Safety Guidelines To avoid potentially fatal shock hazard and possible damage to Raritan equipment: • Do not use a 2-wire power cord in any product configuration. • Test AC outlets at your computer and monitor for proper polarity and grounding. •...
Check and Upgrade CC-SG Firmware Version
Check and Upgrade Application Versions
Power Down CC-SG
Compatibility Matrix
Chapter 3: Configuring CC-SG with Guided Setup
Prepare to Configure CC-SG with Guided Setup
Guided Setup Overview
Start Guided Setup:
Associations
...
Upgrade Device
Backup Device Configuration
Restore Device Configuration
Copy Device Configuration
Restart Device
Ping Device
Pause Management
Resume Management
Device Power Manager
Launch Admin
Topological View
Disconnect Users
Viewing Devices
Tree View
Custom View
Special Access to Paragon II System Devices
Paragon II System Controller (P2-SC)
...
Flow for Authentication
User Accounts
Distinguished Names for LDAP and AD
Username
Base DN
AD Configurations
Add AD Module to CC-SG
AD General Settings
AD Advanced Settings
AD Group Settings
AD Trust Settings
Edit AD Modules
Import AD User Groups
...
CIMs, and CIMs should be connected to the Raritan device BEFORE adding the device and configuring ports in CC-SG. Otherwise, a blank CIM name will overwrite the CC-SG port name. Servers need to be rebooted after connecting to a CIM. •...
• iLO/RILOE—Hewlett Packard’s Integrated Lights Out/Remote Insight Lights Out servers that can be managed by CC-SG. Targets of an iLO/RILOE device are powered on/off and recycled directly. iLO/RILOE devices cannot be discovered by CC-SG; they have to be manually added as nodes.
Chapter 2: Accessing CC-SG Once you have configured CC-SG with an IP address, the CC-SG unit can be placed at its final destination. Make all necessary hardware connections to make the unit operational. You can access CC-SG in several ways, each described in this chapter: •...
Figure 2 Thick Client IP Address Specification Window 5. Type the IP address of the CC-SG unit you want to access in the IP to Connect field. Once you have connected, this address will be available from the IP to Connect drop-down list.
Integration window when you installed the thick client, you can double-click the shortcut icon on your desktop to launch the thick client and access CC-SG. If you do not have a shortcut icon, you can create one at any time: search your client computer for AMcc.jnlp, and create a shortcut to that file.
Nodes, Users, and Devices Selection tabs. The menus and menu items you see are determined by your user access privileges. 6. Server time: The current time and time zone as configured on CC-SG in Configuration Manager. This time is used when scheduling tasks in Task Manager. Please refer to Task Management in Chapter 12: Advanced Administration for additional information.
Check IP Address, Firmware Version, and Application Versions After logging in, you should confirm the IP address, set the CC-SG server time, and check the firmware and application versions installed. You may need to upgrade the firmware and applications.
Note: Network Time Protocol (NTP) is the protocol used to synchronize the attached computer’s date and time data with a referenced NTP server. When CC-SG is configured with NTP, it can synchronize its clock time with the publicly available NTP reference server and maintain correct and consistent time.
5. In the Enter Maintenance Mode screen, type the message that will display to users who will be logged off CC-SG, and the number of minutes in which you want to enter maintenance mode in the corresponding fields, and then click OK.
Check and Upgrade Application Versions Check and upgrade the CC-SG applications, for example, Raritan Console (RC) and Raritan Remote Client (RRC). 1. On the Administration menu, click Applications. Figure 7 CC-SG Application Manager 2. Click the Application name drop-down arrow and select an application from the list. Note the number in the Version field.
Power Down CC-SG If a V1 unit loses AC power while it is up and running CC-SG, the V1 unit will remember its last power state. Once AC power is restored, the V1 unit automatically reboots. However, if a V1 unit loses AC power when it is powered off, the V1 unit will remain powered off when AC power is restored.
IP address and creating a CC-SG administrator account. Guided Setup Overview Guided Setup offers a simple way to complete initial CC-SG configuration tasks, once the system configuration is complete. The Guided Setup interface leads you through the process of defining Associations, discovering and adding devices to CC-SG, creating device groups and node groups, creating user groups, assigning policies and privileges to user groups, and adding users.
CC-SG and to devices and nodes. Associations You can set up Associations to help organize the equipment that CC-SG manages. Each Association includes a Category, which is the top-level organizational group, and its related Elements, which are subsets of a Category.
The second task of Guided Setup is Device Setup. Device Setup allows you to search for and discover devices in your network, and add those devices to CC-SG. When adding devices you may select one element per category to be associated with the device.
7. When the discovery is complete, a confirmation message pops up. Click OK in the confirmation message. 8. If CC-SG has discovered devices of the specified type and in the specified address range, the devices display in a table in the bottom section of the Discover Devices panel. You can click the black arrow at the top of the panel to hide the top section, expanding your view of the discovery results in the bottom section of the panel.
9. In the table of discovered devices, select the device you want to add to CC-SG, and then click Add. The Add Device panel opens. The Add Device panel is slightly different depending on the type of device you are adding.
20. If you want the Element to apply to the device and to the nodes connected to the device, check the Apply to Nodes checkbox. 21. If you want to add another device, click Apply to save this device, and then repeat the steps in this section to add additional devices.
b. In the Available list, select the device you want to add to the group, and then click Add to move the device into the Selected list. Devices in the Selected list will be added to the group.
Select Nodes a. Click the Select Nodes tab in the Add Nodes Groups panel. Figure 15 Guided Setup—Add Node Groups, Select Nodes b. In the Available list, select the node you want to add to the group, and then click Add to move the node into the Selected list.
Privileges and Policies that govern the access and activities of groups of users. Privileges specify which activities the members of the user group can perform in CC-SG. Policies specify which devices and nodes the members of the user group can view and modify. Policies are based on Categories and Elements.
5. In the Node Access section, you can specify whether you want the user group to have access to In band and Out of band nodes, and to Power Management functions. Check the checkboxes that correspond to the types of access you want to assign to the group. Figure 17 Add User Group--Privileges 6.
12. In the Username field, type the name that the user you want to add will use to log in to CC-SG. 13. Check the Login Enabled checkbox if you want the user to be able to log in to CC-SG.
20. Click the User Group drop-down arrow and select the user group to which you want to assign the user from the list. 21. If you want to add another user, click Apply to save this user, and then repeat the steps in this section to add additional users.
Raritan devices and nodes according to your chosen Category—Location, and its associated Elements—New York, Philadelphia, and New Orleans, in the CC-SG interface. The figure below shows a custom view created using this example. You can customize the CC-SG to organize and display your servers however you like.
As you add devices and nodes to CC-SG, you link them to your predefined categories and elements. When you create node and device groups and assign policies to them, you will use your categories and elements to define which nodes and devices belong in each group.
• Guided Setup combines many configuration tasks into an automated interface. Guided Setup is recommended for your initial CC-SG configuration. Once you have completed Guided Setup, you can always edit your configurations individually. Please refer to Configuring CC-SG with Guided Setup •...
2. Click Add in the Category panel to add a new category. The Add Category window appears. 3. Type a category name in the Category Name field. Maximum length is 31 characters. 4. Click the Value Type drop-down arrow to select a value type of String or Integer. 5.
Deleting a category deletes all of the elements created within that category. The deleted category will no longer appear in the Nodes or Devices trees once the screen refreshes or the user logs out and then logs back into CC-SG. 1. On the Associations menu, click Association. The Association Manager screen appears.
3. Click Add in the Elements For Category panel to add a new element. The Add Element window appears. 4. Type the new element name in the Enter Value for Element field. 5. Click OK to add the element or Cancel to exit the window. The new element appears in the Elements For Category panel.
3. Select the element to be deleted from the Element For Category list, and then click Delete in the Elements For Category panel. The Delete Element window appears. 4. Click Yes to delete the element or No to close the window. The element name is removed from the Element For Category list.
You must add Raritan devices, such as Dominion series devices and IP-Reach units, to CC-SG before you can use CC-SG to configure and manage them. The Devices menu offers all the functions related to devices and ports. You can also access some functions by right-clicking a device or port in the Devices tab, and selecting from the menu that appears.
Device and Port Icons For easier identification, KVM, Serial, and Power devices and ports have different icons in the Devices tree. Hold the mouse pointer over an icon in the Devices tree to view a tool tip containing information about the device or port. Device available KVM port available or connected KVM port inactive...
Search for Devices The Devices tab provides the ability to search for devices within the tree. Searching will only return devices as results and will not include port names. The method of searching can be configured through the My Profile screen described later in Chapter 7: Adding and Managing Users and User Groups.
Add a Device Devices must be added to CC-SG before you can configure ports or add Out-of-Band interfaces to Nodes through those ports. Add Device is used to add devices whose properties you know and can provide to CC-SG. To add a device to CC-SG: 10.
23. If the firmware version of the device is not compatible with CC-SG, a message will alert you and ask if you want to proceed. Click Yes to add the device to CC-SG. You can upgrade the device firmware after adding it to CC-SG. Please refer to Upgrade Devices later in this chapter.
Raritan devices on your network, including Paragon II System Controller, IP-Reach, Dominion KX, Dominion KX101, Dominion KSX, Dominion SX, and eRIC units. After discovering the devices, you may add them to CC-SG if they are not already managed.
11. If the firmware version of a device is not compatible with CC-SG, a message will alert you and ask if you want to proceed. Click Yes to add the device to CC-SG, or No to cancel the...
You can upgrade the device firmware after adding the device to CC-SG. Please refer to Upgrade Devices later in this chapter for additional information. Edit Device You can edit a device to rename it and modify its properties. 1. Click the Devices tab and select the device you want to edit. The Device Profile screen appears.
Successfully message confirms that the device has been deleted. Note: You must first pause KSX devices before they can be successfully deleted from CC-SG. To pause a KSX device, right-click the device in the Devices tab, and then click Pause Management.
Add Device screen, you can use the Configure Ports screen to add individual ports or a set of ports on the device to CC-SG. You must configure ports before any Out-of-Band interfaces using those ports can be added to nodes.
6. Click the Access Application drop-down menu and select the application you want to use when you connect to this port from the list. To allow CC-SG to automatically select the correct application based on your browser, select Auto-Detect.
Configure a KVM Port 1. Click the Devices tab and select a KVM device from the Devices tree. 2. On the Devices menu, click Port Manager, and then click Configure Ports. The Configure Ports screen appears. • Click a column header to sort the ports by that attribute in ascending order. Click the header again to sort the ports in descending order.
6. Click the Access Application drop-down menu and select the application you want to use when you connect to this port from the list. To allow CC-SG to automatically select the correct application based on your browser, select Auto-Detect.
4. Click OK to delete the selected port. A Port Deleted Successfully window confirms that the port has been deleted. Device Management Once a device has been added to CC-SG, several management functions besides configuring ports can be performed. Bulk Copy for Device Categories and Elements The Bulk Copy command allows you to copy the assigned categories and elements from one device to multiple other devices.
4. Click OK to upgrade the device. Upgrading SX and KX devices takes about 20 minutes. If the firmware version of the device is not compatible with CC-SG, a message will alert you and ask if you want to proceed. Please refer to Chapter 2: Accessing CC-SG for additional information.
Restore Device Configuration You can restore a previously backed-up device configuration to a device. 1. Click the Devices tab and select the device you want to restore to a backup configuration. 2. On the Devices menu, click Device Manager, Configuration, and then click Restore. The Restore Device Configuration screen appears.
Pause Management You can pause a device to temporarily suspend CC-SG control of it without losing any of the configuration data stored within CC-SG. 1. Click the Devices tab and select the device for which you want to pause CC-SG management.
Device Power Manager Device Power Manager is used to view the status of a PowerStrip device (including voltage, current, and temperature) as well as manage all power outlets on a PowerStrip device. As opposed to powering Nodes on and off individually, Device Power Manager provides a PowerStrip-centric view of its outlets.
Topological View Topological View displays the structural setup of all the connected appliances in your configuration. 1. Click the Devices tab and select the device whose topological view you want to see. 2. On the Devices menu, click Device Manager, and then click Topological View. The Topological View for the selected device appears.
3. Select the users whose session you want to disconnect in the Disconnect users table. 4. Click Disconnect to disconnect them from the device. Note: For Dominion SX devices only, you can disconnect users who are directly logged onto the device as well as those who are connected to the device via CC-SG.
Viewing Devices CC-SG offers different options for displaying devices in the Devices tab. Tree View Select Tree View to view devices in the Devices tree grouped in the default view. Selecting Tree View will also return you to the standard view from a Custom View. Please refer to Custom Views later in this chapter for additional information.
4. Click Set Current to arrange the Devices tree to reflect the selected custom view. 5. Click Set Default if you want the selected custom view to be displayed when logging into CC-SG. 6. Check Is System Wide to make this the default view for all users who are not viewing their own default Custom View.
2. On the Devices menu, click Change View, and then click Create Custom View. The Custom View screen appears. 3. In the Custom View panel, click Add. An Add Custom View window appears. 4.
Special Access to Paragon II System Devices Paragon II System Controller (P2-SC) Paragon II System Integration users can add their P2-SC devices to the CC-SG Devices tree and configure them via the P2-SC Admin application from within CC-SG. Please refer to Raritan’s Paragon II System Controller User Guide for additional information on using P2-SC Admin.
You can also perform administrative diagnostics on IP-Reach and UST-IP devices connected to your Paragon System setup directly from the CC-SG interface. After adding the Paragon System device to CC-SG, it appears in the Devices tree. To access Remote User Station Administration: 1.
Device Group Manager Use the Device Groups Manager screen to add device groups, edit device groups, and remove device groups. When you add a new device group, you can create a full access policy for the group.
2. Click the New Group icon Figure 58 Device Group: New Panel, Select Devices Tab 3. In the Group name field, type a name for a device group you want to create. 4. There are two ways to add devices to a group, Select Devices and Describe Devices. The Select Devices tab allows you to select which devices you want to assign to the group by selecting them from the list of available devices.
Describe Devices a. Click the Describe Devices tab in the Device Group: New panel. In the Describe Devices tab, you create a table of rules that describe the devices you want to assign to the group. b. Click the Add New Row icon c.
description only requires a single rule, then simply type that rule’s name in the field. If multiple rules are being evaluated, type the rules into the field using a set of logical operators to describe the rules in relation to each other: •...
Edit Device Group 1. On the Associations menu, click Device Groups. The Device Groups Manager window opens. Figure 60 Device Groups Manager Screen 2. Existing device groups display in the left panel. Select the Device Group whose name you want to edit. The Device Group Details panel appears. 3.
Delete Device Group 1. On the Associations menu, click Device Groups. The Device Groups Manager window opens. Figure 61 Device Groups Manager Screen 2. Existing device groups display in the left panel. Select the device group you want to delete. The Device Group Details panel appears.
4. The Delete Device Group panel appears. Click Delete. Figure 63 Delete Device Group Panel 5. Click Yes in the confirmation message that displays.
View Nodes In CC-SG, you can view all nodes in the Nodes tree, and select a node to view its Node Profile. Nodes Tree When you click the Nodes tab, the Nodes tree displays the available nodes. Nodes are displayed alphabetically by name, or grouped by their availability status.
VNC, or a piece of networking infrastructure with a remote serial management connection. You can manually add nodes to CC-SG after you have added the devices to which they are connected. However, nodes can also be created automatically, by checking the Configure all ports checkbox on the Add Device screen when you are adding a device.
2. On the Nodes menu, click Add Node. The Node Profile screen appears. 3. Type a name for the node in the Node Name field. All node names in CC-SG must be unique. 4. Optionally, type a short description for this node under the Description field.
2. Click the Interface Type drop-down menu and select the type of connection being made to the node: In-Band Connections • DRAC KVM: Select this item to create a KVM connection to a Dell DRAC server through the DRAC interface. You will be required to configure a DRAC Power interface afterwards.
For In-Band connections and DRAC, RSA, and iLO/RILOE power connections: Figure 66 Add Interface—In-Band iLO/RILOE KVM 1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field. 2. If necessary, type a TCP Port for this connection in the TCP Port field. 3.
2. Click the Raritan Device Name drop-down menu and select the Raritan device providing access to this node. Note, a device must be added to CC-SG first before appearing in this list. 3. Click the Raritan Port Name drop-down menu and select the port on the Raritan device providing access to this node.
2. Click the Power Strip Name drop-down menu and select the Power Strip that provides power to the node. The power strip must be configured in CC-SG before it will appear in this list.
For IPMI Power Control connections: Figure 69 Configuring an IPMI Power Control Interface 1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field. 2. Type a UDP Port for this interface in the UDP Port field. 3.
Connect to a Node Once a node has an interface, you can connect to that node through the interface in a number of ways. Please refer to Raritan’s CommandCenter Secure Gateway User Guide for additional information.
5. Click Yes to delete the interface. Ping a Node You can ping a node from CC-SG to make sure that the connection is active. 1. Click the Nodes tab, and then select the node you want to ping. 2. On the Nodes menu, select Ping Node. The ping results appear in the screen.
5. Select an existing node in the Interfaces table, and then click Edit or Delete to edit or delete that interface from the node. Please refer to the Edit an Interface or Delete an Interface section above for additional information on this procedure.
Chat Chat provides a way for users connected to the same node to communicate with each other. You must be connected to a node to start a chat session for that node. Only users on the same node will be able to chat with each other. To engage in a chat session: 1.
Figure 75 The Users Tree The Users Tree displays all of the User Groups and Users in CC-SG. Users are nested underneath the User Groups they belong to. User Groups with users assigned to them appear in the list with a + symbol next to them.
Special User Groups CC-SG is configured with three user groups by default: CC-Super User, System Administrators, and CC Users. CC Super-User Group The CC Super-User group has full administrative and access privileges. Only one user can be a member of this group.
Add User Groups Creating user groups first will help you organize users when they are added. When a user group is created, a set of privileges is assigned to the user group. Users that are assigned to that group will inherit those privileges.
Figure 77 The Policies Tab on the Add User Group Screen The All Policies table lists all the policies available on CC-SG. Each policy represents a rule allowing (or denying) access to a group of nodes. Please refer to Chapter 8: Policies for more information on policies and how they are created.
Edit A User Group Edit a User Group to change the existing privileges and policies for that group. Note: You cannot edit the Privileges or Policies of the CC-Super User group and the Users not in Group group.
After clicking OK, a status message will appear to confirm the successful deletion of the group. Add User Add users to a group to assign the user access privileges in CC-SG. A User’s ability to access nodes or manage devices will depend on what User Group they are added to.
7. In the New Password and Retype New Password fields, type the password that the user will use to log in to CC-SG. Note: If strong passwords are enabled, the password entered must conform to the established rules. The information bar at the top of the screen will display messages to assist with the password requirements.
4. Uncheck Login enabled if you want to prevent this user from logging in to CC-SG. Check Login enabled if you want to allow this user to log into CC-SG. 5. Check Remote Authentication only if you want the user to be authenticated by an external server, such as TACACS+, RADIUS, LDAP, or AD.
Delete Users From Group This command removes a selected user from the group they are selected under. This command will not remove the user from any other groups and will not delete the user from CC-SG. To delete a user from a group: 1.
4. On the Users menu, click User Manager, then Delete User From Group. The Delete User appears displaying the user and the group they will be removed from. Figure 84 Deleting a User From A Group 5. Click OK to delete the user from the group or click Cancel to exit without removing the user. Note: If you delete a user from a group and they do not belong to any other groups, the user will be added to Users Not In Group group.
7. When you are done editing your profile, click OK to save the changes or Cancel to exit without saving. Logout Users This command can be used to log active users out of CC-SG. It can also be used to log out all active users of a User Group. To log out users: 1.
Bulk Copy To save time, Bulk Copy can be used to clone one user’s privileges and policies to a number of other existing users by moving them to the same User Groups as the selected user. To perform a Bulk Copy: 1.
Configuring new policies to provide user access to nodes is optional, but central to making effective use of CC-SG’s ability to control that access. If you want to give all users access to all nodes, simply assign the Full Access Policy to all user groups.
Additionally, if you used the Associations manager to create categories and elements for nodes, some means to organize nodes along common attributes have already been created. CC-SG automatically creates default access policies based on these elements. Refer to Chapter 4: Associations for more details on creating categories and elements.
3. If viewing a group based on attributes, click View Nodes to display a list of nodes currently in the Node Group. A Nodes In Node Group window will appear displaying the nodes and all their attributes. Figure 89 Nodes in a Group Based on Attributes Add Node Groups To add a new Node Group:...
Select Nodes Figure 90 Adding Nodes Using Select Nodes 1. Click the Select Nodes tab. 2. Click the Device Name drop-down menu and select a device if you want to filter the Available list to only display nodes with interfaces from that device. 3.
Describe Nodes Figure 91 Describing a Node Group With Multiple Rules 1. Click the Select Nodes tab. 2. Click Add New Row to add a row in the table for a new rule. Rules take the form of an expression which can be compared against nodes.
4. If you want to add another rule, click Add New Row again, and make the necessary configurations. Configuring multiple rules will allow more precise descriptions by providing multiple criteria for evaluating nodes. 5. If you want to remove a rule, highlight the rule in the table, and then click Remove Row. 6.
Edit Node Group Edit a node group to change the membership or description of the group. To edit a node group: 1. On the Associations menu, click Node Group. The Node Groups Manager window displays. 2. Click the node you want to edit in the Node Group List to the left. The details of that node will appear in the Node Groups window.
Device Groups Device groups operate in a similar fashion to Node Groups, except that Device Groups are used to organize Raritan devices into sets for management by policies. Please refer to Chapter 5: Adding Devices and Device Groups, Device Group Manager for additional information.
Edit a Policy When you edit a policy, the changes do not affect users who are currently logged in to CC-SG. The changes will go into effect at the next login. If you need to make sure that your changes go into effect sooner, first enter Maintenance Mode, and then edit policies.
7. In the End Time field, type the time of day this policy ends. The time must be in 24-Hour format. 8. In the Device/Node Access Permission field, select Control to define this policy to allow access to the selected node or device group for the designated times and days. Select Deny to define this policy to deny access to the selected node or device group for the designated times and days.
4. If authentication is successful, local authorization is performed. CC-SG checks if the user name entered matches a group that has been created in CC-SG or imported from AD, and grants privileges per the assigned policy.
CC-SG cn=administrator,cn=users,dc=xyz,dc=com in username, if a CC-SG user is associated with an imported AD group, the user will be granted access with these credentials. Note that you can specify more than one common name, organizational unit, and domain component.
AD server. Once your AD server is configured as a module in CC-SG, CC-SG can query all domain controllers for a given domain. You can synchronize your AD modules in CC-SG with your AD servers to ensure that CC-SG has the most current authorization information on your AD user groups.
AD General Settings In the General tab, you add the information that allows CC-SG to query the AD server. 1. Type the AD domain you want to query in the Domain field. For example, if the AD domain is installed in the xyz.com domain, type xyz.com in the Domain field. CC-SG and the AD server you want to query must be configured either on the same domain or on different domains that trust each other.
LDAP connections is 636. 3. Check Secure Connection for LDAP if you want to use a secure channel for the connection. If checked, CC-SG uses LDAP over SSL to connect to AD. This option may not be supported by your AD configuration.
6. Specify the way in which the search query will be performed for the user entry. If you check Use Bind, CC-SG attempts to connect, or bind, to AD directly with the username and password supplied in the applet. However, if a username pattern is specified in Bind username pattern, the pattern will be merged with the username supplied in the applet and the merged username will be used to connect to the AD server.
Example dc=raritan,dc=com cn=Administrators,cn=Users,dc=raritan,dc=com The search query for the user in the 3. Type a user’s attributes in Filter so the search query for the user in the group will be restricted to only those entries that meet this criterion. For example, if you specify cn=Groups,dc=raritan,dc=com as the Base DN and (objectclass=group) as the Filter, then all entries that are in the Groups entry and are of type group will be returned.
AD modules to synchronize all groups and users in all modules. Please refer to User Groups Synchronize All AD Note: Make sure that you have configured the CC-SG DNS and Domain Suffix in Configuration Manager before attempting to import AD user groups. Please refer to Manager for additional information.
Select all to select all user groups for import. Click Deselect all to deselect all selected user groups.
5. In the Policies column, click the field and then select a CC-SG access policy from the list to assign the policy to the selected group. These policies should already be created; please refer to Chapter 8: Policies for additional information.
AD, and identifies the matches. CC-SG will present the matches and allow you to select which ones you want to import. This ensures that CC-SG has imported the most current AD user group information. CC-SG also automatically synchronizes all AD modules once per day.
If you have upgraded CC-SG from 3.0.2 to 3.1, you must reconfigure your AD modules before any of your AD users can log in to CC-SG. CC-SG 3.1 requires a DNS and Domain Name to be specified for each AD module. This configuration allows CC-SG to query all domain controllers for a given domain.
Once CC-SG starts and a username and password are entered, a query is forwarded either through CC-SG or directly to the LDAP server. If the username and password match those in the LDAP directory, the user is authenticated. The user will then be authorized against the local user groups on the LDAP server.
LDAP General Settings
1. Click the General tab.
2. Type the IP address or hostname of the LDAP server in the IP Address/Hostname field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
3.
5. Type the bind pattern in the Bind Username Pattern field. 6. Check Use bind if you want CC-SG to send the username and password entered at login to the LDAP server for authentication. If Use Bind is not checked, CC-SG will search the LDAP server for the user name, and if found, will retrieve the LDAP object and locally compare the associated password with the one entered.
1. Click the Advanced tab. 2. Click Browse, navigate to the certificate file you want to upload, and then click Open. 3. Click Accept to accept the certificate as trusted by CC-SG. Click Reject to remove the certificate. 4. If you want to delete a certificate, select the certificate, and then click Delete.
Add a TACACS+ Module
CC-SG users who are remotely authenticated by a TACACS+ server need to be created on the TACACS+ server and on CC-SG. The user name on the TACACS+ server and on CC-SG must be the same, although the passwords may be different. Please refer to Chapter 7: Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated.
TACACS+ General Settings
1. Type the IP address or hostname of the TACACS+ server in the IP Address/Hostname Name field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
Figure 108 TACACS+ General Settings
2.
CC-SG users who are remotely authenticated by a RADIUS server need to be created on the RADIUS server and on CC-SG. The user name on the RADIUS server and on CC-SG must be the same, although the passwords may be different. Please refer to Chapter 7: Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated.
RSA Authentication Manager, CC-SG can make use of two-factor authentication schemes with dynamic tokens. In such an environment, the user logs into CC-SG by first typing their username in the Username field. Then the user types their fixed password, followed by the dynamic token value in the Password field.
Establish Order of External AA Servers
In the General tab, you can set the order in which CC-SG will query the configured external AA servers. If the first checked option is unavailable, CC-SG will try the second, then the third, and so on, until it is successful.
The sorting value and column width you use become the default report view the next time you log in and run CC-SG reports. For all reports, you can double-click a row to view further details of the report.
Click Close to close the report.
Error Log Report
CC-SG stores error messages in a series of Error Log files, which can be accessed and used to help troubleshoot problems.
1. On the Reports menu, click Error Log. The Error Log screen appears.
Chapter 10: Generating Reports
• If you want to limit the report to a particular IP address’s activities, type the user’s IP address in the User IP address field.
4. Click OK to run the report. The report is generated, displaying data about activities that occurred during the designated time period that also comply with any additional parameters specified.
3. You can limit the data that the report will contain by entering additional parameters in the Message, Device name, Port name, Username, and User IP address fields. • If you want to limit the report by the message text associated with an activity, type the text in the Message field.
Availability Report
The Availability Report displays the status of all connections, showing devices by name and IP address. This report gives you the full accessibility picture for all devices on your system, and supplies information that could be useful for troubleshooting.
1.
1. On the Reports menu, click Users, and then click Active Users. The Active Users report is generated. • To disconnect a user from an active session in CC-SG, select the user name you want to disconnect, and then click Logout. •...
1. On the Reports menu, click Users, and then click Locked Out Users. Figure 120 Locked Out Users Report • To unlock a user who has been locked out of CC-SG, select the user name you want to unlock, and then click Unlock User. An •...
• The Enabled field displays true if the user is able to log in to CC-SG, or false if the user is not able to log in to CC-SG, based on whether the Login Enabled checkbox is checked in the User Profile.
Users in Groups Report
The Users In Group report displays data on users and the groups with which they are associated.
1. On the Reports menu, click Users, and then click Users In Groups. The Users In Groups report is generated.
1. On the Reports menu, click Users, and then click AD Users Group Report. The AD User Groups Report screen appears. 2. The AD Server list includes all AD servers that have been configured on CC-SG for both authentication and authorization. Check the checkbox that corresponds to each AD server you want CC-SG to include in the report.
Click Close to close the report.
Asset Management Report
The Asset Management report displays data on devices currently managed by CC-SG.
1. On the Reports menu, click Devices, and then click Asset Management Report. The Asset Management report is generated for all devices.
The Node Asset report displays node name, interface name and type, device name and type, and node group for all nodes under CC-SG management. You can also filter the report to include only data about nodes that correspond to a specified node group, interface type, device type, or device.
3. Click Apply to generate the report. The Node Asset Report generates.
• Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records. Click Print to print the records that are displayed in the current report page or Print All to print all records.
Click Print to print the records that are displayed in the current report page or Print All to print all records. Click Close to close the window.
• Click Close to close the report.
Node Creation Report
The Node Creation report lists all node creation attempts, both successful and unsuccessful, within a specified timeframe.
Query Port Report
The Query Port Report displays all ports according to port status.
1. On the Reports menu, click Ports, and then click Query Port. The Query Port screen appears.
2. In the Select port status section, check the checkboxes that correspond to the port statuses you want to include in the report.
4. Click Apply to generate the report. • Click the arrow icons at the bottom right of the report to navigate through multiple page reports. • Click Configure next to a New or Unused port in the report to configure it. •...
Please refer to Add a CC-NOC in Chapter 12: Advanced Administration for details. You can also purge targets from the CC-SG database from this report. 1. On the Reports menu, click CC-NOC Synchronization.
2. Select a Last Discovered Date, and then click Get Targets. The targets that were discovered on or earlier than the Last Discovered Date are displayed under Targets Discovered. • If you want to purge a target from the CC-SG database, select the target you want to purge, and then click Purge. •...
Figure 135 Enter Maintenance Mode 2. Type a Broadcast message or accept the default that is provided. This message will display to all logged in users to warn them that they will be logged off once CC-SG enters maintenance mode.
SG. This produces the largest sized backup files.
• Standard – Only creates a backup of critical Data on CC-SG. This backup includes CC-SG configuration information, Device and Node configurations and User configurations. This produces the smallest sized backup file.
Figure 137 Restore CommandCenter Screen 2. If you want to restore from a backup stored off of the CC-SG system, you will first need to upload it to make it available. Click Upload. An open dialog screen appears. You can retrieve the file from anywhere on your client’s network.
1. From the Available Backups table, select the backup you want to save to your PC.
2. Click Save to File. A Save dialog appears.
3. Specify a location to save your CC-SG backup file, then click Save. The backup file will be copied to your client PC.
The restart command is used to restart the CC-SG software. Restarting CC-SG will log all active users out of CC-SG. Note: Restart will not cycle power to the CC-SG. To perform a full reboot you will need to access the Diagnostic Console or the power switch on the unit itself.
Broadcast message field (for example, you might give users a brief time period to finish their tasks in CC-SG or tell them why you are restarting the system). All users will be disconnected when you restart CC-SG.
End CC-SG Session
Log Out
To exit CC-SG at the end of a session, or to refresh the database in case you or another user have made changes while you were logged in, log off from CC-SG entirely, then log in again.
3. Select Message of the Day Content if you want to type a message in CC-SG, or select Message of the Day File if you want to load the message from an existing file.
Application Manager
The Application Manager provides an interface for administrators to add access applications to CC-SG, edit existing applications and set the default application for accessing nodes on Raritan devices.
1. On the Administration menu, click Applications. The Application Manager screen appears.
6. In the Open dialog window, browse for the location of your application file (usually a .jar or .cab file), select the file, and then click Open. The selected application will then be loaded onto CC-SG.
Editing an Application:
1.
3. On the drop-down menu, select a default application to use when connecting to highlighted Interface or Port Type. If you select Auto-Detect, CC-SG will auto-detect the application based on the client browser. 4. After all default applications have been configured, click Update to save your selection to CC-SG.
Chapter 12: Advanced Administration
Firmware Manager
CC-SG stores firmware for Raritan devices in order to update the devices under its control. The firmware manager is used to upload and delete device firmware files to and from CC-SG.
Upload Firmware
This command allows you to upload different versions of firmware to your system. When new firmware versions become available, they are posted on the Raritan website.
Figure 151 Configuration Manager Network Settings Screen
3. Type the CC-SG hostname in the Host Name field. Please refer to Chapter 1 of this guide for hostname rules. Once Update Configuration is selected, the field will be updated to reflect...
When both NICs are used, a level of network redundancy is provided. For example, if LAN1 is connected and is receiving a Link Integrity signal, CC-SG uses this NIC for all communications. In the event of a LAN1 failure, if LAN2 is connected, CC-SG migrates the assigned (possibly by DHCP) IP address to LAN2.
While configuring both NICs, specify a default gateway address for only one NIC and leave the other blank. When a NIC fails, CC-SG attempts to route the packet from the other NIC based on the current IP routing table. This routing may not be successful, especially if firewalls are involved.
2. Click the Logs tab. Figure 154 Configuration Manager Logs Screen 3. To assign an external log server for CC-SG to use, type the IP address into the Server Address field under Primary Server. 4. Click the Level to Forward drop-down arrow and select an event severity level. All events of this level or higher will be sent to the logging server.
Purging CC-SG’s Internal Log:
The Logs tab can also be used to clear CC-SG’s log of events. This command only clears CC-SG’s log of events; it will not purge events recorded by external logging servers.
1. On the Administration menu, click Configuration. The Configuration Manager screen appears.
Note: Network Time Protocol (NTP) is the protocol used to synchronize the attached computer’s date and time data with a referenced NTP server. When CC-SG is configured with NTP, it can synchronize its clock time with the publicly available NTP reference server and maintain correct and consistent time.
2. Type the IP address of the CC-SG in the Server Address field. 3. Type the IP address of the client that will dial into CC-SG in the Client Address field. 4. If you are using call-back dialing, type the call-back number that CC-SG dials to connect to the client in the Client Phone field.
(dialed-in) side. Click OK to save the settings.
Configure the Dial-Up Connection
The following procedure illustrates creating an inbound dial-up connection to CC-SG from a Windows XP client machine:
1. On the start menu, click My Network Places.
Client phone under the Modem tab in Configuration Manager on CC-SG. 7. A smart card is not necessary to dial into CC-SG. If you are not using one, click Do not use my smart card for this connection, and then click Next.
Configure the Call-back Connection
If the CC-SG uses a call-back connection, you need to use a script file that is described below. To supply the script file for call-back:
1. On the Start menu, click My Network Places.
4. Type a username of ccclient and password of cbupass. Figure 165 Entering username and password 5. If not filled in already, enter the phone number used to connect to CC-SG. This is NOT the dial-back number. 6. Click Dial. If using call-back, the modem will dial CC-SG and then CC-SG will dial your client PC.
Connection earlier in this chapter, then a window similar to the one below will be displayed:
8. Wait 1 or 2 minutes and, in a supported browser, enter the IP address of CC-SG that was configured as the Server address under the Modem tab in Configuration Manager on CC-SG and log in to CC-SG.
Click the Direct Mode radio button to connect to a device directly. b. Click the Proxy Mode radio button to connect to a device via your CC-SG unit. c. Click the Both radio button if you want to connect to some devices directly, but others through Proxy Mode.
Because CC-SG pushes its own set of Raritan traps, you must update all SNMP managers with a custom MIB file that contains Raritan SNMP trap definitions. Please refer to Appendix D: SNMP Traps. This custom MIB file can be found on the CD included with your CC-SG unit and also under Firmware Upgrades on http://www.raritan.com/support.
5. Under Traps Configuration, check the box marked Enable SNMP Traps to enable sending SNMP traps from CC-SG to an SNMP host.
6. Check the checkboxes before the traps you want CC-SG to push to your SNMP hosts: Under Trap Sources, there is a list of SNMP traps grouped into two different categories:...
Devices in a CC-SG cluster must be aware of the IP of the Primary CC-SG node in order to be able to notify the Primary node of status change events. If the Primary node fails, the Secondary node immediately assumes all Primary node functionality.
4. Click Create Cluster. 5. Click Yes when prompted if you want to continue. The CC-SG you are currently using will become the Primary node and a default name will be provided unless you previously entered a name in the Cluster Name field.
Primary Nodes. You should then remove a Primary Node and reset it as a Secondary Node.
Remove Secondary CC-SG Node
1. To remove Secondary Node status from a CC-SG unit and reassign it to a different unit in your configuration, select the Secondary CC-SG Node in the Cluster Configuration table, and then click Remove “Backup”...
2. Click Advanced. The Advanced Settings window appears. Figure 172 Cluster Configuration Advanced Settings 3. For Time Interval, enter how often CC-SG should check its connection with the other node. Note: Setting a low Time Interval will increase the network traffic generated by heartbeat checks.
AES encrypted connections to CC-SG. Type the encryption key length you want to use in the Key Length field. The default key length is 128. 4. Type the port number for accessing CC-SG via SSH in the SSH Server Port field. Please refer to SSH Access to CC-SG, later in this chapter, for additional information.
Strong password rules require users to observe strict guidelines when creating passwords, which makes the passwords more difficult to guess and, in theory, more secure. Strong passwords are not enabled in CC-SG by default. In order to use strong passwords, administrators must first check Strong Passwords Required For All Users.
This feature applies to users who are authenticated and authorized locally by CC-SG and does not apply to users who are remotely authenticated by external servers. Please refer to Chapter 9: Configuring Remote Authentication for additional information. Failed login attempts due to insufficient user licenses also do not apply.
2. Click the Portal tab.
Logo
A small graphic file can be uploaded to CC-SG to act as a banner on the login page. The maximum size of the logo is 998 by 170 pixels.
To upload logo:
1. Click Browse in the Logo area of the Portal tab. An Open dialog appears.
Click Preview if you want to preview the text contained in the file. It will appear in the banner message field above. 3. Click Update to save your Restricted Service Banner changes to CC-SG. After your Logo and Restricted Service Agreement settings have been updated, they will appear on the login screen the next time a user accesses a client.
Private Key and submit it by clicking Export.
Generate Certificate Signing Request
The following explains how to generate a CSR and a private key on CC-SG. The CSR will be submitted to the Certificate Server, which will issue a signed certificate. A root certificate will also be exported from the Certificate Server and saved in a file.
2. Type the requested data for the CSR into the fields.
Figure 178 Generate Certificate Signing Request Screen
3. Click OK to generate the CSR or Cancel to exit the window. The CSR and Private Key appear in the corresponding fields of the Certificate screen.
10. Click Browse next to CA file: and select the root certificate file that was saved in Step 6. 11. Type raritan in the Password field if the CSR was generated by CC-SG. If a different application generated the CSR, use the password for that application.
2. Click the IP-ACL tab.
Figure 181 Security Manager IP-ACL Screen
3. To change the order of the line items in the Access Control List, select the line item, and then click Up or Down. Connecting users will be allowed or denied according to the first rule that applies (from top to bottom).
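The first-match ordering described above, as an added example that is not part of the Raritan guide: a top-to-bottom evaluator plus a check for rules that can never be the first match because earlier rules cover their whole range. The rule layout (start address, end address, action), the deny default for addresses that match no rule, and the sample ACL are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    start: IPv4Address
    end: IPv4Address
    action: str  # "allow" or "deny" (hypothetical representation)


def rule(start: str, end: str, action: str) -> Rule:
    """Build a rule, rejecting inverted ranges and unknown actions."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(lo, hi, action)


def evaluate(acl: List[Rule], client_ip: str,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); the first match wins."""
    addr = IPv4Address(client_ip)
    for index, r in enumerate(acl):
        if r.start <= addr <= r.end:
            return r.action, index
    # Assumption: the page does not say what happens when no rule matches.
    return default, None


def effective_ranges(acl: List[Rule],
                     index: int) -> List[Tuple[IPv4Address, IPv4Address]]:
    """Parts of rule `index` that no earlier rule covers, i.e. where it decides."""
    remaining = [(int(acl[index].start), int(acl[index].end))]
    for prev in acl[:index]:
        lo, hi = int(prev.start), int(prev.end)
        pieces = []
        for a, b in remaining:
            if hi < a or lo > b:          # no overlap, keep the piece whole
                pieces.append((a, b))
                continue
            if a < lo:                    # part below the earlier rule survives
                pieces.append((a, lo - 1))
            if hi < b:                    # part above the earlier rule survives
                pieces.append((hi + 1, b))
        remaining = pieces
    return [(IPv4Address(a), IPv4Address(b)) for a, b in remaining]


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never be the first rule that applies."""
    return [i for i in range(len(acl)) if not effective_ranges(acl, i)]


def move_up(acl: List[Rule], index: int) -> List[Rule]:
    """Model of selecting a line item and clicking Up once."""
    reordered = list(acl)
    if 0 < index < len(reordered):
        reordered[index - 1], reordered[index] = reordered[index], reordered[index - 1]
    return reordered


# Constructed sample: the deny for 10.0.5.x sits below a broader allow.
SAMPLE_ACL = [
    rule("10.0.0.0", "10.0.255.255", "allow"),
    rule("10.0.5.0", "10.0.5.255", "deny"),
    rule("0.0.0.0", "255.255.255.255", "deny"),
]

if __name__ == "__main__":
    print("before:", evaluate(SAMPLE_ACL, "10.0.5.20"), "shadowed:", shadowed_rules(SAMPLE_ACL))
    fixed = move_up(SAMPLE_ACL, 1)
    print("after: ", evaluate(fixed, "10.0.5.20"), "shadowed:", shadowed_rules(fixed))
```

Running the shadow check after every reorder catches a narrow deny that was placed below a broader allow and therefore never takes effect.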
6. Type the account name’s password in the Password and Re-enter Password fields. 7. Type a valid email address that will identify messages from CC-SG in the From field. 8. Type the number of times emails should be re-sent should the send process fail in the Sending retries field.
Reports that are scheduled are sent via email to the recipients that you specify. All reports that have a Finished status are stored on CC-SG for 30 days and can be viewed in HTML format by selecting Scheduled Reports under the Reports menu. Please refer to...
Create a New Task
To schedule a new task:
1. On the Administration menu, click Tasks. The Task Manager screen appears.
2. Click New.
3. In the Main tab, type a name (1-32 characters, alphanumeric characters or underscores, no spaces) and description for the task.
4.
9. Click the Retry tab. 10. If a task fails, CC-SG can retry the task at a later time as specified in the Retry tab. Type the number of times CC-SG should retry to execute the task in the Retry count field. Type the time that should elapse between retries in the Retry Interval field.
Add a CC-NOC
Note: To create a valid connection, the time settings on both the CC-NOC and CC-SG should be synchronized. The best method of achieving this synchronization is to use a common NTP (Network Time Protocol) server. For this reason, the CC-NOC and CC-SG are required to be configured to use an NTP server.
IP Range From and IP Range To fields. This IP range represents the range of addresses CC-SG is interested in and instructs CC-NOC to send events for these devices to CC-SG. This range is related to the discovery range that is configured in the CC-NOC. Please refer to Raritan’s CommandCenter NOC Administrator Guide for details.
1. On the Access menu, click CC-NOC Configuration. The CC-NOC Configuration screen appears. 2. Select the CC-NOC you want to delete from CC-SG, and then click Delete. You are prompted to confirm the deletion. 3. Click Yes to delete the CC-NOC. A CC-NOC Deleted Successfully message confirms that CC-NOC has been deleted.
To access CC-SG via SSH:
1. Launch an SSH client, such as PuTTY.
2. Specify the IP address of the CC-SG and specify 22 for the port, and open the connection. You can configure the port for SSH access in Security Manager Manager earlier in this chapter for additional information.
SSH Commands
The following table describes all commands available in SSH. You must be assigned the appropriate privileges in CC-SG to access each command.
activeports
    List active ports.
activeusers
    List active users.
backup device <[-host <host>] | [-id <device_id>]> backup_name [description]
    Backup device configuration.
You can create an SSH connection to an SX device to perform administrative operations on the device. Once connected, the administrative commands supported by the SX device are available. Note: Before you connect, ensure that the SX device has been added to the CC-SG. 1. Type to ensure the SX has been added to CC-SG.
Exit a Session
To exit the entire SSH connection to CC-SG, type
Figure 188 Listinterfaces in SSH
to connect to the node associated with the interface.
DESCRIPTION
Terminates connection and returns to SSH prompt.
Gets Write Access. Allows SSH user to execute commands at target server while browser user can only observe proceedings.
1. Launch an SSH client, such as PuTTY, on a client PC that has network connectivity to the CC-
2. Specify the IP address, or IP hostname (if CC-SG has been registered with a DNS server) of the CC-SG, and specify 23 for the port.
This screen dynamically displays information about the health of the system and whether CC-SG and its sub-components are working.
• The time in the upper-right corner of the screen is the last time at which the CC-SG data was polled.
•...
password. Please refer to Diagnostic Console Passwords (Admin) later in this chapter for additional information on setting password strength.
3. The main Administrator Console screen appears. You can perform initial system network interface configuration, edit Message of the Day in the Status window, and view log files. The File Menu provides a means of leaving the Administrator Console:
Navigating Administrator Console
The following table provides the various navigation means within the Diagnostic Console menus.
Diagnostic Console from the port. For SSH clients, you can also configure which port number should be used, as long as no other CC-SG service is using the desired port. To edit Diagnostic console configuration: 1.
In Network Interface Configuration, you can perform initial setup tasks, such as setting the hostname and IP address of the CC-SG. Click with the mouse or use the TAB and arrow keys to navigate. Press the Enter key to select a value.
8. Repeat these steps for the second network interface if you selected Active/Active Mode. 9. Select Save to save your changes. CC-SG will restart, logging off all CC-SG GUI users and terminating their sessions. A Warning screen will be presented informing of the impending...
1. Click Operation, Network Interfaces, and then click Ping. 2. Enter the IP address or hostname (if DNS is appropriately configured on the CC-SG) of the target you want to check in the Ping Target field.
2. Enter the IP address or hostname of the target you wish to check in the Traceroute Target field.
3. Optionally, select:
OPTION
Verbose
No DNS Resolution
Use ICMP (vs. normal UDP)
4. Optionally, type values for how many hops the traceroute command will use in outgoing probe packets (default is 30), the UDP destination port to use in probes (default is 33434), and the size for the traceroute packets.
1. Click Operation, Admin, then System Logfile Viewer. 2. The Logviewer screen is divided into 4 main areas (see screen below): • List of Logfiles currently available on the system. If list is longer than the display window, the list can be scrolled using the arrow keys. •...
Use Default Color Scheme Use Default Filters Export View
When View is selected with Individual Windows, the LogViewer displays:
Figure 198 Selecting Log Files to View
4. While viewing log files, type q, CTRL-Q or CTRL+C to return to the previous screen.
5.
6. Type i for info to display system information.
Note: System load is static as of the start of this Admin Console session – use the TOP utility to dynamically monitor system resources.
Figure 200 Displaying Information
7.
9. Select F1 to get help on all LogViewer options. Pressing CTRL+C and CTRL+Q terminates this LogViewer session.
Restarting CC-SG (Admin)
You can restart CC-SG, which will log off all current CC-SG users and terminate their sessions to remote target servers.
Important: It is HIGHLY recommended to restart CC-SG in the CC-SG GUI instead, unless it is absolutely necessary to restart it here.
Figure 203 Restarting CC-SG in Diagnostic Console
Rebooting CC-SG (Admin)
This option will reboot the entire CC-SG, which simulates a power cycle. Users will not receive a notification. CC-SG, SSH, and Diagnostic Console users (including this session) will be logged off.
SSH, and Diagnostic Console users (including this session) will be logged off. Any connections to remote target servers will also be terminated. The only way to power the CC-SG unit back on is to press the power button on the front panel of the unit.
Figure 206 Admin Password Reset for CC-SG GUI in Diagnostic Console
Resetting CC-SG Factory Configuration (Admin)
This option will reset all or parts of the CC-SG system back to their factory default values. All active CC-SG users will be logged off without notification, and SNMP processing will stop. It is highly recommended that CC-SG be placed in Maintenance Mode prior to initiating this operation.
Factory Default values. This option is only valid and effective if the previous option is also selected. As the CC-SG Database is being rebuilt (in the previous option), the following values will be migrated to the new version of the Database (if they can be read and are available;...
Account Configuration menu. The operation in these menus only applies to Diagnostic Console accounts (status and admin) and passwords – it has no effect on the regular CC-SG GUI accounts or passwords.
3. Select either Regular, Random, or Strong for the admin and status (if enabled) passwords.
PASSWORD SETTING
Regular
These are standard. Passwords must be longer than 4 characters with few restrictions. This is the system default password configuration.
New Password
Displaying Disk Status (Utilities)
This option displays status of CC-SG disks, such as size of disks, if they are active and up, state of the RAID-1, and amount of space currently used by various file systems.
To display disk status of the CC-SG:
1.
The status of both md0 and md1 arrays are [UU]).
Displaying Top Display (Utilities)
This option displays the list of processes and their attributes that are currently running on CC-SG, as well as overall system health.
Displaying NTP (Network Time Protocol) Status (Utilities)
This option displays the status of the NTP time daemon if it is configured and running on CC-SG.
To display status of the NTP daemon on the CC-SG:
1. Click Operation, Utilities, and then click NTP Status Display.
Appendix A: Specifications (G1, V1, and E1)
G1 Platform
General Specifications
Form Factor
Dimensions (DxWxH)
Weight
Power
Mean Time Between Failure (MTBF)
KVM Admin Port
Serial Admin Port
Console Port
Hardware Specifications
Processor
Memory
Network Interfaces
Hard Disk &...
V1 Platform
General Specifications
Form Factor
Dimensions (DxWxH)
Weight
Power
Operating Temperature
Mean Time Between Failure (MTBF)
KVM Admin Port
Serial Admin Port
Console Port
Hardware Specifications
Processor
Memory
Network Interfaces
Hard Disk & Controller
CD/ROM Drive
Environmental Requirements
Humidity
Altitude
Vibration
Shock...
E1 Platform
General Specifications
Form Factor
Dimensions (DxWxH)
Weight
Power
Operating Temperature
Mean Time Between Failure (MTBF)
KVM Admin Port
Serial Admin Port
Console Port
Hardware Specifications
Processor
Memory
Network Interfaces
Hard Disk & Controller
CD/ROM Drive
Environmental Requirements
Humidity
Altitude...
CC-SG and its associated components is provided. For those customers who just want to know what ports to open on a firewall to allow access to CC-SG and the targets that it controls, the following ports should be opened:...
CC-SG and Raritan Devices A main role of CC-SG is to manage and control Raritan devices (for example, Dominion KX, KSX, etc.). Typically, CC-SG communicates with these devices over a TCP/IP network (local,...
Each CC-SG in the cluster may be on a separate LAN. However, the inter-connection between the units should be very reliable and not prone to periods of congestion.
Communication Direction      Port Number
CC-SG → Local Broadcast      10000
CC-SG → Remote LAN IP        10000
CC-SG ↔...
The first mode is the primary means for users and administrators to connect to CC-SG. The other two modes are less frequently used. These modes require the following networking configuration:
Communication Direction      Port Number
Client → CC-SG GUI
Client →...
1088, 1098, 2222, 4444, 4445, 8009, 8083 and 8093 In addition to these ports, CC-SG may have a couple of TCP and UDP ports in the 32xxx (or higher) range open. External access to these ports is not required and can be blocked.
Security and Open Port Scans
As part of the CC-SG Quality Assurance process, several open port scanners are applied to the product and Raritan makes certain that its product is not vulnerable to these known attacks. All the open or filtered/blocked ports are listed in the above sections. Some of the more common...
Appendix C: User Group Privileges > S MENU Secure Gateway This menu is available for all users. My Profile Message of the Day Print Logout Exit Users This menu and the User tree are available only for users with the User Management privilege.
> S MENU >> Configuration >> Backup >> Restore >> Copy Configuration > Restart Device > Ping Device > Pause Management > Device Power Manager > Launch Admin > Launch User Station Admin > Disconnect Users Required Privilege Upgrade Management...
> S MENU > Topological View > Change View > Create Custom View Device, Port and > Tree View > Port Manager > Connect > Configure Ports > Bookmark Port > Disconnect Port > Bulk Copy >...
> S MENU Nodes This menu and the Nodes tree is available only for users with any one of the following privileges: Device, Port and Node Management Node In-Band Access Node Out-of-Band Access Node Power Control Add Node (Editing Nodes) Delete Node <interfaceName>...
> S MENU > Show Chat Session > End Chat Session > Change View > Create Custom View Any of the > Tree View Associations This menu is available only for users with the User Security Management privilege >...
> S MENU Reports This menu is available for all users. Audit Trail Error Log Access Report Availability Report > Users > Active Users > Locked Out Users > User Data > Users in Groups > Group Data > AD Users Group Report >...
> S MENU CC-NOC Synchronization Access CC-NOC Configuration Administration This menu is available only for users with one of the following privilege(s): CC Setup and Control Combination of Device, Port and Node Management, User Management, and User Security Management Guided Setup Message of the Day Setup...
> S MENU > Exit Maintenance Mode View Window Help *None means that no particular privilege is required. Any user who has access to CC-SG will be able to view and access these menus and commands. Required Privilege...
CC-SG user authentication failure CC-SG detected a LAN Card Failure CC-SG detected a hard disk failure CC-SG detected a connection failure to a leaf node CC-SG detected a leaf node that is reachable CC-SG detected a device with incompatible firmware...
Appendix E: Troubleshooting • Launching CC-SG from your web browser requires a Java plug-in. If your machine has an incorrect version, CC-SG will guide you through the installation steps. If your machine does not have a Java plug-in, CC-SG cannot automatically launch. In this case, you must uninstall or disable your old Java version and provide serial port connectivity to CC-SG to ensure proper operation.
Appendix F: Two-Factor Authentication As part of CC-SG RADIUS-based remote authentication, CC-SG can be configured to point to an RSA RADIUS Server that supports two-factor authentication via an associated RSA Authentication Manager. CC-SG acts as a RADIUS client and sends user authentication requests to the RSA RADIUS Server.
Is the status of CC-SG limited by the status of the devices which it proxies?
No. Because CC-SG software resides on a dedicated server, even if a device being proxied by the CC-SG is turned off, you will still be able to access CC-SG.
can be created for CC-SG?
Check your licensing restrictions. There is no specified limit to the number of user accounts that can be created for CC-SG, but the number is not limitless. The size of the database, the performance of the processor, and the amount of memory on the hosting server will determine how many user accounts can actually be created.
log on, I receive a message that states my “login is incorrect”
There is a session-specific ID that is sent out each time you begin to log on to CC-SG. This ID has a time-out feature, so if you do not log on to the unit before the time-out occurs, the...
CC-SG. If, instead, the CIM is moved to another server, an administrator must rename it. Interoperability How does CC-SG integrate...
(for example, COM2): What happens to the logging, does CC-SG capture local...
(Linux) upon which CC-SG is running. Syslog will record such an event, but what the user types at the CC-SG console itself will be lost.
Appendix H: Keyboard Shortcuts The following keyboard shortcuts can be used in the Director Client. Operation Refresh Print panel Help Insert row in Associations table 255-80-5140-00 Keyboard Shortcut Ctrl + P Ctrl + I...
North American Headquarters Raritan Raritan U.K. 400 Cottontail Lane 36 Great St. Helen's Somerset, NJ 08873 London EC3A 6AP,United Kingdom U.S.A. Tel. (44) 20-7614-7700 Tel. (732) 764-8886 Fax (44) 20-7614-7701 or (800) 724-8090 Email: sales.uk@raritan.com Fax (732) 764-8887 Website: Raritan.co.uk Email: sales@raritan.com Website: Raritan.com Raritan Italy...