SEPTEMBER 2003 LS1016A LS1032A BLACK BOX ® Advanced Console Server Version 2.1.4 Revision 1a User Guide CUSTOMER...
This manual is published by Black Box Corporation, which reserves the right to make improvements or changes in the products described in this manual as well as to revise this publication at any time and without notice to any person of such revision or change.
Local and Wide Area Networking. UNIX and Linux users will find the configuration process very familiar. It is not necessary to be a UNIX expert, however, to get the BLACK BOX ® Advanced Console Server up and running. There are two audiences or user levels for this...
• Appendix B - Cabling, Hardware, and Electrical Specifications has detailed information and pinout diagrams for cables used with the BLACK BOX ® Advanced Console Server.
• Appendix C - The pslave Configuration File contains example files for the various configurations as well as the master file.
Preface
• Appendix H - Web User Management covers default and optional configuration, and the addition/deletion of users, groups, and access limits.
• Appendix I - Connect to Serial Ports from Web enables this process, based on how the serial port is configured.
•...
Steps A, B, C, etc. are nested within Steps 1, 2, 3, etc. For example:
Step 1: Modify files. You will modify four Linux files to let the BLACK BOX ® Advanced Console Server know about its local environment.
Step A: Modify pslave.conf.
Example: ls [OPTION]... [FILE]...
Pipes: The pipe (|) indicates that one of the words separated by this character should be used in the command. Example: netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w]
When a configuration parameter is defined, the Linux command syntax conventions will also be used, with a difference.
Do not ignore this information. DANGER! Indicates a direct danger which, if not avoided, may result in personal injury or damage to the system. Security Issue. Indicates security-related information where it is relevant. BLACK BOX ® Advanced Console Server...
Command Line Interface (CLI) - only for certain configuration parameters With the BLACK BOX ® Advanced Console Server set up as a Console Access Server, you can access a server connected to the BLACK BOX ® Advanced Console Server through the server’s serial console port from a workstation on the LAN or WAN.
Introduction and Overview What’s in the box There are several models of the BLACK BOX ® Advanced Console Server. Black Box will ship either Cable Package #1 or #2 with the product according to current availability. RJ-45 to DB-9 F...
Figure 3: The BLACK BOX ® Advanced Console Server 32-Port, its cables, connectors and other box contents (Cable Package #1, Cable Package #2, Manual)
Figure 4: The BLACK BOX ® Advanced Console Server 16-Port, its cables, connectors and other box contents (Cable Package #1, Cable Package #2, Manual)
Safety Instructions Read all the following safety guidelines to protect yourself and your BLACK BOX ® Advanced Console Server. DANGER! In order to avoid shorting out your BLACK BOX ® Advanced Console Server when disconnecting the network cable, first unplug the cable from the BLACK BOX ® Advanced Console Server and then from the network jack.
AWG. Working inside the BLACK BOX ® Advanced Console Server Do not attempt to service the BLACK BOX ® Advanced Console Server yourself, except when following instructions from Black Box Technical Support personnel. In the latter case, first take the following precautions: Turn the BLACK BOX ®...
Battery WARNING: There is the danger of explosion if the battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions. WARNING: There is a danger of explosion if the wrong battery is inserted.
FCC Warning Statement The BLACK BOX ® Advanced Console Server has been tested and found to comply with the limits for Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
If an extension cord must be used, use one that has three wires with a grounding plug. Important! To protect the BLACK BOX ® Advanced Console Server from fluctuations in the electrical current, use a backup power source.
Working inside the BLACK BOX ® Advanced Console Server Do not attempt to service the BLACK BOX ® Advanced Console Server yourself, unless under the direction of Black Box Technical Support. If that is the case, take the following precautions: Turn off the BLACK BOX ®...
Battery Danger! A new battery can explode if it is not installed correctly. Replace the battery only when necessary and only with the same type recommended by the battery manufacturer. Dispose of the battery according to the battery manufacturer's instructions.
Introduction Chapter 2 - Installation, Configuration, and Usage This chapter will allow you to install and configure the BLACK BOX ® Advanced Console Server as the default CAS configuration. Please read the entire chapter before beginning. A basic installation and configuration should take a half hour at the most, either done manually or with the Wizard.
DHCP enabled (if there is no DHCP Server, IP for Ethernet is 192.168.160.10 with a Netmask of 255.255.255.0)
• CAS configuration
• socket_server in all ports (access method is telnet)
• 9600 bps, 8N1
• No Authentication
Advanced Console Server, NameServer, and Gateway: Administrator can supply you with these. If there is outside access to the LAN that the BLACK BOX ® Advanced Console Server will be connected with, you will need the gateway IP address as well.
There are eight key tasks that you will need to perform to install and configure the BLACK BOX ® Advanced Console Server: Task 1: Connect the BLACK BOX ® Advanced Console Server to the Network and other Devices. Task 2: Configure the COM Port Connection and Log In.
Chapter 3 - Additional Features. Custom Wizard Further configuration of the BLACK BOX ® Advanced Console Server can be done through one of several customized wizards. These procedures are explained under their respective topic heading in Chapter 3 - Additional Features.
This Quick Start gives you all the necessary information to quickly configure and start using the BLACK BOX ® Advanced Console Server as a Console Access Server (CAS). The complete version of this process is listed later in this chapter under The Installation and Configuration Process.
Chapter 2 - Installation, Configuration, Usage Step 2: Power on the BLACK BOX ® Advanced Console Server. After the BLACK BOX ® Advanced Console Server finishes booting, you will see a login prompt on the console screen. Step 3: Enter root as login name and tslinux as password.
From there, either select to continue configuration using the vi editor or use the browser or CLI method (if appropriate). The BLACK BOX ® Advanced Console Server is now configured as a CAS with its new IP address, with no authentication, and accepting telnet to the serial ports. You can telnet the CAS IP + serial port 1 with the following command: telnet <IP assigned by DHCP Server or by you>...
Configuration using a Web browser The BLACK BOX ® Advanced Console Server comes with DHCP client enabled. If you have a DHCP Server installed on your LAN, you can skip Step 2 below. If not, the DHCP request will fail and an IP address pre-configured on the Console server’s Ethernet interface...
Step 4: Enter root as login name and tslinux as password. Step 5: Click the Submit button. This will take you to the Configuration & Administration Menu page, shown in the following figure:
Figure 6: Configuration & Administration Menu page (includes a link for changing the password)
This page gives a brief description of all menu options. A menu of links is provided along the left side of the page. A summary of what each link leads to is shown in Table 3: Configuration Section through...
The configuration was saved in flash. The new configuration will be valid and running. The BLACK BOX ® Advanced Console Server is now configured as a CAS with its assigned (by DHCP Server or you) IP address, with no authentication, and accepting telnet to the serial ports.
Table 3: Configuration Section (Link Name: Description of Page Contents)
Configuration: This section contains the configuration tools
General: Unit Description, Ethernet, DNS, Name Service Access, Data Buffering
Syslog: Configuration for the syslog-ng
SNMP: Configuration for the SNMP server
Serial Ports: Configuration of Portslave package
[link name not captured]: Configuration of User Groups for Serial Ports...
[link name not captured]: Resets the equipment
Download/Upload Image: Uses an FTP server to load/save a kernel image
Load/Save Configuration: Uses flash memory or an FTP server to load or save the BLACK BOX ® Advanced Console Server’s configuration
[first word not captured] Configuration: Makes the configuration changes effective
[link name not captured]: Set the BLACK BOX ®...
System Information: Shows information about the kernel, time, CPU, and memory
Note: The link Connect to Serial Ports is only available for all BLACK BOX ® Advanced Console Server models. See “Appendix I - Connect to Serial Ports from Web” on page 415.
Configuration using Telnet The BLACK BOX ® Advanced Console Server comes with DHCP client enabled. If you have a DHCP Server installed on your LAN, you can skip Step 2 below. If not, the DHCP request will fail and an IP address pre-configured on the Console server’s Ethernet interface...
Step 4: Enter root as login name and tslinux as password. Step 5: Type wiz and press Enter. A Configuration Wizard screen will appear on your telnet screen, asking you a series of questions.
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********...
DHCP and assigned an IP address. Don’t worry! The new configuration will be valid. The BLACK BOX ® Advanced Console Server is now configured as a CAS with its assigned (by DHCP or you) IP address, with no authentication, and accepting telnet to the serial ports.
The Installation and Configuration Process Task 1: Connect the BLACK BOX ® Advanced Console Server to the Network and other Devices
Power Users: Connect a PC or terminal to the BLACK BOX ® Advanced Console Server using the console cable.
PC (or another terminal) to the BLACK BOX ® Advanced Console Server via an Ethernet connection in order to manage the BLACK BOX ® Advanced Console Server. The workstation used to access the BLACK BOX ® Advanced Console Server through telnet or ssh uses a LAN connection.
Your workstation and BLACK BOX ® Advanced Console Server must be on the same physical LAN. Connect one RJ-45 cable from the Ethernet port of the BLACK BOX ® Advanced Console Server to the hub, and another from the hub to the workstation used to manage the servers.
Your PC, considered here to be a “dumb terminal,” should be configured to use 9600 bps, 8 data bits, no parity, 1 stop bit, and no flow control (as shown in the following figure).
Step 3: Power on the BLACK BOX ® Advanced Console Server. Step 4: Click OK on the Properties window. You will see the BLACK BOX ® Advanced Console Server booting on your screen. After it finishes booting, you will see a login prompt.
When the BLACK BOX ® Advanced Console Server finishes booting, a prompt will appear (a flashing underline cursor) in your HyperTerminal window. You will modify the following Linux files to let the BLACK BOX ® Advanced Console Server know about its local environment:...
Figure 11: Contents of the /etc/hosts file
127.0.0.1 localhost
192.168.160.10 LS1016A
129.6.15.28 ntphost
(Replace LS1016A to match the hostname from the previous step; obtain the IP address from your System Administrator.)
Step 5: Modify /etc/resolv.conf. This file must contain the domain name and nameserver information for the network.
The BLACK BOX ® Advanced Console Server has support for shadow password, but it is not active by default. To activate shadow password follow the steps listed below: Step A: Create an empty file called /etc/shadow.
Task 4: Edit the pslave.conf file This is the main configuration file (/etc/portslave/pslave.conf) that contains most product parameters and defines the functionality of the BLACK BOX ® Advanced Console Server. Only three parameters need to be modified or confirmed for a basic configuration: •...
Appendix (pslave.conf.cas, etc.) as reference.
conf.eth_ip: This is the IP address of the Ethernet interface. Use it if you don’t have a DHCP Server in your LAN. An example value would be: 200.200.200.1
all.authtype: This parameter controls the authentication required by the BLACK BOX ® Advanced Console Server. The authentication required by the device to which the user is connecting is controlled separately. There are several authentication type options: none (no authentication) •...
OK. If there is no reply see Appendix E - Software Upgrades and Troubleshooting. Step 2: Telnet to the server connected to the first port of the BLACK BOX ® Advanced Console Server. (This will only work if you selected socket_server as your all.protocol parameter.)
While still in the DOS window, type the following and then press Enter: telnet <IP assigned to the BLACK BOX ® Advanced Console Server by DHCP or you> 7001 An example would be: telnet 192.168.160.10 7001 If everything is configured correctly, a telnet session should open on the server connected to port 1.
<CAS hostname> is the hostname configured in the workstation where the telnet client will run (through /etc/hosts or DNS table). It can also be just the IP address of the BLACK BOX ® Advanced Console Server (Ethernet interface) configured by the user or learned from DHCP.
<CAS hostname> is the hostname configured in the workstation where the ssh client will run (through /etc/hosts or DNS table). It can also be just the IP address of the BLACK BOX ® Advanced Console Server (Ethernet interface) configured by the user or learned from DHCP.
(whenever necessary). To exit the session, select “Disconnect” from the Java window. See the Step-by-Step Process section of Appendix I - Connect to Serial Ports from Web for more details.
Chapter 3 - Additional Features
Introduction
After the Configuration Wizard section in this chapter, each of the following sections is listed alphabetically and shows how to configure the option using vi, the custom Wizard (when available), browser, where appropriate, and the Command Line Interface (CLI), when available.
The configuration wizard application is a quicker and easier way to configure the BLACK BOX ® Advanced Console Server. It is recommended that you use this application if you are not familiar with the vi editor or if you just want to do a quick installation of the BLACK BOX ®...
• Either just press the ENTER key to execute whatever is in between the brackets, or
• Type n to NOT reset the current configurations to the Black Box defaults, or
• Type y to reset to Black Box default configurations.
Step 4: Enter Hostname and then press the Enter key. This is an alias for your BLACK BOX ® Advanced Console Server that allows you to refer to the BLACK BOX ® Advanced Console Server by this name rather than its IP address.
Step 6: If DHCP client is disabled, enter IP Address of your BLACK BOX ® Advanced Console Server and then press the Enter key. If the DHCP client is enabled, skip this step. This question will only appear if DHCP client is disabled.
As directed by the prompt, type c to go back to the very beginning of this application to change the parameters. Type q to exit. Step 14: If you typed y in Step 11, choose whether to activate your configurations.
Step 16: Type 'y' if you want to save to flash. Type 'n' if you don't want to save to flash. You can now continue BLACK BOX ® Advanced Console Server configurations using the Web browser by typing in the IP address of the BLACK BOX ® Advanced Console Server.
Port Speed
• First RADIUS/TacacsPlus Authentication Server
• First Accounting Server
• RADIUS/TacacsPlus secret
• Protocol (if the protocol is Socket SSH, Socket Telnet, or Socket Raw)
• Socket Port (keep the “Incremented” option on)
Access method is how a user accesses a server connected to one of the serial ports on the BLACK BOX ® Advanced Console Server (CAS profile) or how a user connected to one of the serial ports accesses a server in the network (TS profile or Dial-In profile).
Access Method
all.ipno: This is the default IP address of the BLACK BOX ® Advanced Console Server's serial ports. Any host can access a port using its IP address as long as a path to the address exists in the host's routing table.
TCP connection keep-alive timer. If no traffic passes through the BLACK BOX ® Advanced Console Server for this period of time, the BLACK BOX ® Advanced Console Server will send a line status message to the remote device to see if the connection is still up.
Figure 13: Port Selection page
Step 4: Select port(s). On the Port Selection page, choose all ports or an individual port from the dropdown menu. This will take you to the Serial Port Configuration page.
Step 5: Click the CAS profile button. Click the CAS profile button in the wizards section. The default CAS profile parameters are now loaded. Step 6: Scroll down to the Profile section. You can change the settings for all.ipno, all.socket_port, and all.protocol in this section.
Go to the link Administration > Load/Save Configuration and click the Save to Flash button. Wizard Method Step 1: Bring up the wizard. At the command prompt, type the following to bring up the Access Method custom wizard: wiz --ac cas
This will bring up Screen 1:
Screen 1:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
INSTRUCTIONS for using the Wizard: You can: 1) Enter the appropriate information for your system and press ENTER.
The '+' after the numerical value causes the interfaces (or ports) to be numbered consecutively. (e.g. interface 1 of your system is assigned port 7001, interface 2 has the value 7002, etc.)
all.socket_port[7001+] :
Screen 4:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.PROTOCOL - The possible protocols are telnet, ssh1/ssh2, or raw data. (e.g.
CONF.GROUP - Used to combine users into a group. This simplifies the parameter, all.users. You can define more than one group. (e.g. groupName: user1, user2)
conf.group[#] :sales: john, jane
Would you like to create another group? (y/n) [n] :
Screen 7:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
************************************************************
Current configuration: (The ones with the '#' means it's not activated.)
all.ipno : #
all.socket_port : 7001+
all.protocol : socket_server...
In that case, please reconnect to the unit by the new IP address, and manually issue a saveconf to save your configurations to flash.)
Do you want to activate your configurations now? (y/n) [y] :
Screen 10:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time;...
To configure users: config configure line <serial port number> users <string>
To configure the poll_interval: config configure line <serial port number> pollinterval <number>
To configure tx_interval: config configure line <serial port number> txinterval <number>
To configure idletimeout: config configure line <serial port number> idletimeout <number>
To configure conf.group: config configure conf group <string>
Tip. You can configure all the parameters for a serial port in one line. config configure line <serial port number> tty <string> ipno <string>...
For the terminal server configuration, the possible protocols are login (which requests username and password), rlogin (receives username from the BLACK BOX ® Advanced Console Server and requests a password), telnet, ssh, ssh2, or socket_client. If the protocol is configured as telnet or socket_client, the parameter socket_port needs to be configured.
Browser Method Step 1: Follow the steps 1 to 4 in the section titled Configuration for CAS, “Browser Method” on page Step 2: Click the TS Profile button in the Wizard section. Configure the following parameters in the Profile section: Protocol (telnet, ssh, rlogin or socket client); Socket port (23 for telnet, 22 for ssh, 513 for rlogin)
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration: (The ones with the '#' means it's not activated.)
all.protocol : rlogin
all.socket_port : 23
all.telnet_client_mode : 0
all.userauto : #
Set to defaults? (y/n) [n] :
Screen 3:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.PROTOCOL - Users can access the servers through the serial port using ssh, ssh2, telnet, login, rlogin, or socket_client.
Type 'c' to go back and CORRECT these parameters or 'q' to QUIT :
Typing 'c' repeats the application, typing 'q' exits the entire wiz application. If you type 'y':
Discard previous port-specific parameters? (y/n) [n] :
Note: Answering yes to this question will discard only the parameter(s) which you are currently configuring if they were configured for a specific port in a previous session. For instance, if you are currently configuring parameter, all.x, and there was a specific port, s2.x, configured;...
If you don't save to flash and if you were to reboot the system, all your new configurations will be lost and you will have to reconfigure the system.
Do you want to save your configurations to flash? (y/n) [n] :
CLI Method To configure certain parameters for a specific serial port: Step 1: At the command prompt, type in the appropriate command to configure desired parameters. To activate the serial port. <string> should be ttyS<serial port number> : config configure line <serial port number>...
/usr/local/sbin/pppd.
all.ipno: This is the default IP address of the BLACK BOX ® Advanced Console Server's serial ports. Any host can access a port using its IP address as long as a path to the address exists in the host's routing table. An example value would be 192.168.1.101+.
Example value:
%j novj \
proxyarp modem asyncmap 000A0000 \
noipx noccp login auth require-pap refusechap \
mtu %t mru %t \
cb-script /etc/portslave/cb_script \
plugin /usr/lib/libpsr.so
all.pppopt: PPP options when user has already been authenticated. Example value:
%i:%j novj \
proxyarp modem asyncmap 000A0000 \...
Click on the Administration > Run Configuration link, check the Serial Ports/Ethernet/Static Routes box and click on the Activate Configuration button. Step 8: Save it in the flash. Go to the link Administration > Load/Save Configuration and click the Save to Flash button.
CLI Method To configure certain parameters for a specific serial port: Step 1: At the command prompt, type in the appropriate command to configure desired parameters. To activate the serial port. <string> should be ttyS<serial port number> : config configure line <serial port number>...
With the BLACK BOX ® Advanced Console Server, authentication can be performed locally, or with a remote Radius, Tacacs, or ldap database, or kerberos.
TacacsPlus server is down) Note that this parameter controls the authentication required by the BLACK BOX ® Advanced Console Server. The authentication required by the device to which the user is connecting is controlled separately.
all.authhost1: This address indicates the location of the Radius/TacacsPlus...
BLACK BOX ® Advanced Console Server and the Radius/TacacsPlus servers. Note: If you want to dial in to the serial port on a BLACK BOX ® Advanced Console Server series with CHAP authentication, you need to do the following: 1. Configure Sxx.authtype as local.
Step 3: Click the Submit button. At this point, the configuration file is written in the RAMdisk. Step 4: Make changes effective. Click on the Administration > Run Configuration link, check the Serial Ports/Ethernet/Static Routes box and click on the Activate Configuration button. Step 5: Save it in the flash.
In that case, you must enter a valid value or # if you do not wish to configure the value. Press ENTER to continue...
Screen 2:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration: (The ones with the '#' means it's not activated.)
all.authtype : none
all.authhost1 : 192.168.160.3
all.accthost1 : 192.168.160.3...
:
ALL.AUTHHOST2 - This IP address indicates where the SECOND Radius or TacacsPlus authentication server is located.
all.authhost2[200.200.200.2] :
Screen 5:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.ACCTHOST2 - This IP address indicates where the SECOND Radius or TacacsPlus accounting server is located.
all.accthost2[200.200.200.3] :
ALL.RADTIMEOUT - This is the timeout (in seconds) for a Radius or TacacsPlus authentication query to be answered.
For instance, if you are currently configuring parameter, all.x, and there was a specific port, s2.x, configured; then, answering yes to this question will discard s2.x.
Type 'c' to CONTINUE to set these parameters for specific ports or 'q' to QUIT :
Typing 'c' leads to Screen 8, typing 'q' leads to Screen 9.
Screen 8:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
You have 8 available ports on this system.
<serial port number> tty <string>
To configure authtype: config configure line <serial port number> authtype <string>
To configure authhost1: config configure line <serial port number> authhost1 <string>
To configure accthost1: config configure line <serial port number> accthost1 <string>
To configure authhost2: config configure line <serial port number> authhost2 <string>
To configure accthost2: config configure line <serial port number> accthost2 <string>
To configure radtimeout: config configure line <serial port number> timeout <number>
To configure radretries: config configure line <serial port number>...
This makes the network appear as a single system, with the same accounts on all hosts. The objective of this feature is to allow the administrator to manage BLACK BOX ® Advanced Console Server accounts on a NIS server. The NIS client feature needs these following files/commands: /etc/yp.conf...
You will need to configure the NIS server. Command: vi /etc/yp.conf Example: if the NIS server has IP address 192.168.160.110, add the following line to the file: ypserver 192.168.160.110 Step 3: Edit the /etc/nsswitch.conf file. Change the /etc/nsswitch.conf file (the “System Databases and Name Service Switch” configuration file) to include the NIS in the lookup order of the databases.
3. You wish to authenticate the user first using NIS. If the user was not found or the NIS server is down, then use the local database: passwd: nis [UNAVAIL=continue TRYAGAIN=continue] files
CAS Port Pool This feature is available for the BLACK BOX ® Advanced Console Server 2.1.3 onward. CAS Port Pooling allows you to access a free serial port from a pool in addition to the original feature where you could access a specific serial port.
4000 // TCP port # for the pool
s3.ipno 10.0.0.3 // IP address for specific allocation
s3.pool_ipno 10.2.0.1 // IP address for the pool
s3.serverfarm serial-3 // alias for specific allocation
s3.pool_serverfarm pool-2 // alias for the pool
s4.tty ttyS4
s4.protocol socket_ssh
s4.socket_port 7004 // TCP port # for specific allocation
s4.pool_socket_port 4000 // TCP port # for the pool
s4.ipno 10.0.0.4 // IP address for specific allocation
s4.pool_ipno 10.2.0.1 // IP address for the pool
s4.serverfarm serial-4 // alias for specific allocation
s4.pool_serverfarm pool-2 // alias for the pool
In the example above, there are two pools:...
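The all.<param> default / s<N>.<param> override scheme, the '+' increment convention (all.socket_port 7001+, all.ipno 192.168.1.101+) and the pool_* parameters above make it easy to lose track of which ports are still on the shipped defaults (socket_server, i.e. telnet, with authtype none). The following Python script is an added example, not part of this manual or the product: it resolves a pslave.conf-style file into effective per-port settings and lists the ports that still combine those two defaults. The file contents and function names are constructed for illustration, and the script assumes a port with no authtype at all is "none", the factory default described in Chapter 2.

```python
"""Resolve a pslave.conf-style configuration and flag ports on the shipped defaults.

Added example, not code from the Black Box manual or product. It applies the
all.<param> default / s<N>.<param> override scheme and the '+' increment
convention described in the manual, then reports ports that still combine
protocol socket_server (cleartext telnet) with authtype none.
"""
import ipaddress
import re

# Constructed sample file for illustration (not a real unit's configuration).
SAMPLE_CONF = """\
conf.eth_ip 192.168.160.10
all.protocol socket_server
all.socket_port 7001+
all.ipno 192.168.1.101+
all.authtype none
s1.tty ttyS1
s2.tty ttyS2
s3.tty ttyS3
s3.protocol socket_ssh        // this port was hardened
s3.authtype radius
s3.pool_socket_port 4000      // TCP port # for the pool
s4.tty ttyS4
s4.socket_port 7010           // explicit value, no increment applied
"""

# `key value [// comment]`; the value itself may contain spaces.
LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s+(.*?)\s*(?://.*)?$")


def parse_conf(text):
    """Return {key: value} for every `key value` line, ignoring # and // comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def _increment(value, port_num):
    """Apply the '+' convention: port 1 gets the base value, port N gets base + N - 1."""
    if not value.endswith("+"):
        return value
    base = value[:-1]
    if base.isdigit():                                   # e.g. socket_port 7001+
        return str(int(base) + port_num - 1)
    return str(ipaddress.ip_address(base) + (port_num - 1))  # e.g. ipno 192.168.1.101+


def resolve_ports(params):
    """Effective per-port settings: s<N>.<param> wins, otherwise all.<param> (incremented)."""
    port_nums = sorted(int(k[1:].split(".")[0]) for k in params
                       if re.match(r"^s\d+\.tty$", k))
    ports = {}
    for n in port_nums:
        eff = {}
        for key, val in params.items():
            prefix, _, name = key.partition(".")
            if prefix == f"s{n}":
                eff[name] = val                          # port-specific value always wins
            elif prefix == "all":
                eff.setdefault(name, _increment(val, n))
        ports[n] = eff
    return ports


def weak_ports(ports):
    """Ports reachable over cleartext telnet with no authentication on the unit itself.

    Assumption: a port with no authtype at all is treated as 'none', the factory default.
    """
    return sorted(n for n, p in ports.items()
                  if p.get("protocol") == "socket_server"
                  and p.get("authtype", "none") == "none")


if __name__ == "__main__":
    resolved = resolve_ports(parse_conf(SAMPLE_CONF))
    for n, p in sorted(resolved.items()):
        print(f"port {n}: {p['protocol']} tcp/{p['socket_port']} "
              f"ip {p['ipno']} authtype {p['authtype']}")
    print("ports still on telnet + no authentication:", weak_ports(resolved))
```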
Terminal Servers so that one Master BLACK BOX ® Advanced Console Server can be used to access all BLACK BOX ® Advanced Console Servers on a LAN. The Master BLACK BOX ® Advanced Console Server can manage up to 1024 serial ports, so that the following can be clustered: •...
Parameters Involved and Passed Values The Master BLACK BOX ® Advanced Console Server must contain references to the Slave ports. The configuration described earlier for Console Access Servers should be followed with the following exceptions for the Master and Slaves:...
Clustering Table 7: Master Black Box Configuration (where it differs from the CAS standard). Columns: Parameter, Description, Value for this example. s33.ipno: This parameter must be created in the Master BLACK BOX ® Advanced Console Server file for every Slave port, unless configured using all.ipno. Value for this example: 0.0.0.0.
0.0.0.0 etc. for s68-s96 The Slave BLACK BOX ® Advanced Console Servers do not need to know they are being accessed through the Master BLACK BOX ® Advanced Console Server. (You are creating virtual terminals: virtual serial ports.) Their port numbers, however, must agree with those assigned by the Master.
Master pslave.conf file. Administrators should consider this approach to configure multiple BLACK BOX ® Advanced Console Servers. Using this feature, each unit has a simplified pslave.conf file where a Master include file is cited. This common configuration file contains information for all units, properly divided in separate sections, and would be stored on BLACK BOX ®...
Chapter 3 - Additional Features one central server. This file, in our example shown in Figure 17: Example of Centralized Management, is /etc/portslave/TScommon.conf. It must be downloaded to each BLACK BOX ® Advanced Console Server. Figure 17: Example of Centralized Management The abbreviated pslave.conf and /etc/hostname files in each unit, for the example are:...
Steps for using Centralized Configuration Step 1: Create and save the /etc/portslave/pslave.conf and /etc/hostname files in each BLACK BOX ® Advanced Console Server. Step 2: Execute the command signal_ras hup on each unit.
Step 7: Execute the saveconf command. Note: The included file /etc/portslave/TScommon.conf cannot contain another include file (i.e., the parameter conf.include must not be defined). Also, <max ports of BLACK BOX ® Advanced Console Server> + N(+) is done same way as serial port. Enhanced Clustering With Enhanced Clustering, the CAS ports in the slave box can be configured as ssh or telnet and can have any type of authentication available.
Slave box). The Master BLACK BOX ® Advanced Console Server box will issue a series of iptables commands to populate the nat table with the necessary rules to perform NAT translation for remote ports. Two chains will be created: •...
<slave_port> -j SNAT --to <master_ip> ... At any time the BLACK BOX ® Advanced Console Server administrator can issue an iptables command to view, change (at his own risk), or delete the rules in the nat table. If the administrator issues a “fwset restore”...
Clustering How it works The Master box (BLACK BOX ® Advanced Console Server) will perform two translations for each packet. The destination IP address is translated in the PREROUTING stage. The source IP address is translated in the POSTROUTING stage.
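The rule pair implied by these two translation stages, written out for one remote port, as an added example that is not the manual's or the firmware's own code. It assumes the built-in PREROUTING and POSTROUTING chains are used directly (the names of the two chains the Master creates are not given in this excerpt) and that the Slave port is a TCP socket_ssh or socket_server port; the addresses are the ones used in the clustering configuration examples.

```shell
#!/bin/sh
# Added example, not the manual's or the firmware's own code: print the nat-table
# rule pair that the clustering description implies for one remote (Slave) CAS port.
# Assumption: the built-in PREROUTING and POSTROUTING chains are used directly.

# enhanced_cluster_rules <master_ip> <master_port> <slave_ip> <slave_port>
# Prints two iptables commands; it does not run them.
enhanced_cluster_rules() {
    master_ip=$1; master_port=$2; slave_ip=$3; slave_port=$4
    # PREROUTING stage: a client that connects to master_ip:master_port has the
    # destination rewritten to the Slave's socket port.
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$master_ip" "$master_port" "$slave_ip" "$slave_port"
    # POSTROUTING stage: the packet now heads for slave_ip:slave_port; the source
    # is rewritten to the Master so the Slave's replies return through the Master.
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$slave_ip" "$slave_port" "$master_ip"
}

# cluster_rules_range <master_ip> <first_master_port> <slave_ip> <first_slave_port> <count>
# The same for a block of consecutive ports, e.g. s65-s96 on slave-2 in the
# sample configuration (Master socket_port 8001+ -> 192.168.170.3:7101+).
cluster_rules_range() {
    i=0
    while [ "$i" -lt "$5" ]; do
        enhanced_cluster_rules "$1" $(($2 + i)) "$3" $(($4 + i))
        i=$((i + 1))
    done
}

# Sample call with the addresses from the configuration examples.
cluster_rules_range 64.186.161.108 8001 192.168.170.3 7101 32

# To review what is actually installed on the Master (read-only, needs root):
#   iptables -t nat -L -n -v
```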
Chapter 3 - Additional Features ssh -l <username1> <slave1_port1_ip> ssh -l <username2> <slave2_port1_ip> Note: In the old clustering implementation <username?> and <server?> must be valid in the Master box. In the new clustering they must be valid in the Slave. In the Master box there is no meaning anymore for remote port's serverfarm and authtype parameters.
7001+ s[1-32].tty ttyS[1-32] # Remote CAS serial ports, slave-1 (32 socket_ssh ports). This kind of configuration can be used for ssh only; just one entry is necessary. s33.tty 192.168.170.2 s33.socket_port 7000
Chapter 3 - Additional Features # Remote CAS serial ports, slave-2 (32 socket_server ports) s65.tty 192.168.170.3:7101 s66.tty 192.168.170.3:7102 ... s96.tty 192.168.170.3:7132 s65.socket_port 8001 s66.socket_port 8002 s96.socket_port 8032 # Remote CAS serial ports, slave-3 (32 socket_ssh ports) s[97-128].tty 192.168.170.[101-132] Slave-1 box Configuration # Primary ethernet IP address conf.eth_ip 192.168.170.2 conf.eth_mask 255.255.255.0...
7101+ s[1-32].tty ttyS[1-32] Slave-3 box Configuration # Primary ethernet IP address conf.eth_ip 192.168.170.4 conf.eth_mask 255.255.255.0 conf.eth_mtu 1500 # Local CAS serial ports (32 socket_ssh ports) all.protocol socket_ssh all.authtype local all.ipno 192.168.170.101+ s[1-32].tty ttyS[1-32]
Chapter 3 - Additional Features Example of starting CAS session commands The serverfarm, socket_port, or tty must be provided to select which serial port is to be connected to in the Slave box 1. ssh -l <username>:<slave-1-port[1-32]> -p 7000 64.186.161.108 The master_port (socket_port in the Master) will select which serial port is to be connected to in the Slave boxes 1 and 2.
CronD CronD is a service provided by the BLACK BOX ® Advanced Console Server system that allows automatic, periodically-run custom-made scripts. It replaces the need for the same commands to be run manually. Parameters Involved and Passed Values The following parameters are created in the /etc/crontab_files file: Active or inactive.
The command saveconf, which reads the /etc/config_files file, should then be run. saveconf copies all the files listed in the file /etc/config_files from the ramdisk to /proc/flash/script. Step 5: Reboot the BLACK BOX ® Advanced Console Server. Browser Method To configure CronD with your browser: Step 1: Point your browser to the Console Server.
This will take you to the Configuration and Administration page. Step 3: Click on the Edit Text File link. Click on this link on the Link Panel. You can then pull up the appropriate file and edit it. Figure 18: Edit Text File page
<nn>, this name will be used. For example, if the serverfarm is called bunny, the data buffering file will be named bunny.data. The shell script /bin/build_DB_ramdisk creates a 48 Mbyte ramdisk for the BLACK BOX ® Advanced Console Server. Use this script as a model to create customized ramdisks for your environment.
If local data buffering, a file is created on the BLACK BOX ® Advanced Console Server; if remote, a file is created through NFS in a remote server. All data received from the port is captured in this file. If local data buffering, this parameter means the maximum file size (in bytes).
Chapter 3 - Additional Features conf.nfs_data_buffering This is the Remote Network File System where data captured from the serial port will be written instead of being written to the local directory /var/run/DB. The directory tree to which the file will be written must be NFS-mounted, so the remote host must have NFS installed and the administrator must create, export and allow reading/writing to this directory.
The parameter all.data_buffering has to be with a non-zero value for this parameter to be meaningful. Configuration for CAS vi Method Files to be modified: • pslave.conf • syslog-ng.conf
Chapter 3 - Additional Features Browser Method To configure Data Buffering with your browser: Step 1: Point your browser to the Console Server. In the address or location field of your browser type the Console Access Server’s IP address. For example: http://10.0.0.0 Step 2: Log in as root and type the Web root password configured by the Web server.
Step 12: Click the Save Configuration to Flash button. Wizard Method Step 1: Bring up the wizard. At the command prompt, type the following to bring up the Data Buffer custom wizard: wiz --db
Chapter 3 - Additional Features Screen 1: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** INSTRUCTIONS for using the Wizard: You can: 1) Enter the appropriate information for your system and press ENTER.
Then if a session is established to the serial port, the data in the buffer is shown (dont_show_DBmenu must be 2), cleared, and data transmission is resumed. Linear buffering is impossible if flow control is set to none. Default is cir. all.DB_mode[cir] :
Chapter 3 - Additional Features ALL.DONT_SHOW_DBMENU - When 0, a menu with data buffering options is shown when a non-empty data buffering file is found. When 1, the data buffering menu is not shown. When 2, the data buffering menu is not shown but the data buffering file is shown if not empty.
(The ones with the '#' means it's not activated.) conf.nfs_data_buffering : # all.data_buffering : 0 all.DB_mode : cir all.dont_show_DBmenu : 0 all.DB_timestamp : 0 all.syslog_buffering : 0 all.syslog_sess : 0 Are these configuration(s) all correct? (y/n) [n] :
Chapter 3 - Additional Features If you type 'n' Type 'c' to go back and CORRECT these parameters or 'q' to QUIT : Typing 'c' repeats the application, typing 'q' exits the entire wiz application If you type 'y' Discard previous port-specific parameters? (y/n) [n] : Note: Answering yes to this question will discard only the parameter(s) which you are currently configuring if they were configured for a specific port in a previous session.
If you don't save to flash and if you were to reboot the system, all your new configurations will be lost and you will have to reconfigure the system.
Chapter 3 - Additional Features Do you want to save your configurations to flash? (y/n) [n] : CLI Method To configure certain parameters for a specific serial port. Step 1: At the command prompt, type in the appropriate command to configure desired parameters.
The DHCP client on the Ethernet Interface can be configured in two different ways, depending on the action the BLACK BOX ® Advanced Console Server should take in case the DHCP Server does not answer the IP address request: 1.
• Add all other necessary options to the file /etc/network/dhcpcd_cmd (some options are described below). In both cases if the IP address of the BLACK BOX ® Advanced Console Server or the default gateway are changed, the BLACK BOX ®...
To configure DHCP via your Web browser: Step 1: Point your browser to the Console Server. In the address or location field of your browser type the Console Access Server’s IP address. For example: http://10.0.0.0
Chapter 3 - Additional Features Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page. Step 3: Click the General link on the Link Panel. This takes you to the General page.
Dual Power Management The BLACK BOX ® Advanced Console Server comes with two power supplies which it can self-monitor. If either of them fails, two actions are performed: sounding a buzzer and generating a syslog message. This automanagement can be disabled (no actions are taken) or enabled...
Chapter 3 - Additional Features Configuration for TS vi Method Same as for CAS. Configuration for Dial-in Access vi Method Same as for CAS. User Guide...
Console server works as the interface between the global network and the “slave” Console servers). The BLACK BOX ® Advanced Console Server uses the Linux utility iptables to set up, maintain and inspect both the filter and the NAT tables of IP packet rules in the Linux kernel.
If no rule is found, the default action for that chain will be taken. Syntax An iptables tutorial is beyond the scope of this manual. For more information on iptables, see the iptables man page (not included with the BLACK BOX ® Advanced Console Server) or the how-to: http://www.netfilter.org http://www.iptables.org...
The exact output is affected by the other arguments given. --flush Flush the selected chain. This is equivalent to deleting all the rules one-by-one.
Chapter 3 - Additional Features --zero Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.) New chain.
(calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet. The following additional options can be specified:
Chapter 3 - Additional Features Match Extensions --in-interface [!] name Optional name of an interface via which a packet is received (for packets entering the INPUT and FORWARD chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+"...
Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
Chapter 3 - Additional Features [!] --syn Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected.
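The mask/comparison semantics of --tcp-flags and --syn, reproduced in shell so a rule can be checked against sample flag sets before it is installed; this is an added example, not code from the manual. Flag bit values follow the TCP header (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the manual: the --tcp-flags comparison as iptables
# applies it, so that FORWARD/INPUT rules can be sanity-checked offline.

# flag_bits <FLAG,FLAG,...>: print the bitmask for an iptables flag list.
flag_bits() {
    total=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case $f in
            FIN) b=1 ;;  SYN) b=2 ;;  RST) b=4 ;;  PSH) b=8 ;;
            ACK) b=16 ;; URG) b=32 ;; ALL) b=63 ;; NONE) b=0 ;;
            *) echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
        total=$((total | b))
    done
    echo "$total"
}

# tcp_flags_match <mask> <comp> <packet_flags>
# Succeeds when the rule "--tcp-flags <mask> <comp>" would match a packet whose
# set flags are <packet_flags>: only the bits named in <mask> are examined, and
# exactly those named in <comp> must be set among them.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    comp=$(flag_bits "$2") || return 2
    pkt=$(flag_bits "$3") || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# syn_match <packet_flags>: --syn as the manual describes it (SYN set, ACK and
# FIN clear). Current iptables also requires RST clear, i.e. it is the same as
# --tcp-flags SYN,RST,ACK,FIN SYN.
syn_match() {
    tcp_flags_match SYN,ACK,FIN SYN "$1"
}

# Demonstration with the FORWARD rule quoted above and a few constructed flag sets.
for pkt in SYN SYN,ACK SYN,PSH ACK FIN,ACK; do
    if tcp_flags_match SYN,ACK,FIN,RST SYN "$pkt"; then
        echo "$pkt: matched (new connection attempt)"
    else
        echo "$pkt: not matched"
    fi
done
```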
This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:
Chapter 3 - Additional Features DNAT (nat table only) --to-source <ipaddr>[-<ipaddr>][:port-port] This can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp).
In the Address or Location field of your browser type the IP Address or the alias of your console server. Step 2: Log in. Log in as root, and type the password configured for the root user. This will take you to the Configuration and Administration page.
Chapter 3 - Additional Features Step 3: Select the IPTables link. On the Configuration section of this page, select the IPTables link. The following page will appear. Figure 22: First IP Tables page The options in this page are: List Chains: list all the chains of the table selected. Save in File: save all the IP tables rules, chains and tables to the file...
Figure 24: IP Tables Rules Table (table: filter, chain: INPUT) Step 7: Click the button Append Rule to start. The page which follows is for configuring the rule. There are several parameters related to a rule:
Chapter 3 - Additional Features Figure 25: IP Tables Append Rule (table: filter, chain: INPUT) Note: For many parameters, there is a checkbox called inverted. Checking this box will invert the sense of the parameter. Target Indicates the action to be performed when the IP packet matches the rule.
Step 9: Repeat steps 7 and 8 to add as many rules as necessary. Step 10: Click on the link [IP Tables Chains Table] if there are rules to be added in other chains. Repeat steps 6 to 8 to add rules for other chains.
Chapter 3 - Additional Features Step 11: Click on the link [IP Tables] if the nat table must be edited. Select the nat table and click on the List Chains button. Repeat steps 5 to 8 to edit the chains and rules in the nat table. The tables presented on the Web page are the same as in the filter table, with the difference that there are more options in the Append/Insert/Replace Rule page: DNAT/SNAT options...
In the address or location field of your browser type the Console Access Server’s IP address. For example: http://10.0.0.0 Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page.
Chapter 3 - Additional Features Step 3: Select the General link. Click on the General link on the Link Panel to the left of the page in the Configuration section. This will take you to the General page. Step 4: Scroll down to the Data Buffering section. You can change the Data Buffering Facility value (conf.DB_facility).
(Please see the 'Syslog-ng Configuration to use with Alarm Feature' section under Generating Alarms in Chapter 3 of the system's manual for the syslog-ng configuration file.) all.alarm[0] :
Chapter 3 - Additional Features Screen 2: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Current configuration: (The ones with the '#' means it's not activated.) all.alarm : 0 Set to defaults? (y/n) [n] : Screen 3:...
Type 'c' to CONTINUE to set these parameters for specific ports or 'q' to QUIT : Typing 'c' leads to Screen 5, typing 'q' leads to Screen 6.
Chapter 3 - Additional Features Screen 5: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** You have 8 available ports on this system. Type 'q' to quit, a valid port number[1-8], or anything else to refresh : Note: The number of available ports depends on the system you are on.
To configure alarm: config configure line <serial port number> alarm <number> Tip. You can configure all the parameters for a serial port in one line. config configure line <serial port number> tty <string> alarm <number>
Chapter 3 - Additional Features Step 2: Activate and Save. To activate your new configurations and save them to flash, type: config write (This is essentially typing signal_ras hup and saveconf from the normal terminal prompt.) Syslog-ng Configuration to use with Alarm Feature This configuration example is used for the alarm feature.
# Example to send a pager to phone number 123 (Pager server at 10.0.0.1) with message # carrying the current date, the hostname of this BLACK BOX ® Advanced Console Server and the message that was received from the source : destination d_pager { pipe("/dev/cyc_alarm"...
Alarm, Sendmail, Sendsms and Snmptrap Alarm This feature is available only for the Console Server Application. The BLACK BOX ® Advanced Console Server sends messages using pager, e-mail, or snmptrap if the serial port receives messages with a specific string. To configure this feature: Step 1: Activate alarm in Portslave configuration file.
Sendmail sends a message to an SMTP server. It is not intended as a user interface routine; it is used only to send pre-formatted messages. Sendmail reads all parameters in the command line. If the SMTP server does not answer the SMTP protocol requests sent by sendmail, the message is dropped.
Regarding the international country code, don't forget that whether it is needed depends on the SMS gateway location (the host this client program is connecting to), not the location where the client is run from.
Chapter 3 - Additional Features -d dest (cont.) If there are any doubts, please contact the SMS server administrator for your network. Please always include the area code (even when sending to a destination in the same “area”, i.e., on the same network). The number without the area code, though syntactically correct and accepted by the network, may never get delivered.
COPYRIGHT: SMSLink is (c) Les Ateliers du Heron, 1998 by Philippe Andersson. Example to send a pager message to phone number 123 (Pager server at 10.0.0.1) with message: sendsms -d 123 -m "Hi. This is a test message send from BLACK BOX ® Advanced Console Server using sendsms" 10.0.0.1 Snmptrap Snmptrap is an SNMP application that uses the TRAP-PDU Request to send information to a network manager.
For example, to send a Link Down trap to server at 10.0.0.1 with interfaces.iftable.ifentry.ifdescr: snmptrap -v 1 -c public 10.0.0.1 "" 2 0 "" .1.3.6.1.2.1.2.2.1.2.1 s "BLACK BOX ® Advanced Console Server: serial port number 1 is down" Optional. It sends INFORM-PDU. Required. They are: SNMP server IP address and community.
Configuration of access method parameters Configuration of alarm parameter all <cas or ts> Configuration of all parameters auth Configuration of authentication parameters Configuration of data buffering parameters help Print this help message Configuration of power management parameters.
Chapter 3 - Additional Features Table 10: General Options for the Help Wizard Option Description Configuration of syslog parameters Configuration of sniffing parameters Configuration of serial setting parameters sset <cas or ts> Configuration of terminal login display parameters Configuration of other parameters specific to the TS profile Step 1: Bring up the wizard.
Parameters Modified: ip <string> Configuration of the IP of the Ethernet interface (conf.eth_ip). mask <string> Configuration of the mask for the Ethernet network (conf.eth_mask). mtu <number> Configuration of the Maximum Transmission Unit size (conf.eth_mtu).
Chapter 3 - Additional Features (Refer to Appendix C for more info on the parameters.) Synopsis 3 - Configuration of other Conf. Parameters config configure conf [options] or in CLI mode: configure conf [options] Table 13: Help CLI Options - Synopsis 3 Option Actual Parameter Modified conf.DB_facility...
For example: • To find out possible commands that can come after config, type: config ? • To find out what parameters are configurable through CLI, type: config configure line <serial port number> ?
The ntpclient is a Network Time Protocol (RFC-1305) client for UNIX- and Linux-based computers. In order for the BLACK BOX ® Advanced Console Server to work as an NTP client, the IP address of the NTP server must be set in the file /etc/ntpclient.conf.
Step 3: Click on the Edit Text File link. Click on this link on the Link Panel or on the Configuration section of the Configuration and Administration page. (See .) You can then pull up the appropriate file and edit it.
Console Server that has a dual power supply. Supported Cards The BLACK BOX ® Advanced Console Server supports the 16-bit PC Cards. The 32-bit CardBus PC Cards are not supported. For an updated list of supported cards, please check the Black Box Web site.
Note: Before changing the /etc/network/interfaces file, unload the network client driver using cardctl eject. The factory default /etc/network/interfaces has the following lines: # auto eth1 # iface eth1 inet static address 192.168.0.42 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255 gateway 192.168.0.1
Note: Do not use ifconfig to change the network settings for the PCMCIA device. Otherwise, you may be unable to unload the network driver during cardctl eject and the BLACK BOX ® Advanced Console Server may hang. The correct way is to change the /etc/network/interfaces file.
Modem PC Cards The modem device gets the /dev/ttySn name, where n is the number of embedded serial devices plus 1. For instance, if the BLACK BOX ® Advanced Console Server has 32 onboard serial devices, the modem card becomes the /dev/ttyS33.
Chapter 3 - Additional Features When a modem card is detected, cardmgr starts a script which loads mgetty for the modem device automatically. mgetty provides the login screen to the remote user. mgetty may also be configured to start PPP (pppd) and let PPP login the caller. The steps to allow PPP connections are: Step 1: Enable login and PAP authentication in /etc/mgetty/login.config.
Step 9: Insert the pcmcia modem if not inserted yet. Step 10: Run ps to see that mgetty is running. The BLACK BOX ® Advanced Console Server is ready to receive dial in calls. Step 11: Establish PPP connection with the BLACK BOX ® Advanced Console Server.
Chapter 3 - Additional Features Server Side BLACK BOX ® Advanced Console Server Setup Step 1: Enable authentication. Enable the desired authentication in /etc/mgetty/login.config. For instance, you may want the following authentication in /etc/mgetty/login.config to enable PAP and system password database authentication:...
Step B: Make script executable. Type chmod 755 /etc/ppp/ppplogin. Step C: Save this file to flash. Save this file to flash so the next time the BLACK BOX ® Advanced Console Server gets rebooted, you won't lose the new file. Add /etc/ppp/ppplogin into /etc/config_files.
-> Properties -> Advanced -> add &c0s0=1 to Extra Settings. Step 4: Call your BLACK BOX ® Advanced Console Server. Step A: Dial to the BLACK BOX ® Advanced Console Server modem using either the normal username or the ppp username that you created in Step 5 when configuring the server side.
PCMCIA • Log in through character mode: Log in with username and password. You will get the BLACK BOX ® Advanced Console Server shell prompt. • Log in through ppp: Click on Done on the Terminal Window. ISDN PC Cards You can establish synchronous PPP connections with ISDN cards.
/etc/pcmcia/isdn stop ippp0 /etc/pcmcia/isdn start ippp0 Step 6: You can dial from the remote system to the BLACK BOX ® Advanced Console Server, and get a PPP connection. Step 7: To hang up the connection from the BLACK BOX ® Advanced Console Server side,...
For the same cost saving reasons explained in Establishing a Callback with your Modem PC Card, the ISDN card in the BLACK BOX ® Advanced Console Server can be configured to callback client machines after receiving dial in calls.
“AVM ISDN Internet (PPP over ISDN)” modem, type the phone number you dial to connect to the BLACK BOX ® Advanced Console Server, and enter mary as User name and marypasswd as password.).
Windows is rebooted to apply the changes. The Windows side is done. Now you can dial from Windows to the BLACK BOX ® Advanced Console Server. Go to Start- > Settings-> “Network and Dial-up Connections” and select the dial-up that you created. After the “Dialing”...
Chapter 3 - Additional Features Step 1.2: Configure the DIALIN_REMOTENUMBER. If your ISDN line supports caller id, it is recommended that you also configure the DIALIN_REMOTENUMBER and enable secure calls. Otherwise skip to Step 1.3. DIALIN_REMOTENUMBER="8358662" # Remote phone from which you will # receive calls SECURE="on"...
Step 2: Dial to the BLACK BOX ® Advanced Console Server: isdnctrl dial ippp0 Step 3: As soon as the BLACK BOX ® Advanced Console Server authenticates the user mary, the BLACK BOX ® Advanced Console Server will disconnect and callback.
Chapter 3 - Additional Features Ports Configured as Terminal Servers There are TS-specific parameters that are required to be configured when using the serial ports with the TS profile. The configuration of these TS-specific parameters are described in this section. Additional configuration for TS is described in Access Method and Serial Settings in Chapter 3, and in Appendix C –...
W I Z A R D ********* *********************************************************** CONF.LOCALLOGINS - This parameter is only necessary when authentication is being performed for a port. When set to 1, it is possible to log into the system directly by
Chapter 3 - Additional Features placing a '!' before users' login name, then using their normal password. This is useful if the Radius authentication server is down. conf.locallogins[0] : Screen 5: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Current configuration:...
In that case, please reconnect to the unit by the new IP address, and manually issue a saveconf to save your configurations to flash.) Do you want to activate your configurations now? (y/n) [n]:
Chapter 3 - Additional Features Screen 8: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time;...
<serial port number> tty <string> host <string> term <string> locallogins <number> To activate your new configurations and save them to flash, type: config write (This is essentially typing signal_ras hup and saveconf from the normal terminal prompt.)
Chapter 3 - Additional Features Serial Settings This feature controls the speed, data size, parity, and stop bits of all ports. It also sets the flow control to hardware, software, or none; the DCD signal; and tty settings after a socket connection to that serial port is established.
In the address or location field of your browser type the Console Access Server’s IP address. For example: http://10.0.0.0 Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page.
Chapter 3 - Additional Features Step 3: Select the Serial Ports link. Click on the Serial Ports link on the Link Panel to the left of the page or in the Configuration section of the page. This will take you to the Port Selection page. Step 4: Select port(s).
W I Z A R D ********* *********************************************************** Current configuration: (The ones with the '#' means it's not activated.) all.speed : 9600 all.datasize : 8 all.stopbits : 1 all.parity : none all.flow : none all.dcd : 0 all.DTR_reset : 100
Chapter 3 - Additional Features all.sttyCmd : # Set to defaults? (y/n) [n] : Screen 3: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** ALL.SPEED - The data speed in bits per second (bps) of all ports.
ON. A value greater or equal to 100 specifies for how long (in milliseconds) the DTR signal will be turned off before it is turned back on again when a connection to the serial port is closed. all.DTR_reset[100] :
Chapter 3 - Additional Features ALL.STTYCMD - Tty settings after a socket connection to that serial port is established. The tty is programmed to work as a CAS profile and this user specific configuration is applied over that serial port. Parameters must be separated by space.(e.g.
Note: The number of available ports depends on the system you are on. Typing in a valid port number repeats this program except this time it's configuring for the port number you have chosen. Typing 'q' leads to Screen 9.
Chapter 3 - Additional Features Screen 9: *********************************************************** ********* C O N F I G U R A T I O N W I Z A R D ********* *********************************************************** (Note: If you are NOT connected to this unit through a console, and you have just reconfigured the IP of this unit, activating the new configurations may cause you to lose connection.
<serial port number> flow <string> To configure dcd: config configure line <serial port number> dcd <number> To configure DTR_reset: config configure line <serial port number> dtr_reset <number> To configure sttyCmd: config configure line <serial port number> sttycmd <string> BLACK BOX ® Advanced Console Server...
Tip. You can configure all the parameters for a serial port in one line:
config configure line <serial port number> tty <string> speed <number> datasize <number> stopbits <number> parity <string> flow <string> dcd <number> dtr_reset <number>...
Typing 'c' repeats the application; typing 'q' exits the entire wiz application. If you type 'y':
Type 'c' to CONTINUE to set these parameters for specific ports or 'q' to QUIT :
Typing 'c' leads to Screen 7; typing 'q' leads to Screen 8.
Screen 7:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
You have 8 available ports on this system. Type 'q' to quit, a valid port number[1-8], or anything else to refresh :
Note: The number of available ports depends on the system you are on.
<serial port number> tty <string>
To configure speed:
config configure line <serial port number> speed <number>
To configure datasize:
config configure line <serial port number> datasize <number>
To configure stopbits:
config configure line <serial port number> stopbits <number>
To configure parity:
config configure line <serial port number> parity <string>
To configure flow:
config configure line <serial port number> flow <string>
To configure dcd:
config configure line <serial port number> dcd <number>
Tip. You can configure all the parameters for a serial port in one line:
config configure line <serial port number>...
To configure speed:
config configure line <serial port number> speed <number>
To configure datasize:
config configure line <serial port number> datasize <number>
To configure stopbits:
config configure line <serial port number> stopbits <number>
Only characters from ‘^a’ to ‘^z’ (i.e. CTRL-A to CTRL-Z) will be accepted. If it is not defined, it will assume the value of all.escape_char. When multiple sessions are allowed for one port, the behavior of the BLACK BOX ® Advanced Console Server will be as follows: 1.
(that can be in, out or i/o). When the user selects 3 - Send messages to another user, the BLACK BOX ® Advanced Console Server will send the user's messages to all the sessions, but not to the tty port. Everyone connected to that port will see all the "conversation"...
Typing all.escape_char or sN.escape_char from the sniff session or “send message mode” will make the BLACK BOX ® Advanced Console Server show the previous menu. The first regular sessions will not be allowed to return to the menu. If you kill all regular sessions using the option 4, your session initiates as a regular session automatically.
Step 4: Select port(s). On the Port Selection page, choose all ports or an individual port to configure, from the dropdown menu. Click the Submit button. This will take you to the Serial Port Configuration page.
Step 5: Scroll down to the Sniff Session section. You can configure the appropriate values here.
Figure 26: Sniff Session section of the Serial Port Configuration page
Step 6: Click on the Submit button.
Step 7: Make the changes effective. Click on the Administration >...
W I Z A R D *********
***********************************************************
Current configuration:
(The ones with the '#' means it's not activated.)
all.admin_users : #
all.sniff_mode : out
all.escape_char : ^z
all.multiple_sessions : no
Set to defaults? (y/n) [n] :
Screen 3:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.ADMIN_USERS - This parameter determines which users can open a sniff session, which is where other users connected to the very same port can see everything that the first user is doing.
W I Z A R D *********
***********************************************************
Current configuration:
(The ones with the '#' means it's not activated.)
all.admin_users : #
all.sniff_mode : out
all.escape_char : ^z
all.multiple_sessions : no
Are these configuration(s) all correct? (y/n) [n] :
If you type 'N':
Type 'c' to go back and CORRECT these parameters or 'q' to QUIT :
Typing 'c' repeats the application; typing 'q' exits the entire wiz application.
If you type 'Y':
Discard previous port-specific parameters? (y/n) [n] :
Note: Answering yes to this question will discard only the parameter(s) which you are currently configuring if they were configured for a specific port in a previous session.
If you don't save to flash and if you were to reboot the system, all your new configurations will be lost and you will have to reconfigure the system.
Do you want to save your configurations to flash? (y/n) [n] :
CLI Method
To configure certain parameters for a specific serial port:
Step 1: At the command prompt, type in the appropriate command to configure desired parameters.
To activate the serial port. <string> should be ttyS<serial port number> :
config configure line <serial port number>...
Important! Check the SNMP configuration before gathering information about the BLACK BOX ® Advanced Console Server by SNMP. An unauthorized user who can query the SNMP agent has several ways to retrieve sensitive information contained in the MIB. By default, the SNMP configuration in BLACK BOX ®...
• RFC2576 - Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
Private UCD SNMP MIB extensions (enterprises.2021)
• Information about memory utilization (/proc/meminfo)
• Information about system status (vmstat)
• Information about net-snmp packet
5. Private Black Box Vendor MIB (enterprises.2925)
• Black Box LS1032A-xx Remote Management Object Tree (blackbox.4). This MIB permits you to get information about the product, to read/write some configuration items and to do some administration commands. (For more details see the blackbox.mib file.)
Configuration for CAS, TS, and Dial-in Access...
Syslog
The syslog-ng daemon provides a modern treatment to system messages. Its basic function is to read and log messages to the system console, log files, other machines (remote syslog servers) and/or users as specified by its configuration file. In addition, syslog-ng is able to filter messages based on their content and to perform an action (e.g.
In the address or location field of your browser type the Console Access Server's IP address. For example: http://10.0.0.0
Step 2: Log in as root and type the Web root password configured by the Web server. This will take you to the Configuration and Administration page.
Step 3: Click Syslog on the Configuration section. Select the Syslog link. The following page will appear, giving information for configuring syslog:
Figure 27: Syslog page 1
Step 4: Edit the configuration file and click on the Submit button.
Step 5: Make changes effective.
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Current configuration:
(The ones with the '#' means it's not activated.)
conf.facility : 7
conf.DB_facility : 0
Set to defaults? (y/n) [n] :
Screen 3:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
CONF.FACILITY - This value (0-7) is the Local facility sent to the syslog.
In that case, please reconnect to the unit by the new IP address, and manually issue a saveconf to save your configurations to flash.)
Do you want to activate your configurations now? (y/n) [y] :
Screen 6:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
Flash refers to a type of memory that can be erased and reprogrammed in units of memory known as blocks rather than one byte at a time;...
The Syslog Functions
This section shows the characteristics of the syslog-ng that is implemented for all members of the BLACK BOX ® Advanced Console Server family. It is divided into three parts:
Syslog-ng and its Configuration
Syslog-ng Configuration to use with Syslog Buffering Feature...
time_reopen(n) - The time to wait before a dead connection is reestablished.
time_reap(n) - The time to wait before an idle destination file is closed.
sync_freq(n) - The number of lines buffered before written to file. (The file is synced when this number of messages has been written to it.)
The number of seconds between two MARK lines.
unix-dgram(filename [options])
- Selects whether to keep connections opened when syslog-ng is restarted. Can be used only with unix_stream. Default: yes.
max-connections(n) - Limits the number of simultaneously opened connections. Can be used only with unix_stream. Default: 10.
c) tcp([options])
udp([options])
These drivers let you receive messages from the network and, as the driver names show, you can use both TCP and UDP. Neither the tcp() nor the udp() driver requires positional parameters. By default they bind to 0.0.0.0:514, which means that syslog-ng will listen on all available interfaces. Any host that can reach the unit on that port can then write into its logs, since plain syslog carries no authentication; if remote clients are not needed, leave the network sources out of the configuration, and if they are, restrict the bind address with the driver's ip() option and limit the senders upstream.
Tries to match the <string> to the hostname field of the log message.
e) match(<string>) Tries to match the <string> to the message itself.
Some Examples of Defining Filters
1) To filter by facility:
filter f_facility { facility(<facility name>); };
If no new messages are written to a file within 60 seconds (controlled by the time_reap global option), it's closed, and its state is freed.
Available macros in filename expansion:
HOST - The name of the source host where the message originated from.
FACILITY - The name of the facility the message is tagged as coming from.
PRIORITY or LEVEL - The priority of the message.
PROGRAM - The name of the program the message was sent by.
$FULLDATE - The complete date when the message was sent.
$FACILITY - The facility of the message.
$PRIORITY or $LEVEL - The priority of the message.
$PROGRAM - The message was sent by this program (BUFFERING or SOCK).
<server IP address or name>
Example to send a pager to phone number 123 (Pager server at 10.0.0.1) with message carrying the current date, the hostname of this BLACK BOX ® Advanced Console Server and the message that was received from the source:...
\"<message - max. size 250 characters>\" Example to send a Link Down trap to server at 10.0.0.1 with message carrying the current date, the hostname of this BLACK BOX ® Advanced Console Server and the message that was received from the source: destination d_trap { pipe("/dev/cyc_alarm"...
template("snmptrap -v 1 -c public 10.0.0.1 \"\" \"\" 2 0 \"\" \
.1.3.6.1.2.1.2.2.1.2.1 s \"$FULLDATE $HOST $MSG\" "));
(The example uses the well-known default community string public, and SNMPv1 sends the community string in clear text; configure the trap receiver with a non-default community and put that value in the template.)
4) To write in file:
destination d_file { file(<filename>);};
Example send message to console:
destination d_console { file("/dev/ttyS0");};
Example to write a message in /var/log/messages file:
destination d_message { file("/var/log/messages");...
5) To send e-mail and pager if message received from local syslog client has the string "root login":
log { source(sysl); filter(f_root); destination(d_mail1); destination(d_pager); };
6) To send messages with facility kernel and received from syslog clients (local and remote) to remote syslogd:
log { source(sysl); source(s_udp); filter(f_kern); destination(d_udp1); };
Syslog-ng Configuration to use with Syslog Buffering Feature
This configuration example uses the syslog buffering feature, and sends messages to the remote syslogd (10.0.0.1).
Step 1: Configure pslave.conf parameters. In the pslave.conf file the parameters of the syslog buffering feature are configured:
conf.DB_facility 1
all.syslog_buffering 100...
# send info, notice and warning messages to remote server udp1
log { source(src); filter(f_local1); destination(d_udp1); };
# send error, critical and alert messages to remote server udp2
log { source(src); filter(f_critic); destination(d_udp2); };
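To see how the filters and log statements above combine, here is an added example (not part of the guide and not the unit's software): a small Python evaluator that classifies constructed syslog lines the way syslog-ng does and reports which destinations each one reaches. The source, filter and destination names (sysl, s_udp, f_root, f_kern, d_mail1, d_pager, d_udp1) are taken from the examples above; the log lines, the line parser and the function names are this example's own.

```python
import re

# Added example (not from the guide): apply syslog-ng style filters and log
# statements to syslog lines and report which destinations each message reaches.
# Source/filter/destination names mirror the guide's examples; the log lines
# and the message format (RFC 3164 style with a <PRI> prefix) are constructed.

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(\d{1,3})>"                      # PRI = facility * 8 + level
    r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d) "  # timestamp
    r"(\S+) "                            # hostname
    r"([^:\[ ]+)(?:\[\d+\])?: "          # program[pid]:
    r"(.*)$")                            # message text


def parse_line(line):
    """Split one syslog line into the fields syslog-ng filters operate on."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group(1))
    return {
        "facility": FACILITIES[pri // 8],
        "level": LEVELS[pri % 8],
        "date": m.group(2),
        "host": m.group(3),
        "program": m.group(4),
        "msg": m.group(5),
    }


# Filter drivers named in the guide: facility(), level(), host(), match().
def facility(*names): return lambda m: m["facility"] in names
def level(*names):    return lambda m: m["level"] in names
def host(pattern):    return lambda m: re.search(pattern, m["host"]) is not None
def match(pattern):   return lambda m: re.search(pattern, m["msg"]) is not None


# Equivalent of the guide's statements:
#   filter f_root { match("root login"); };
#   filter f_kern { facility(kern); };
#   log { source(sysl); filter(f_root); destination(d_mail1); destination(d_pager); };
#   log { source(sysl); source(s_udp); filter(f_kern); destination(d_udp1); };
FILTERS = {
    "f_root": match("root login"),
    "f_kern": facility("kern"),
}
LOGS = [
    {"sources": {"sysl"}, "filters": ["f_root"], "destinations": ["d_mail1", "d_pager"]},
    {"sources": {"sysl", "s_udp"}, "filters": ["f_kern"], "destinations": ["d_udp1"]},
]


def route(line, source):
    """Sorted list of destinations a message arriving on `source` reaches."""
    msg = parse_line(line)
    hit = set()
    for stmt in LOGS:
        if source not in stmt["sources"]:      # log{} only sees its own sources
            continue
        if all(FILTERS[f](msg) for f in stmt["filters"]):
            hit.update(stmt["destinations"])
    return sorted(hit)


if __name__ == "__main__":
    # constructed sample lines: PRI 38 = auth.info, 6 = kern.info, 13 = user.notice
    samples = [
        ("<38>Sep 12 10:01:02 ls1032 login: root login on ttyS3", "sysl"),
        ("<6>Sep 12 10:01:05 ls1032 kernel: eth0: link down", "s_udp"),
        ("<13>Sep 12 10:02:00 ls1032 portslave[211]: alice logged in on ttyS1", "sysl"),
    ]
    for line, src in samples:
        print("%-5s -> %s" % (src, route(line, src) or ["(dropped)"]))
```

Running it shows the "root login" message from the local source reaching d_mail1 and d_pager, the kernel message from either source reaching d_udp1, and an ordinary user.notice message reaching nothing. A message that matches a filter but arrives on a source the log statement does not name is dropped as well, which is the first thing to check when a remote client's messages never show up at a destination.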
Example value: %h login:
all.issue - This text determines the format of the login banner that is issued when a connection is made to the BLACK BOX ® Advanced Console Server. \n represents a new line and \r represents a carriage return.
Step 6: Click on the Submit button.
Step 7: Make the changes effective. Click on the Administration > Run Configuration link, check the Serial Ports/Ethernet/Static Routes box and click on the Activate Configuration button.
Step 8: Click on the link Administration > Load/Save Configuration.
Step 9: Click the Save Configuration to Flash button. The configuration was saved in flash.
Wizard Method
Step 1: Bring up the wizard. At the command prompt, type the following to bring up the Terminal Appearance custom wizard:
wiz --tl
Screen 1 will appear.
\n represents a new line and \r represents a carriage return.
all.issue[\r\n\Welcome to terminal server %h port S%p \n\ \r\n\] :
ALL.PROMPT - This text defines the format of the login prompt.
all.prompt[%h login:] :
Screen 4:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
ALL.LF_SUPPRESS - This activates line feed suppression. When configured as 0, line feed suppression will not be performed.
Type 'c' to CONTINUE to set these parameters for specific ports or 'q' to QUIT :
Typing 'c' leads to Screen 7; typing 'q' leads to Screen 8.
Screen 7:
***********************************************************
********* C O N F I G U R A T I O N W I Z A R D *********
***********************************************************
You have 8 available ports on this system. Type 'q' to quit, a valid port number[1-8], or anything else to refresh :
Screen 8:
***********************************************************...
<serial port number> prompt <string>
To configure lf_suppress:
config configure line <serial port number> lf <number>
To configure auto_answer_input:
config configure line <serial port number> auto_input <string>
To configure auto_answer_output:
config configure line <serial port number> auto_output <string>
Tip. You can configure all the parameters for a serial port in one line.
config configure line <serial port number> tty <string> issue <string> prompt <string> lf <number> auto_input <string> auto_output <string>
Step 2: Activate and Save. To activate your new configurations and save them to flash, type:
config write
(This is essentially typing signal_ras hup and saveconf from the normal terminal...
Day 0 is a Sunday. The time fields specify when, in the local time currently in effect, the change to the other time occurs. If omitted, the default is 02:00:00.
In the example below:
GST+7DST+6M4.1.0/14:30.M10.5.6/10
Daylight Saving Time starts on the first Sunday of April at 2:30 p.m. and it ends on the last Saturday of October at 10:00 a.m.
How to set Date and Time
The date command prints or sets the system date and time.
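The rule string above, worked through in code as an added example (not from the guide): the parser below extracts the zone names, the offsets and the two Mm.w.d/time rules and turns them into the actual transition instants for a given year, so a rule can be checked before it is saved to the unit. It follows the conventions stated above (day 0 is Sunday, week 5 is the last such weekday of the month, a missing time means 02:00:00), keeps the offsets as the string gives them (POSIX style, positive meaning west of UTC), and accepts either the '.'-separated form shown above or the comma-separated POSIX form. Function and variable names are this example's own.

```python
import calendar
import re
from datetime import date, datetime

# Added example (not from the guide): parse a rule string such as
# GST+7DST+6M4.1.0/14:30.M10.5.6/10 and compute the DST start/end for a year.
# Conventions as on the page: day 0 = Sunday, week 5 = last such weekday,
# missing time = 02:00:00. Offsets are returned as given (POSIX sign).

NAME_RE = re.compile(r"^([A-Za-z]{3,})([+-]?\d{1,2})(?:([A-Za-z]{3,})([+-]?\d{1,2}))?")
RULE_RE = re.compile(r"M(\d{1,2})\.(\d)\.(\d)(?:/(\d{1,2})(?::(\d{2}))?(?::(\d{2}))?)?")


def parse_tz(spec):
    """Split the zone names/offsets and the two Mm.w.d[/time] rules."""
    m = NAME_RE.match(spec)
    if not m:
        raise ValueError("unrecognised zone prefix in %r" % spec)
    std, std_off, dst, dst_off = m.groups()
    rules = RULE_RE.findall(spec)      # rules may be separated by '.' or ','
    if len(rules) != 2:
        raise ValueError("expected a DST start rule and an end rule in %r" % spec)
    return {
        "std": std, "std_offset": int(std_off),
        "dst": dst, "dst_offset": int(dst_off) if dst_off else None,
        "start": rules[0], "end": rules[1],
    }


def nth_weekday(year, month, week, dow):
    """Date of the week-th weekday dow (0=Sunday) in month; week 5 = the last one."""
    first_dow = (date(year, month, 1).weekday() + 1) % 7   # Python Monday=0 -> Sunday=0
    day = 1 + (dow - first_dow) % 7 + 7 * (week - 1)
    days_in_month = calendar.monthrange(year, month)[1]
    while day > days_in_month:                              # "5" ran past the month end
        day -= 7
    return date(year, month, day)


def transition(year, rule):
    """Local wall-clock instant at which a parsed Mm.w.d[/hh[:mm[:ss]]] rule fires."""
    month, week, dow, hh, mm, ss = rule
    d = nth_weekday(year, int(month), int(week), int(dow))
    hour = int(hh) if hh else 2          # page: time defaults to 02:00:00
    return datetime(d.year, d.month, d.day, hour, int(mm or 0), int(ss or 0))


def dst_window(spec, year):
    """(DST start, DST end) for the given year as naive local datetimes."""
    tz = parse_tz(spec)
    return transition(year, tz["start"]), transition(year, tz["end"])


if __name__ == "__main__":
    start, end = dst_window("GST+7DST+6M4.1.0/14:30.M10.5.6/10", 2003)
    print("DST starts", start.strftime("%A %Y-%m-%d %H:%M"))
    print("DST ends  ", end.strftime("%A %Y-%m-%d %H:%M"))
```

For 2003, the year of this guide, the example rule gives Sunday 2003-04-06 14:30 and Saturday 2003-10-25 10:00, matching the sentence above; running the script for the current year is a quick way to confirm that a rule typed into the unit does what was intended before the first change-over arrives.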
Appendix A - New User Background Information
Users and Passwords
A username and password are necessary to log in to the BLACK BOX ® Advanced Console Server. The user root is predefined, with a password tslinux. A password should be configured as soon as possible to avoid unauthorized access.
/mnt
/opt - Location where packages not supplied with the operating system are stored.
/tmp - Location where temporary files are stored.
/usr - Contains most of the operating system files.
/var - Contains operating system data files.
Basic File Manipulation Commands
The basic file manipulation commands allow the user to copy, delete, and move files and create and delete directories.
cp file_name destination - Copies the file indicated by file_name to the path indicated by destination. a) cp text.txt /tmp
Exiting from vi. From the command mode, type ":" (colon).
When you enter the vi program, you are automatically in command mode. To navigate to the part of the file you wish to edit, use the following keys:
Table 15: vi navigation commands
h - Moves the cursor to the left (left arrow).
j - Moves the cursor to the next line (down arrow).
k - Moves the cursor to the previous line (up arrow).
l - Moves the cursor to the right (right arrow).
Having arrived at the location where text should be changed, use these commands to modify the text (note commands "i"...
The Routing Table
The BLACK BOX ® Advanced Console Server has a static routing table that can be seen using the commands:
route
netstat -rn
The file /etc/network/st_routes is the BLACK BOX ® Advanced Console Server's method for configuring static routes.
Ssh replaces its non-secure counterparts rsh and rlogin. There are two versions of the protocol, ssh (protocol 1) and ssh2. The BLACK BOX ® Advanced Console Server offers both; protocol 1 has known cryptographic weaknesses, so use ssh2 wherever the client supports it. The command to start an ssh client session from a UNIX workstation is:
ssh -t <user>@<hostname>...
ssh -t -2 mycompany:7001@16-port (openssh earlier than 3.1p1 - BLACK BOX ® Advanced Console Server
ssh -t mycompany:7001@16-port (openssh 3.1p1 or later - BLACK BOX ® Advanced Console Server version 2.1.0 or later -> ssh2 will be used)
ssh -t -1 mycompany:7001@16-port (openssh 3.1p1 or later - BLACK BOX ®...
Server_ip or Serial_port_ip> (if the ssh client is running under a session belonging to a username present only in the workstation’s database. In this case, the <user- name> indicated would have to be a username present in the BLACK BOX ® Advanced Console Server’s database).
BLACK BOX ® Advanced Console Server's ~/.ssh/authorized_keys2 file.
• Password Authentication is performed if the DSA key is not known to the BLACK BOX ® Advanced Console Server. Client start-up command: ssh -2 -t <TS_ip or Serial_port_ip>.
All files created or updated must have their full path and file name inside the file config_files and the command saveconf must be executed before rebooting the BLACK BOX ® Advanced Console Server. The Process Table The process table shows which processes are running. Type ps -a to see a table similar to that below.
The ts_menu script can be used to avoid typing long telnet or ssh commands. It presents a short menu with the names of the servers connected to the serial ports of the BLACK BOX ® Advanced Console Server. The server is selected by its corresponding number. ts_menu must be executed from a local session: via console, telnet, ssh, dumb terminal connected to a serial port, etc.
accessed. This is used when there is clustering (one BLACK BOX ® Advanced Console Server master box and one or more BLACK BOX ® Advanced Console Server slave boxes). If the user selects 1, the following screen is displayed:
Type 'q' to quit, a valid option [1-6], or anything else to refresh -u <name> : Username to be used in the ssh/telnet command. The default username is that used to log onto the BLACK BOX ® Advanced Console Server. -h : Lists script options.
Appendix B - Cabling, Hardware, and Electrical Specifications The power requirements, environmental conditions and physical specifications of the BLACK BOX ® Advanced Console Server are listed below. Table 20: BLACK BOX ® Advanced Console Server power requirements Power Specifications LS1016A...
Table 22: BLACK BOX ® Advanced Console Server physical conditions
Physical Information - LS1016A - LS1032A
External Dimensions - 17 in. x 8.5 in. x 1.75 in. - 17 in. x 8.5 in. x 1.75 in.
Weight - 6 lb....
Rear Panel LEDs
The Advanced Secure Console Port Server rear panel has connectors (serial, console and Ethernet) with some LEDs that have the following functionalities:
Ethernet Connector
Shows collision on the LAN every time the unit tries to transmit an Ethernet packet (collision).
1 stop-bit to indicate the end of a character). The baud rate in a RS-232 line translates directly into the data speed in bits per second (bps). Usual transmission speeds range between 9,600 bps and 19,200 bps (used in most automation and console applications) to 115,200 bps (used by the fastest modems).
Cable Length
The original RS-232 specifications were defined to work at a maximum speed of 19,200 bps over distances up to 15 meters (or about 50 feet).
(Black Box)
Chassis Safety Ground - Shell - Shell
Transmit Data (O)
Receive Data (I)
Data Terminal Ready (O)
Data Set Ready (I)
Data Carrier Detect (I)
Request To Send (O)
Clear To Send (I)
Signal Ground
First, look up the proper cable for your application in the table below. Next, purchase stan- dard off-the-shelf cables from a computer store or cable vendor. For custom cables, refer to the cable diagrams to build your own cables or order them from Black Box or a cable vendor. Table 25: Which cable to use...
RJ-45 to RJ-45 crossover (custom). A sample is included with the product.
• All Black Box Console Ports ("straight-through")
This custom cable can be ordered from Black Box or other cable vendors using the provided wiring diagram.
Cable Diagrams
Before using the following cable diagrams refer to the tables above to select the correct cable for your application.
Cable #1: Black Box RJ-45 to DB-25 Male, straight-through
Application: This cable connects Black Box products (serial ports) to modems and other DCE RS-232 devices. It is included in both Cable Package #1 and #2.
Cable #3: Black Box RJ-45 to DB-9 Female, crossover
This cable connects Black Box products (serial ports) to console ports, terminals, printers and other DTE RS-232 devices. If you are using Cable Package #1, after connecting the appropriate adapter to the RJ-45 straight-through cable, you will essentially have the cable shown in this picture.
This Adapter attaches to a Cat 3 or Cat 5 network cable. It is usually used in console management applications to connect Black Box products to a Sun Netra server or to a Cisco product. This cable is included in Cable Package #2.
This Adapter attaches to a Cat 3 or Cat 5 network cable. It is usually used in console management applications to connect Black Box products to a Sun Netra server or to a Cisco product. At one end of the adapter is the black CAT.5e Inline Coupler box with a female RJ-45 terminus, from which a 3-inch-long black Sun Netra-labeled cord extends, terminating in an RJ-45 male connector.
RJ-45 Female to DB-25 Female Adapter
The following adapter may be necessary. It is included in Cable Package #1.
RJ-45 DB-25F
Figure 36: RJ-45 Female to DB-25 Female Adapter
RJ-45 Female to DB-9 Female Adapter
The following adapter may be necessary.
This chapter begins with a table containing parameters common to all profiles, followed by tables with parameters specific to a certain profile. You can find samples of the pslave configuration files (pslave.conf, .cas, .ts, and .ras) in the /etc/portslave directory on the BLACK BOX ® Advanced Console Server box.
The lock directory, which is /var/lock for the BLACK BOX ® Advanced Console Server. It should not be changed unless the user decides to customize the operating system. Example value: /var/lock
Appendix C - The pslave Configuration File
Table 26: Parameters Common to CAS, TS, & Dial-in Access (Parameter - Description - Value for this Example)
all.dcd - DCD signal (sets the tty parameter CLOCAL). Valid values are 0 or 1. If all.dcd=0, a connection request will be accepted regardless of the DCD signal and the connection will not be closed if the DCD signal is set to DOWN.
made to the BLACK BOX ® Advanced Console Server. \n represents a new line and \r represents a carriage return. Expansion characters can be used here.
Table 26: Parameters Common to CAS, TS, & Dial-in Access
all.syswtmp - It defines whether portslave must write login records. Example value: yes/no
all.sttyCmd - The TTY is programmed to work as configured and this user-specific configuration is applied over that serial port. Example value: commented
This address indicates the location of the Radius/TacacsPlus authentication server and is only necessary if this option is chosen in the previous parameter. A second Radius/TacacsPlus authentication server can be configured with the parameter all.authhost2. Example value: 200.200.200.
Table 26: Parameters Common to CAS, TS, & Dial-in Access
all.accthost1 - This address indicates the location of the Radius/TacacsPlus accounting server, which can be used to track how long users are connected after being authorized by the authentication server. Example value: 200.200.200.
/etc/ldap.conf); kerberos (authentication is performed using a kerberos server. The IP address and other details of the kerberos server are defined in the file /etc/krb5.conf)
TacacsPlus server is down) Note that this parameter controls the authentication required by the BLACK BOX ® Advanced Console Server. The authentication required by the device to which the user is connecting is controlled separately.
TacacsPlus server is tried before another is contacted. The default, if not configured, is
all.secret - This is the shared secret necessary for communication between the BLACK BOX ® Advanced Console Server and the Radius/TacacsPlus servers. Example value: secret. (The example value is a placeholder: the secret authenticates the unit to the Radius/TacacsPlus server, so use a long, unique value that is not reused from another device.)
all.flow - This sets the flow control to hardware, software, or none. Example value: hard
CAS Parameters
You can configure additional CAS features with the parameters given in the following tables. (The is used as an example in some parameters.) In addition to the above parameters which are common to all local and remote access scenarios, you can also configure the following parameters for additional options.
conf.nat_clustering_ip - IP address of any BLACK BOX ® Advanced Console Server interface (master box). It is a public IP address (e.g. the Ethernet interface's IP address) and it is the one that must be used to connect to the slave's serial ports. Example value: 64.186.161.10
Table 27: Mostly CAS-specific Parameters
all.lf_suppress - This can be useful because telnetting (from DOS) from some OS such as Windows 98 produces an extra line feed, so two prompts appear whenever you press Enter.
If no traffic passes through the BLACK BOX ® Advanced Console Server for this period of time, the BLACK BOX ® Advanced Console Server will send a line status message to the remote device to see if the connection is still up.
all.socket_port - In the CAS profile, this defines an alternative labeling system for the BLACK BOX ® Advanced Console Server ports. The "+" after the numerical value causes the serial interfaces to be numbered consecutively. In this example, serial interface 1 is assigned the port value 7001, serial interface 2 is assigned the port value 7002, etc. Example value: 7001+
Data Buffering in Chapter 3). If local data buffering, a file is created on the BLACK BOX ® Advanced Console Server; if remote, a file is created through NFS in a remote server. All data received from the port is captured in this file.
Table 27: Mostly CAS-specific Parameters
all.DB_mode - When configured as cir for circular format, the buffer works like a revolving file at all times. The file is overwritten whenever the limit of the buffer size (as configured in all.data_buffering or s<n>.data_buffering) is reached.
When 2, the data buffering menu is not shown but the data buffering file is shown if not empty. When 3, the data buffering menu is shown, but without the erase and show and erase options.
Table 27: Mostly CAS-specific Parameters
all.alarm - When non-zero, all data received from the port are captured and sent to syslog-ng with level INFO and local[0+conf.DB_facility] facility. The syslog-ng.conf file should be set accordingly for syslog-ng to take some action (please see Generating Alarms...
Alias name given to the server connected to the serial port. Example value: Server_connected (serial1)
s1.pool_ipno - This is the default IP of the BLACK BOX ® Advanced Console Server's pool of serial ports. Any host can access a port from the... Example value: 192.168.2.1
In the CAS profile, this defines an alternative 3000 labeling system for the BLACK BOX ® Advanced Console Server pool of ports. In this example, serial interface 1 is assigned to the pool identified by port value 3001. Using s<serial port #>.pool_socket_port one can...
Page 332
This parameter is only necessary when authentica- tion is being performed for a port. When set to one, it is possible to log in to the BLACK BOX ® Advanced Console Server directly by placing a “!” before your login name, then using your normal password.
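As an added example (not from the guide), the Python below resolves a parameter for a given port using the precedence the tables describe, where a port-specific s<n>.<param> line overrides the all.<param> default, and expands the socket_port "7001+" convention into the actual TCP port for each serial interface. The pslave.conf excerpt is constructed for the example; the parameter names are the guide's and the function names are this example's own.

```python
# Added example (not from the guide): resolve the effective value of a
# pslave.conf parameter for one serial port and derive the TCP port clients use
# to reach it. A per-port s<n>.<param> line overrides the all.<param> default,
# and a socket_port ending in "+" numbers the interfaces consecutively
# (7001+ -> 7001, 7002, ...). The excerpt below is constructed for this example.

SAMPLE_PSLAVE = """\
# constructed pslave.conf excerpt (not a file shipped on the unit)
all.protocol        socket_server
all.socket_port     7001+
all.escape_char     ^z
all.data_buffering  0
s2.escape_char      ^a
s3.socket_port      7100
s5.data_buffering   32768
"""


def parse_pslave(text):
    """Return {parameter: value} from pslave.conf-style 'name value' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # '#' lines are commented out
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def effective(conf, port, param):
    """s<port>.<param> if configured, otherwise the all.<param> default (or None)."""
    return conf.get("s%d.%s" % (port, param), conf.get("all.%s" % param))


def socket_port(conf, port):
    """TCP port assigned to serial interface <port> (1-based), or None if unset."""
    value = effective(conf, port, "socket_port")
    if value is None:
        return None
    if value.endswith("+"):                   # consecutive numbering from a base
        return int(value[:-1]) + port - 1
    return int(value)


def port_map(conf, nports):
    """Serial interface -> TCP port for every interface on the unit."""
    return {p: socket_port(conf, p) for p in range(1, nports + 1)}


def buffered_ports(conf, nports):
    """Interfaces whose effective data_buffering is non-zero (a capture file exists)."""
    return [p for p in range(1, nports + 1)
            if int(effective(conf, p, "data_buffering") or 0) > 0]


if __name__ == "__main__":
    conf = parse_pslave(SAMPLE_PSLAVE)
    print("TCP port per serial interface:", port_map(conf, 8))
    print("escape char on port 2:", effective(conf, 2, "escape_char"))
    print("ports with data buffering:", buffered_ports(conf, 8))
```

The map it prints is the one to compare against the firewall or ACL in front of the unit: every listed TCP port is a path onto a serial console, so each should be reachable only from the management network, and the buffered ports are the ones whose capture files hold console output that may include credentials.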
Appendix C - The pslave Configuration File Table 28: TS Parameters Value for this Parameter Description Example all.telnet_client_ When the protocol is TELNET, this parameter con- mode figured as BINARY (1) causes an attempt to negoti- ate the TELNET BINARY option on both input and output with the Telnet server.
Server, it will disconnect the user, then call the user back. The following three parameters must be configured in the Radius Server:
attribute Service_type(6): Callback Framed;
attribute Framed_Protocol(7): PPP;
attribute Callback_Number(19): the dial number (example: 50903300).
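The three callback attributes as they travel in a RADIUS Access-Accept, as an added example (not the Console Server's or any RADIUS server's code). It assumes the RFC 2865 encoding: each attribute is Type, Length (including the two header bytes), Value; Service-Type is attribute 6 with value 4 for Callback Framed, Framed-Protocol is attribute 7 with value 1 for PPP, and Callback-Number is attribute 19 carrying a string. The packet bytes are constructed locally; the digits-only rule for the dial number is a conservative policy chosen for the example.

```python
"""Encode/decode the RADIUS attributes a callback profile needs (added example)."""
import struct

SERVICE_TYPE, FRAMED_PROTOCOL, CALLBACK_NUMBER = 6, 7, 19   # RFC 2865 attribute numbers
CALLBACK_FRAMED_USER, PPP = 4, 1                             # RFC 2865 enumerations


def encode_avp(attr_type, value):
    """One attribute: Type(1) Length(1) Value; integers are 4 bytes big-endian."""
    payload = struct.pack(">I", value) if isinstance(value, int) else value.encode("ascii")
    if not 1 <= len(payload) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes((attr_type, len(payload) + 2)) + payload


def decode_avps(blob):
    """Walk a run of attributes, refusing lengths that would read past the buffer."""
    avps, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        avps.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return avps


def callback_profile(avps):
    """Return the number to dial back only if all three attributes are present and agree."""
    found = {t: v for t, v in avps}
    if found.get(SERVICE_TYPE) != struct.pack(">I", CALLBACK_FRAMED_USER):
        return None
    if found.get(FRAMED_PROTOCOL) != struct.pack(">I", PPP):
        return None
    number = found.get(CALLBACK_NUMBER, b"").decode("ascii", "replace")
    # policy for this example: dial digits only, never an arbitrary modem string
    return number if number.isdigit() else None


def build_callback_reply(number):
    """The attribute section of an Access-Accept for a callback user (constructed)."""
    return (encode_avp(SERVICE_TYPE, CALLBACK_FRAMED_USER)
            + encode_avp(FRAMED_PROTOCOL, PPP)
            + encode_avp(CALLBACK_NUMBER, number))


if __name__ == "__main__":
    reply = build_callback_reply("50903300")
    print(reply.hex())
    print(callback_profile(decode_avps(reply)))   # 50903300
```

Because the dial-back number comes from the RADIUS server, the access server should treat it as untrusted input: the decoder above rejects malformed lengths and the profile check refuses anything that is not a plain number.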
Table 29: Dial-in configuration Parameters (Parameter / Description / Value for this Example)
all.pppopt: PPP options when user has already been authenticated. Value for this example:
all.pppopt %i:%j novj \
proxyarp modem asyncmap 000A0000 \
noipx noccp mtu %t mru %t netmask %m \
idle %I maxconnect %T \
plugin /usr/lib/libpsr.so...
Appendix D - Linux-PAM
Introduction
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users. In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses.
These modules, when called by Linux-PAM, perform the various authentication tasks for the application. Textual information, required from or offered to the user, can be exchanged through the use of the application-supplied conversation function.
The Linux-PAM Configuration File
Linux-PAM is designed to provide the system administrator with a great deal of flexibility in configuring the privilege-granting applications of their system. The local configuration of those aspects of system security controlled by Linux-PAM is contained in one of two places: either the single system file /etc/pam.conf or the /etc/pam.d/ directory.
password: This last module type is required for updating the authentication token associated with the user. Typically, there is one module for each ‘challenge/response’ based authentication (auth) module-type.
Control-flag
The control-flag is used to indicate how the PAM library will react to the success or failure of the module it is associated with. Since modules can be stacked (modules of the same type execute in series, one after another), the control-flags determine the relative importance of each module.
ignore: When used with a stack of modules, the module’s return status will not contribute to the return code the application obtains.
If the first character of the module path is ‘/’, it is assumed to be a complete path. If this is not the case, the given module path is appended to the default module path: /lib/security. Currently, the BLACK BOX ® Advanced Console Server has the following modules available:
Provides logdaemon style login access control.
pam_nologin: Provides standard Unix nologin authentication.
pam_permit: This module should be used with extreme caution. Its action is to always permit access. It does nothing else.
pam_radius: Provides Radius server authentication and accounting.
pam_rootok: This module is for use in situations where the superuser wishes to gain access to a service without having to enter a password.
pam_securetty: Provides standard UNIX securetty checking.
pam_time: Running a well-regulated system occasionally involves restricting access to certain services in a selective manner.
(from the preceding auth module), and use that. If that doesn’t work, then the user will not be authenticated. (This option is intended for auth and password modules only.)
In this case, the directory is filled with files, each of which has a filename equal to a service-name (in lower-case): the personal configuration file for the named service. The BLACK BOX ® Advanced Console Server Linux-PAM was compiled to use both /etc/pam.d/ and /etc/pam.conf in sequence.
The addition of the following lines before those in the above example would provide a suitable warning to the administrator.
# default; wake up! This application is not configured
OTHER auth required pam_warn.so
OTHER password required pam_warn.so
Having two “OTHER auth” lines is an example of stacking. On a system that uses the /etc/pam.d/ configuration, the corresponding default setup would be achieved with the following file:
# default configuration: /etc/pam.d/other
auth required pam_warn.so
auth required pam_deny.so...
In addition to the normal applications (login, su, sshd, passwd, and pppd), Black Box has also made portslave a PAM-aware application. Portslave requires four services configured in pam.conf: local, remote, radius, and tacplus. The portslave PAM interface takes any parameter needed to perform the authentication on the serial ports from the file pslave.conf.
# If Kerberos server is down, uses the local service
kerberosdownlocal auth requisite pam_securetty.so
kerberosdownlocal auth optional pam_auth_srv.so
kerberosdownlocal auth \
    [ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ] \
    pam_krb5.so no_ccache
kerberosdownlocal auth required pam_unix2.so
kerberosdownlocal account \
    [ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ] \
    pam_krb5.so no_ccache
kerberosdownlocal account required pam_unix2.so
kerberosdownlocal session \...
# The PAM configuration file for the `radius' service
radius auth requisite pam_securetty.so
radius auth required pam_radius_auth.so
radius auth optional pam_auth_srv.so
radius account required pam_radius_auth.so
radius session required pam_radius_auth.so
s_radius auth requisite pam_securetty.so
s_radius auth required pam_radius_auth.so use_first_pass
s_radius account required pam_radius_auth.so
s_radius session required pam_radius_auth.so
# The PAM configuration file for the `local' service
local auth requisite pam_securetty.so
local auth...
# The PAM configuration file for the `passwd' service
passwd password required pam_unix2.so md5
# The PAM configuration file for the `samba' service
samba auth required pam_unix2.so
samba account required pam_unix2.so
# The PAM configuration file for the `su' service
su auth required pam_wheel.so
su auth sufficient pam_rootok.so
su auth required pam_unix2.so
su account required pam_unix2.so
su session required pam_unix2.so
# Information for the PPPD process with the 'login' option.
auth required pam_nologin.so...
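How a stack such as kerberosdownlocal or su is walked, covering the Control-flag section, the stacking example and the pam.conf listings above, as an added simulation (not Linux-PAM's dispatcher and not Black Box's code). It models the dispatch rules as the editor understands them: required, requisite, sufficient and optional are expanded to the bracketed [value=action] form, and the actions ok, done, bad, die and ignore are applied in order. Module results are supplied by the caller, so no real module or password is involved; the pam.conf fragment is constructed, modelled on the listings, with an extra "unsafe" service to show why the manual warns about pam_permit.

```python
"""Simulate how Linux-PAM walks a service's auth stack (added example)."""

# Classic control words expressed in the [value=action] form they stand for.
CONTROL_WORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_pam_conf(text):
    """pam.conf lines (service type control module args) -> {(service, type): [(module, actions)]}."""
    stacks, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                  # continued on the next line
            pending += line[:-1] + " "
            continue
        tokens = (pending + line).split()
        pending = ""
        service, mtype = tokens[0].lower(), tokens[1].lower()
        if tokens[2].startswith("["):            # bracketed control: [ value=action ... ]
            close = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            words = " ".join(tokens[2:close + 1]).strip("[] ").split()
            actions = dict(w.split("=", 1) for w in words)
            module = tokens[close + 1]
        else:
            actions = CONTROL_WORDS[tokens[2].lower()]
            module = tokens[3]
        stacks.setdefault((service, mtype), []).append((module, actions))
    return stacks


def run_stack(stack, results):
    """Walk one stack; results maps module -> return value name (unlisted modules succeed).
    Returns (final status, modules actually called)."""
    impression, status, called = None, "perm_denied", []
    for module, actions in stack:
        retval = results.get(module, "success")
        called.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue                             # does not contribute to the result
        if action in ("ok", "done"):
            # a success only counts if nothing earlier has already failed
            if impression is None or (impression == "positive" and status == "success"):
                if impression is None and retval == "success":
                    impression = "positive"
                status = retval
            if action == "done" and impression == "positive":
                break                            # e.g. a 'sufficient' module succeeded
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break                            # e.g. a 'requisite' module failed
        else:
            raise ValueError(f"unsupported action {action!r} (jumps/reset not modelled)")
    if status == "success" and impression != "positive":
        status = "perm_denied"                   # nothing positively authenticated
    return status, called


def authenticate(conf_text, service, results):
    """Evaluate the auth stack of one service against the given module results."""
    return run_stack(parse_pam_conf(conf_text)[(service, "auth")], results)


# Constructed fragment modelled on the kerberosdownlocal and su listings above.
SAMPLE_CONF = """\
kerberosdownlocal auth requisite pam_securetty.so
kerberosdownlocal auth optional pam_auth_srv.so
kerberosdownlocal auth \\
    [ success=done new_authtok_reqd=done authinfo_unavail=ignore default=die ] \\
    pam_krb5.so no_ccache
kerberosdownlocal auth required pam_unix2.so
su auth required pam_wheel.so
su auth sufficient pam_rootok.so
su auth required pam_unix2.so
# what the manual warns about: pam_permit placed first lets everyone in
unsafe auth sufficient pam_permit.so
unsafe auth required pam_unix2.so
"""

if __name__ == "__main__":
    print(authenticate(SAMPLE_CONF, "kerberosdownlocal", {"pam_krb5.so": "authinfo_unavail"}))
    print(authenticate(SAMPLE_CONF, "unsafe", {"pam_unix2.so": "auth_err"}))
```

The Kerberos stack shows the intent of the bracketed control: an unreachable KDC (authinfo_unavail) is ignored and pam_unix2 decides, while a wrong password at the KDC (default=die) ends the stack without consulting the local file. The "unsafe" service shows that a sufficient pam_permit ahead of pam_unix2 returns success whatever pam_unix2 would have said.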
Reference
The Linux-PAM System Administrators’ Guide. Copyright (c) Andrew G. Morgan 1996-9. All rights reserved. Email: morgan@linux.kernel.org
Appendix E - Upgrades and Troubleshooting
Users should upgrade the BLACK BOX ® Advanced Console Server whenever there is a bug fix or new features that they would like to have. Below are the six files added by Black Box to the standard Linux files in the /proc/flash directory when an upgrade is needed. They are: •...
Note: Due to space limitations, the new zImage file may not be downloaded with a different name, then renamed. The BLACK BOX ® Advanced Console Server searches for a file named zImage when booting and there is no room in flash for two zImage files.
If the contents of flash memory are lost after an upgrade, please follow the instructions below to restore your system:
Step 1: Turn the BLACK BOX ® Advanced Console Server OFF, then back ON.
Step 2: Using the console, wait for the self test messages.
ASCII instead of binary; problems with flash memory. If the BLACK BOX ® Advanced Console Server booted properly, the interfaces can be verified using ifconfig and ping. If ping does not work, check the routing table using the command route.
Important! If any of the files listed in /etc/config_files is modified, the BLACK BOX ® Advanced Console Server administrator must execute the command saveconf before rebooting the BLACK BOX ® Advanced Console Server or the changes will be lost. If a file is created (or a filename altered), its name must be added to this file before executing saveconf and rebooting.
This will speed the resolution of most problems.
Hardware Test
A hardware test called tstest is included with the BLACK BOX ® Advanced Console Server firmware. It is a menu-driven program, run by typing tstest at the command prompt. The various options are described below.
Sample tstest port test output (columns From, Sent, Received, Passes, and Data, grouped under Packets and Errors) for the port pairs 2 <-> 2, 4 <-> 5, and 5 <-> 4.
When this test is run with a cable or connector without the DSR signal (see the pinout diagram for the cable or connector being used), errors will appear in the DSR column.
Single User Mode
The BLACK BOX ® Advanced Console Server has a single user mode used when:
• The name or password of the user with root privileges is lost or forgotten,
• After an upgrade or downgrade which leaves the BLACK BOX ®...
0030B270 00E18000
Linux/PPC load: root=/dev/ram
After printing “Linux/PPC load: root=/dev/ram,” the BLACK BOX ® Advanced Console Server waits approximately 10 seconds for user input. This is where the user should type “<sp>single” (spacebar, then the word “single”). When the boot process is complete, the Linux...
your system. If your ftp server is on the same network as the BLACK BOX ® Advanced Console Server, the gw and mask parameters are optional.
config_eth0 ip 200.200.200.1 mask 255.255.255.0 gw 200.200.200.5
At this point, the DNS configuration (in the file /etc/resolv.conf) should be checked.
Firmware boot from ((F)lash or (N)etwork) [F]
Boot type ((B)ootp,(T)ftp or Bot(H)) [T]
Boot File Name [zvmppctsbin]
Server's IP address [192.168.160.1]
Console speed [9600]
(P)erform or (S)kip Flash test [P]
(S)kip, (Q)uick or (F)ull RAM test [F]
Fast Ethernet ((A)uto Neg, (1)00 BtH, 100 Bt(F), 10 B(t)F, 10 Bt(H)) [A]
Fast Ethernet Maximum Interrupt Events [0]...
Note: The Ethernet error mentioned in the above table will occur automatically if the Fast Ethernet link is not connected to an external hub during the boot. If the Fast Ethernet is not being used or is connected later, this error can be ignored.
Appendix F - Certificate for HTTP Security
Introduction
The following configuration will enable you to obtain a Signed Digital Certificate. A certificate for the HTTP security is created by a CA (Certificate Authority). Certificates are most commonly obtained through generating public and private keys, using a public key algorithm like RSA or X509.
The certificate must be installed in the GoAhead Web server, by following these instructions:
Step A: Open a Black Box Terminal Server session and do the login.
Step B: Join the certificate with the private key into the file /web/server.pem.
Step E: Save the configuration in flash.
#saveconf
Step F: The certification will be effective in the next reboot.
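A check worth running on /web/server.pem before saveconf and the reboot, as an added example (not GoAhead's or Black Box's code). It verifies only the PEM framing of the joined file: that a CERTIFICATE block and a PRIVATE KEY block are both present, that their base64 is intact, and that each block's outer DER SEQUENCE declares exactly the number of bytes that decoded, which catches the truncation and line-damage that a paste or an ASCII-mode transfer typically causes. It does not prove that the key matches the certificate; that needs a TLS tool. The sample content is a constructed five-byte DER SEQUENCE standing in for real certificate and key material.

```python
"""Framing check for a server.pem built from certificate + private key (added example)."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_sequence_length(der):
    """Declared total length of the outer DER SEQUENCE, or None if it is not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                         # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_server_pem(text):
    """Return (block labels found, list of problems); an empty problem list means well formed."""
    labels, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            problems.append(f"{label}: corrupt base64")
            continue
        if der_sequence_length(der) != len(der):
            problems.append(f"{label}: DER length does not match block (truncated or damaged)")
        labels.append(label)
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    return labels, problems


# Constructed stand-in: a 5-byte DER SEQUENCE (30 03 02 01 05), not a real certificate or key.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(check_server_pem(SAMPLE_PEM))      # (['CERTIFICATE', 'RSA PRIVATE KEY'], [])
```

Run it against the real /web/server.pem on the box; a non-empty problem list means the file would fail to load at the next reboot, which is exactly when a console server is hardest to reach.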
IPsec problems. It covers some basic aspects of tunneling, the kinds of tunnels supported by the BLACK BOX ® Advanced Console Server IPsec implementation, how to configure the BLACK BOX ® Advanced Console Server and how to manage IPsec and the IPsec connections.
Without this, they cannot sensibly trust each other and cannot create a genuinely secure link. In the BLACK BOX ® Advanced Console Server IPsec implementation there are two methods of authentication: 1. A shared secret provides authentication. If Alice and Bob are the only ones who know a secret and Alice receives a message which could not have been created without that secret, then Alice can safely believe the message came from Bob.
Appendix G - IPSEC
The software parts
The IPsec software has three main parts:
KLIPS (kernel IPsec): Implements the IPsec code in the Linux kernel.
PLUTO: The user space IPsec. It negotiates connections with other systems.
Various scripts: Provide an administrator interface to the machinery.
# Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
# Close down old connection when new one using same ID shows up.
    uniqueids=yes
The variables set here are:
interfaces: Tells the IPsec code in the Linux kernel which network interfaces to use. The interfaces specified here are the only ones this gateway machine will use to communicate with other IPsec gateways.
Our example file has:
# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # How to authenticate gateways
    authby=rsasig
    # Load all connection descriptions by default
    # Some will override this with auto=start
    auto=add
Variables set here are:
keyingtries: How persistent to be in (re)keying negotiations (0 means very). For testing, you might wish to set this to some small number, perhaps even to 1, to avoid wasting resources on incorrectly set up connections.
Many of the variables in this file come in pairs such as leftsubnet and rightsubnet, one for each end of the connection. The variables on the left side are:
left: The gateway's external interface, the one it uses to talk to the other gateway. This can be left=%defaultroute.
leftnexthop: Where left should send packets whose destination is right, typically the first router in the appropriate direction. This need not always be set. If the two gateways are directly linked (packets can go from one to the other without IP routing by any intermediate device) then you need not set either leftnexthop or rightnexthop.
Example file for BLACK BOX ® Advanced Console Server-to-network connection
For a BLACK BOX ® Advanced Console Server-to-network connection, a simple network diagram looks like this:
BLACK BOX ® Advanced Console Server
interface e.f.g.h = left
interface e.f.g.i = leftnexthop...
    interfaces="%defaultroute"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
# defaults that apply to all connection descriptions
conn %default
    keyingtries=0
    # How to authenticate gateways
    authby=rsasig
# VPN connection for head office and branch office
conn head-branch
    # identity we use in authentication exchanges
    leftid=@head.example.com
    leftrsasigkey=0x175cffc641f...
Once a connection descriptor is in the IPsec internal database, IPsec will accept a request from the other end to start the security negotiation. You can also start the negotiation yourself, as explained in the next section.
Starting and Stopping a Connection
All the connections can be negotiated at boot time if these connections have the auto parameter set to start. However, if a certain connection doesn't have this option set, you can set it. Once a connection descriptor is in the IPsec internal database, you can start its negotiation using the command:
/usr/local/sbin/ipsec auto --up <connection name>...
DNS, or transmit it via an insecure method such as email.
Debugging Commands
IPsec look
The output of ipsec look appears as shown below:
[root@henrique root]# ipsec look
henrique Mon Oct 28 16:40:24 PST 2002
64.186.161.96/32 -> 64.186.161.128/32 => tun0x1006@64.186.161.128 esp0x4e1a10ce@64.186.161.128 (0)
64.186.161.96/32 and 64.186.161.128/32. You can also see the routing table for this host after the encryption information.
IPsec whack
The output of ipsec whack --status looks like this:
[root@henrique root]# ipsec whack --status
000 interface ipsec0/eth0 64.186.161.96
000 "teste": 64.186.161.96[@micro]...64.186.161.128[@BLACK BOX ® Advanced Console Server ]
As you can see, it shows almost the same information shown by the ipsec auto --up command. You can use this command if the up command doesn't show anything on the screen (it can happen depending on the BLACK BOX ® Advanced Console Server syslog configuration).
IPsec and Road Warriors
IPsec, Security for the Internet Protocol
FreeS/WAN is a Linux implementation of the IPsec (IP security) protocols.
Applications of IPsec
Because IPsec operates at the network layer, it is remarkably flexible and can be used to secure nearly any type of Internet traffic. Two applications, however, are extremely widespread:
• A Virtual Private Network, or VPN, allows multiple sites to communicate with the Console Server securely over an insecure Internet by encrypting all communication between the sites and the Console Server.
IPsec software.
“Road Warrior” remote access
A common requirement is for connections between a Console Server and some set of remote machines. For example, one administrator may want to access the Console Server from wherever he might be. We refer to the remote machines as “Road Warriors.” For purposes of IPsec, anyone with a dynamic IP address is a Road Warrior.
Information exchange
To set up a Road Warrior connection, you need some information about the system on the other end.
Adding Road Warrior support so people can connect remotely to your Console Server is straightforward.
conn gate-xy
    left=1.2.3.4
    leftid=@acs.example.com
    leftrsasigkey=0s1LgR7/oUM...
    # allow connection attempt from any address
    # attempt fails if caller cannot authenticate
    right=%any
    # authentication information
# The network here looks like:
#   BLACK BOX ® Advanced Console Server ----acsnexthop..rightnexthop----right====rightsubnet
# If BLACK BOX ® Advanced Console Server and right are on the same Ethernet, omit leftnexthop and rightnexthop.
conn sample
    # BLACK BOX ® Advanced Console Server
    left=10.0.0.1...
To build a connection, the Console Server and the other end must be able to authenticate each other. For FreeS/WAN, the default is public key authentication based on the RSA algorithm. IPsec does allow several other authentication methods.
IPsec implementations. Exchanging authentication keys Once your BLACK BOX ® Advanced Console Server's key is in ipsec.secrets, the next step is to send your public key to everyone you need to set up connections with and collect their public keys.
(Names must start with a letter and may contain only letters, digits, periods, underscores, and hyphens.) All subsequent non-empty lines which begin with white space are part of the section; comments within a section must begin with white space too. There may be only one section of a given type with a given name. Lines within the section are generally of the following form:
    parameter=value
(Note the mandatory preceding white space.) There can be white space on either side of the =.
The following parameters are relevant to both automatic and manual keying. Unless otherwise noted, for a connection to work, in general it is necessary for the two ends to agree exactly on the values of these parameters.
type: The type of the connection. Currently the accepted values are: tunnel (the default), signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; transport, signifying host-to-host transport mode; and passthrough (supported only for manual keying), signifying that no IPsec processing should be done at all.
pfs: Whether Perfect Forward Secrecy of keys is desired on the connection's keying channel. (With PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier.) Acceptable values are yes (the default) and no.
keylife: How long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. Acceptable values are an integer optionally followed by s (a time in seconds) or a decimal number followed by m, h, or d (a time in minutes, hours, or days respectively) (default 8.0h, maximum 24h).
At present, the only config section known to the IPsec software is the one named setup, which contains information used when the software is being started. Here's an example:
config setup
    interfaces="ipsec0=eth1 ipsec1=ppp0"
    klipsdebug=none
    plutodebug=all
    manualstart=
    plutoload="snta sntb sntc sntd"
    plutostart=
Parameters are optional unless marked “required.” The currently-accepted parameter names in a config setup section are:
Recommended Configuration
Certain parameters are now strongly-recommended defaults, but cannot (yet) be made system defaults due to backward compatibility. Recommended config setup parameters are: •...
The ipsec daemon is automatically initialized when you first boot your Console Server equipment after you have uncommented the IPsec lines in /etc/inittab and /etc/config_files. Rebooting your BLACK BOX ® Advanced Console Server is not mandatory. However, you can start the IPsec daemon by using the command:
/usr/local/sbin/ipsec setup
This program accepts the options: --start, --stop, and --restart.
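The ipsec.conf layout rules given above (section headers at column 0, indented parameter=value lines with optional spaces around the =, the section-name syntax, one section per type and name, conn %default applying to later conns, config setup as the only config section) together with the documented defaults for type, pfs and keylife, as an added parser (not FreeS/WAN's own parser and not the Console Server's code). The ipsec.conf text is constructed for the example, modelled on the head-branch listing; the keylife syntax follows the keylife entry above.

```python
"""Parser for the ipsec.conf layout described in this appendix (added example)."""
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")
KEYLIFE_RE = re.compile(r"^(\d+)s?$|^(\d+(?:\.\d+)?)([mhd])$")
MAX_KEYLIFE = 24 * 3600


def parse_ipsec_conf(text):
    """Return {(type, name): {param: value}}; later conns inherit conn %default."""
    sections, defaults, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[0] not in " \t":                      # column 0: section header or top-level comment
            if raw.startswith("#"):
                continue
            parts = raw.split()
            if len(parts) != 2 or parts[0] not in ("config", "conn"):
                raise ValueError(f"line {lineno}: bad section header {raw!r}")
            stype, name = parts
            if stype == "config" and name != "setup":
                raise ValueError(f"line {lineno}: only 'config setup' is known")
            if stype == "conn" and name != "%default" and not NAME_RE.match(name):
                raise ValueError(f"line {lineno}: illegal section name {name!r}")
            if (stype, name) in sections:
                raise ValueError(f"line {lineno}: duplicate section {stype} {name}")
            if stype == "conn" and name == "%default":
                current = defaults
            elif stype == "conn":
                current = dict(defaults)             # inherit what %default has set so far
            else:
                current = {}
            sections[(stype, name)] = current
            continue
        line = raw.strip()
        if line.startswith("#"):
            continue                                  # indented comment inside a section
        if current is None:
            raise ValueError(f"line {lineno}: parameter before any section header")
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected parameter=value")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value.strip('"')
    return sections


def keylife_seconds(value="8.0h"):
    """keylife: integer [s], or decimal number with m/h/d; default 8.0h, maximum 24h."""
    m = KEYLIFE_RE.match(value)
    if not m:
        raise ValueError(f"bad keylife {value!r}")
    if m.group(1) is not None:
        seconds = int(m.group(1))
    else:
        seconds = float(m.group(2)) * {"m": 60, "h": 3600, "d": 86400}[m.group(3)]
    if seconds > MAX_KEYLIFE:
        raise ValueError(f"keylife {value!r} exceeds the 24h maximum")
    return int(seconds)


def connection_settings(sections, name):
    """Resolved settings for one conn, applying the documented defaults and value checks."""
    conn = sections[("conn", name)]
    ctype, pfs = conn.get("type", "tunnel"), conn.get("pfs", "yes")
    if ctype not in ("tunnel", "transport", "passthrough"):
        raise ValueError(f"{name}: unknown type {ctype!r}")
    if pfs not in ("yes", "no"):
        raise ValueError(f"{name}: pfs must be yes or no")
    return {"type": ctype, "pfs": pfs,
            "keylife_seconds": keylife_seconds(conn.get("keylife", "8.0h")),
            "authby": conn.get("authby"), "auto": conn.get("auto")}


# Constructed ipsec.conf modelled on the head-branch example; addresses are placeholders.
SAMPLE_IPSEC_CONF = """\
# debug and startup settings
config setup
    interfaces="%defaultroute"
    klipsdebug=none
    plutodebug=none

conn %default
    # defaults for subsequent connection descriptions
    keyingtries=0
    authby=rsasig
    auto=add

conn head-branch
    left=%defaultroute
    leftid=@head.example.com
    right=1.2.3.4
    rightid=@branch.example.com
    keylife = 1.5h
    auto=start
"""

if __name__ == "__main__":
    sections = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    print(connection_settings(sections, "head-branch"))
```

Feeding the box's real /etc/ipsec.conf through this before running ipsec setup --restart flags the mistakes that otherwise only show up as a silent negotiation failure: an unindented parameter, a duplicated conn name, a keylife over the 24h ceiling, or a pfs=no that was meant to be temporary.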
Appendix H - Web User Management
Introduction
In the BLACK BOX ® Advanced Console Server Web server, the user database is completely separated from the system’s (as defined in the /etc/passwd file), and the logic used for managing permissions is also different. The Web’s user database is stored in the /etc/websum.conf file, and it has basically three lists: users, user groups and access limits.
Figure 43: Access Limit List default page
How Web User Management works
When a user logs in, the username and the password are encrypted and stored in the browser. Whenever a URL is requested, the User Manager will perform the following tasks:
Task 1: Check the URL in the Access Limit List
The Web server first scans for the full URL, and then it looks for the subdirectories, until reaching the root directory “/.”
The access limits have privileges based on the functionality of the Web page.
• There are four different groups (root, monitor, admin and user), each one with a specific privilege.
• There is one root user (username is root and password is linux).
Changing the Root Password
The first thing to do after logging into a Web session the first time must be to change the root password. See Security Issue under
Step 1: Click on the link Web User Management > Users.
Step 2: Select the root user and click the Change Password button.
Step 5: Click on the Save Configuration button. This will save the users added in the file /etc/websum.conf.
Step 6: Click on the link Administration > Load/Save Configuration.
Step 7: Click on the Save to Flash button.
Adding and Deleting User Groups
The default configuration already comes with four user groups, and, for most cases, they will be enough. However, you have the option of editing the user groups.
Adding a group
Step 1: Click on the link Web User Management >...
For example, a page with ADMINISTRATOR privilege should be placed in /adm.
Adding an Access Limit
Step 1: Click on the link Web User Management > Access Limits.
Step 2: Click on the Add Access Limit button.
Step 3: Configure the new access limit. Type the URL (or the subdirectory), and select the access privilege. If authentication is required to access the page, select COOKIE ACCESS; otherwise, select FULL ACCESS. If this page is confidential, check the Secure box.
Step 4: Click on the Submit button.
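The lookup that Task 1 describes and the way an access limit's settings decide a request, as an added model (not the GoAhead server's or Black Box's code). It follows the documented scan order (full URL, then each parent subdirectory, down to "/") and the COOKIE ACCESS / FULL ACCESS / Secure semantics. The mapping from the four default groups to privileges, the ranking user < monitor < admin < root, and deny-by-default when no entry covers a URL are assumptions made for the example; the manual only says each group has a specific privilege. The access limits and URLs are constructed, placing ADMINISTRATOR pages under /adm as the text suggests.

```python
"""Model of the Access Limit List lookup and decision (added example)."""
from urllib.parse import urlsplit

# Assumed: which privilege each default group carries, and how the privileges rank.
GROUP_PRIVILEGE = {"user": "USER", "monitor": "MONITOR", "admin": "ADMINISTRATOR", "root": "ROOT"}
PRIVILEGE_RANK = {"USER": 1, "MONITOR": 2, "ADMINISTRATOR": 3, "ROOT": 4}


class AccessLimit:
    """One Access Limit List entry: required privilege, COOKIE vs FULL access, Secure flag."""

    def __init__(self, privilege, cookie_access=True, secure=False):
        self.privilege, self.cookie_access, self.secure = privilege, cookie_access, secure


def candidate_paths(url):
    """Yield the full path, then each parent subdirectory, ending with the root '/'."""
    path = urlsplit(url).path or "/"
    if not path.startswith("/"):
        path = "/" + path
    yield path
    while path not in ("", "/"):
        path = path.rsplit("/", 1)[0]
        yield path or "/"


def find_limit(limits, url):
    """First matching entry in scan order, or (None, None) if nothing covers the URL."""
    for candidate in candidate_paths(url):
        if candidate in limits:
            return candidate, limits[candidate]
    return None, None


def authorize(limits, url, user_group=None, over_https=False):
    """Decide one request; returns (allowed, reason)."""
    matched, limit = find_limit(limits, url)
    if limit is None:
        return False, "no access limit covers this URL"       # deny by default (assumption)
    if limit.secure and not over_https:
        return False, f"{matched}: Secure page, HTTPS required"
    if not limit.cookie_access:
        return True, f"{matched}: FULL ACCESS, no login needed"
    if user_group is None:
        return False, f"{matched}: COOKIE ACCESS, login required"
    have = PRIVILEGE_RANK[GROUP_PRIVILEGE[user_group]]
    if have < PRIVILEGE_RANK[limit.privilege]:
        return False, f"{matched}: needs {limit.privilege}, group {user_group} is below it"
    return True, f"{matched}: group {user_group} permitted"


# Constructed list in the spirit of the default page: ADMINISTRATOR pages live under /adm.
SAMPLE_LIMITS = {
    "/": AccessLimit("USER"),
    "/adm": AccessLimit("ADMINISTRATOR", secure=True),
    "/images": AccessLimit("USER", cookie_access=False),
}

if __name__ == "__main__":
    for req in ("/adm/users.asp", "/status.asp", "/images/logo.gif"):
        print(req, authorize(SAMPLE_LIMITS, req, "user", over_https=True))
```

Because the scan stops at the most specific entry, a FULL ACCESS entry placed on a subdirectory under /adm would bypass the ADMINISTRATOR requirement of its parent; when reviewing the list, check that every entry below a protected directory carries at least the parent's privilege.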
Appendix I - Connect to Serial Ports from Web
Introduction
Depending on how the serial port is configured, connecting to a serial port will either open up a telnet or ssh connection. A serial port configured as socket_server or raw_data will open up a telnet connection while socket_ssh will open up an ssh connection.
IE will recognize it. If you choose not to install Sun Java through Netscape but do it separately, Netscape 7.0 should automatically detect the JRE, and this can be checked by the instructions mentioned above.
Step-by-Step Process
Step 1: Point your browser to the Console Server. In the address field of your browser type the Console Access Server’s IP address. For example: http://10.0.0.0
Step 2: Log in. Log in with a user configured in the Web User Management section, and its password.
Closing the popup window will also disconnect you from the server.
Step 9: Reconnect to port. Refresh the current page by clicking on the refresh icon at the upper right hand corner of the window.
BLACK BOX ® Advanced Console Server.
Console Access Server
With the BLACK BOX ® Advanced Console Server set up as a CAS you can access a server connected to the BLACK BOX ® Advanced Console Server through the server’s serial console port from a workstation on the LAN or WAN.
Appendix J - Examples for Config Testing
The following diagram shows additional scenarios for the BLACK BOX ® Advanced Console Server: both remote and local authentication, data buffering, and remote access.
Figure 46: CAS diagram with various authentication methods
As shown in the above figure, our “CAS with local authentication”...
Appendix B - Cabling, Hardware, and Electrical Specifications for pin-out diagrams.
Step 3: Confirm that server is set to same parameters as the BLACK BOX ® Advanced Console Server. The BLACK BOX ® Advanced Console Server has been set for communication at 9600 bps, 8N1.
COM port is emulated to the application.
Terminal Server
The BLACK BOX ® Advanced Console Server provides features for out-of-band management via the configuration of terminal ports. All ports can be configured as terminal ports. This allows a terminal user to access a server on the LAN.
Appendix B - Cabling, Hardware, and Electrical Specifications for pin-out diagrams.
Step 4: Confirm that terminals are set to same parameters as the BLACK BOX ® Advanced Console Server. The BLACK BOX ® Advanced Console Server has been set for communication at 9600 bps, 8N1.
LAN. Radius authentication is used in this example and ppp is chosen as the protocol on the serial (dial-up) lines. Black Box recommends that a maximum of two ports be configured for this option.
Step 6: Perform a test dial-in. Try to dial in to the BLACK BOX ® Advanced Console Server from a remote computer using the username and password configured in step one. The computer dialing in must be configured to receive its IP address from the remote access server (the BLACK BOX ®...
Appendix K - Wiz Application Parameters
Terminal Server Profile Other Parameters (wiz --tso)
• Host
• Term
• Conf.locallogins
Appendix L - Copyrights
References
The Advanced Secure Console Port Server is based on the HardHat Linux distribution, developed by Montavista Software for embedded systems. Additionally, several other applications were incorporated into the product, in accordance with the free software philosophy.
COPYRIGHT: This product includes software developed by Eric Young (eay@cryptsoft.com)
IPtables: Netfilter IPtables version 1.2.2. Extracted from the HardHat Linux distribution. http://www.netfilter.org
Linux Kernel: Linux Kernel version 2.4.18. Extracted from the HardHat Linux distribution. http://www.kernel.org
Net-SNMP: SourceForge Net-SNMP project version 5.0.3. http://sourceforge.net/projects/net-snmp/
NTP client: http://doolittle.faludi.com/ntpclient/
OpenSSH: OpenSSH version 3.5p1. http://www.openssh.org
COPYRIGHT: This product includes software developed by the University of California, Berkeley and its contributors.
OpenSSL: OpenSSL Project version 0.9.6g. http://www.openssl.org
COPYRIGHT: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
Tinylogin: TinyLogin version 0.80. ftp://ftp.lineo.com/pub/tinylogin/
WEBS: GoAhead WEBS version 2.1 (modified). http://goahead.com/webserver/webserver.htm Copyright (c) 20xx GoAhead Software, Inc. All Rights Reserved
ZLIB: zlib version 1.1.4. http://www.gzip.org/zlib/
Glossary
Authentication
Authentication is the process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Usage setup of the Advanced Secure Console Port Server: either as a Console Access Server (CAS), a Terminal Server, or a Remote Access Server.
RADIUS
Protocol between an authentication server and an access server to authenticate users trying to connect to the network.
RISC
Reduced Instruction Set Computer. This describes a computer processor architecture that uses a reduced set of instructions (and achieves performance by executing those instructions very fast). Most UNIX servers (Sun Sparc, HP, IBM RS6000, Compaq Alpha) were designed with a processor using a RISC architecture.
A standard computer rack has an internal width of 17 inches. Rack space on a standard rack is measured in units of height (U). One U is 1.75 inches. A device that has a height of 3.5 inches takes 2U of rack space.