccavailable cc-sg application is available. Ccuserlogin cc-sg user logged in. Ccuserlogout cc-sg user logged out. Ccportconnectionstarted cc-sg session started. Ccportconnectionstopped ...
Page 349
Appendix d: snmp traps 331 snmp trap description ccdiagnosticconsolelogout user has logged out of the cc-sg diagnostic console. Ccusergroupadded a new user group has been added to cc-sg. Ccusergroupdeleted cc-sg user group has been deleted. Ccusergroupmodified cc-sg user group has been modified. Ccs...
Page 350
332 this section contains more information about csv file imports. In this chapter common csv file requirements .........................................................333 audit trail entries for importing .............................................................334 troubleshoot csv file proble...
Page 351
Appendix e: csv file imports 333 common csv file requirements the best way to create the csv file is to export a file from cc-sg, and then use the exported csv file as an example for creating your own. The export file contains comments at the top that describe each item in the file. The comments can...
Page 352
Appendix e: csv file imports 334 audit trail entries for importing each item imported into cc-sg is logged in the audit trail. Skipped duplicates are not logged in the audit trail. The audit trail includes an entry for the following actions, under the message type "configuration." • import of csv fi...
Page 353
Appendix e: csv file imports 335 troubleshoot csv file problems to troubleshoot csv file validation: error messages appear in the problems area of the import page. The error messages identify problems that are found in the csv file during validation. You can save the list of errors to a csv file. Ea...
Page 354
336 • launching cc-sg from your web browser requires a java plug-in. If your machine has an incorrect version, cc-sg will guide you through the installation steps. If your machine does not have a java plug-in, cc-sg cannot automatically launch. In this case, you must uninstall or disable your old ja...
Page 355
Appendix f: troubleshooting 337 • if you access more than one cc-sg unit using the same client and firefox, you may see a "secure connection failed" message that says you have an invalid certificate. You can resume access by clearing the invalid certificate from your browser. A. In firefox, choose t...
Page 356
338 cc-sg comes with a few diagnostic utilities which may be extremely helpful for you or raritan technical support to analyse and debug the cause of cc-sg problems. In this chapter memory diagnostic................................................................................338 debug mode .........
Page 357
Appendix g: diagnostic utilities 339 capture the memtest86+ screen containing the memory errors and contact raritan technical support for assistance. Shut down cc-sg and re-install the memory dimm modules to ensure the contact is good. Then perform the memtest86+ diagnostic to verify if the memory i...
Page 358
Appendix g: diagnostic utilities 340 cc-sg disk monitoring if cc-sg disk space exhaustion in one or more file systems occurs, it may negatively impact your operation and even results in the loss of some engineering data. Therefore, you should monitor the cc-sg disk usage and take corrective actions ...
Page 359
Appendix g: diagnostic utilities 341 file system data corrective action /sg/db cc-sg database contact raritan technical support /opt cc-sg backups and snapshots 1. Save any new snapshot files on a remote client pc. See take a system snapshot (on page 303) for the retrieval procedure. 2. Enter the sy...
Page 360
Appendix g: diagnostic utilities 342 note: for file system problems that are not mentioned in this section, or when the corrective actions you take cannot resolve the problems, contact raritan technical support for assistance..
Page 361
343 cc-sg can be configured to point to an rsa radius server that supports two-factor authentication via an associated rsa authentication manager. Cc-sg acts as a radius client and sends user authentication requests to rsa radius server. The authentication request includes user id, a fixed password,...
Page 362: Appendix I Faqs
344 in this chapter general faqs........................................................................................344 authentication faqs..............................................................................346 security faqs ................................................................
Page 363
Appendix i: faqs 345 question answer can i upgrade to newer versions of cc-sg software as they become available? Yes. Contact your authorized raritan sales representative or raritan, inc. Directly. How many nodes and/or dominion units and/or ip- reach units can be connected to cc-sg? There is no spe...
Page 364
Appendix i: faqs 346 question answer model with ip-reach and the ip user station (ust-ip). The network model scales through use of the tcp/ip network and aggregates access through cc-sg, so users don't have to know ip addresses or the topology of access devices. It also provides the convenience of s...
Page 365
Appendix i: faqs 347 question answer security tools such as ldap, ad, radius, and so on? Tacacs+, radius, and ldap. Why does the error message "incorrect username and/or password" appear after i correctly enter a valid username and password to log into cc-sg? Check the user account in ad. If ad is s...
Page 366
Appendix i: faqs 348 question answer wan, but lan, too)? Does cc-sg support crl list, that is, ldap list of invalid certificates? No. Does cc-sg support client certificate request? No. Accounting faqs question answer accounting the event times in the audit trail report seem incorrect. Why? Log event...
Page 367
Appendix i: faqs 349 grouping faqs question answer grouping is it possible to put a given server in more than one group? Yes. Just as one user can belong to multiple groups, one device can belong to multiple groups. For example, a sun in nyc could be part of group sun: "ostype = solaris" and group n...
Page 368
Appendix i: faqs 350 interoperability faqs question answer interoperability how does cc-sg integrate with blade chassis products? Cc-sg can support any device with a kvm or serial interface as a transparent pass-through. To what level is cc-sg able to integrate with third party kvm tools, down to th...
Page 369
Appendix i: faqs 351.
Page 370
352 the following keyboard shortcuts can be used in the java-based admin client. Operation keyboard shortcut refresh f5 print panel ctrl + p help f1 insert row in associations table ctrl + i appendix j keyboard shortcuts.
Page 371
353 this appendix includes information about the naming conventions used in cc-sg. Comply with the maximum character lengths when naming all the parts of your cc-sg configuration. In this chapter user information ....................................................................................353...
Page 372
Appendix k: naming conventions 354 field in cc-sg number of characters cc-sg allows audit information 256 location information field in cc-sg number of characters cc-sg allows department 64 site 64 location 128 contact information field in cc-sg number of characters cc-sg allows primary contact name...
Page 373
Appendix k: naming conventions 355 field in cc-sg number of characters cc-sg allows periods are converted to hyphens. Device description 160 device ip/hostname 64 username 64 password 64 notes 256 port information field in cc-sg number of characters cc-sg allows port name 32 associations field in cc...
Page 374: Messages
356 prior to version 4.0, cc-sg diagnostic console displays a number of messages on the screen each time when it boots up. These messages are standard linux diagnostic and warning messages and usually do not imply any system problems. The table offers a short introduction to a few frequent messages....
Page 375: Index
357 a about administrator console • 264, 271 about applications for accessing nodes • 207 about associations • 21 about cc-sg lan ports • 211, 212, 215 about cc-sg passwords • 237 about connection modes • 78, 219 about default applications • 209 about interfaces • 78, 219 about ldap and cc-sg • 173 ...
Page 376
Index 358 adding, editing, and deleting user groups • 84, 132 adding, editing, and deleting users • 136 administration • 355 administrator console • 271 administrator console screen • 272 advanced administration • 137, 138, 165, 169, 206 aes encryption • 234 all users data report • 185 allow concurr...
Page 377
Index 359 checking and upgrading application versions • 11, 207 checking the compatibility matrix • 11 clear the browser's cache • 202, 203, 336 clear the java cache • 202, 203, 208, 336 client browser requirements • 4 command tips • 255, 257 common csv file requirements • 24, 55, 113, 140, 333 conf...
Page 378
Index 360 delete a user • 138 delete a user group • 134 delete a virtual infrastructure • 96 delete a virtual machine node • 95, 96 delete an application • 209 delete an interface • 94, 109 delete control systems and virtual hosts • 95, 96 delete firmware • 211 deleting a device • 30, 39 deleting a ...
Page 379
Index 361 finding your cc-sg serial number • 261 flow for authentication • 161 g general faqs • 344 get help for ssh commands • 254 getting started • 10 grouping faqs • 349 h hide or show report filters • 182 how to create associations • 22 i ibm ldap configuration settings • xvi, 176 import categor...
Page 380
Index 362 notification manager • 245, 247 o older version of application opens after upgrading • xvi, 12, 208 openldap (edirectory) configuration settings • 176 p paragon ii system controller (p2-sc) • 67 pausing cc-sg's management of a device • 65 pc clients to cc-sg • 316 pc clients to nodes • 317...
Page 381
Index 363 save, upload, and delete device backup files • 63 saving and deleting backup files • 194, 196, 198 schedule a device firmware upgrade • 248, 250, 252 schedule a task • 170, 172, 248, 252 schedule a task that is similar to another task • 252 schedule disk tests • 298 schedule sequential tas...
Page 382
Index 364 user information • 353 user management • 13, 18 users and user groups • 50, 124, 129, 153, 162, 177, 178 users csv file requirements • xvi, 140 using chat • 111 using custom views in the admin client • 155 using reports • 180 v v1 environmental requirements • 310 v1 general specifications ...
Page 384
U.S./canada/latin america monday - friday 8 a.M. - 6 p.M. Et phone: 800-724-8090 or 732-764-8886 for commandcenter noc: press 6, then press 1 for commandcenter secure gateway: press 6, then press 2 fax: 732-764-8887 email for commandcenter noc: tech-ccnoc@raritan.Com email for all other products: te...