This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See "Cisco AAA Case Study Overview" for the network requirements and environment details of this case study. Figure 3-1 illustrates the general networking environment in which this CSU is implemented.
These sections focus on the following topics:
These procedures help you install CiscoSecure for UNIX:
You must create an Oracle tablespace with a minimum size of 200 MB. The notes listed in this section are for reference.
Note Ensure that an experienced Oracle database administrator (DBA) tunes and configures the database.
For detailed Oracle installation notes, go to the following location:
Example of creating an Oracle tablespace and the database account that CiscoSecure will use:

<CSUserver>$su - oracle
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
<CSUserver>$$ORACLE_HOME/bin/svrmgrl

Oracle Server Manager Release 2.3.4.0.0 - Production

Copyright (c) Oracle Corporation 1994, 1995. All rights reserved.

Oracle7 Server Release 7.3.4.0.1 - Production
With the distributed option
PL/SQL Release 2.3.4.0.0 - Production

SVRMGR>connect internal
Connected.
SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m;
Statement processed.
SVRMGR>create user csecure identified by csecure default tablespace cstb;
Statement processed.
SVRMGR>grant dba to csecure identified by csecure;
Statement processed.
SVRMGR>exit
Server Manager complete.

The grant dba statement makes the csecure account an administrator of the whole instance. The installation dialog later in this chapter only shows the installer creating tables and views and loading data in the csecure default tablespace, so a DBA who must follow least privilege can grant the account narrower privileges instead; Step 3 below shows the privilege listing the installation expects to see. Also note that the example uses a password identical to the username; choose a real password on a production server.
Before you install CiscoSecure for UNIX, make sure the Oracle server is running and confirm the following five items:

Step 1 Confirm that ORACLE_HOME is set in the environment of the account that will run the installation:

<CSUserver>$env | grep ORACLE_HOME
ORACLE_HOME=/opt/oracle/product/7.3.4
Note This environment variable should have been configured during Oracle installation by the DBA.
Step 2 Confirm that the Oracle server is running:

<CSUserver>$ps -ef |grep smon
oracle 819 1 0 Feb 26 ? 0:00 ora_smon_ciscosj

The command returns the ora_smon_<SID> process if the server is running; here the database instance (SID) is ciscosj. If the server is down, log in as the Oracle software owner on the UNIX host (the oracle account used in the tablespace example above; csecure/csecure is the database account created there, not a UNIX login) and start the database with Server Manager (svrmgrl) and the Oracle listener (lsnrctl) as follows:
<CSUserver>$$ORACLE_HOME/bin/svrmgrl
SVRMGR>connect internal
SVRMGR>startup
ORACLE instance started.
Total System Global Area    4576056 bytes
Fixed Size                    39816 bytes
Variable Size               4118448 bytes
Database Buffers             409600 bytes
Redo Buffers                   8192 bytes
Database mounted.
Database opened.
<CSUserver>$$ORACLE_HOME/bin/lsnrctl start
LSNRCTL for Solaris: Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46
Copyright (c) Oracle Corporation 1994. All rights reserved.
Starting /opt/oracle/product/7.3.4/bin/tnslsnr: please wait...
TNSLSNR for Solaris: Version 2.3.4.0.0 - Production
System parameter file is /opt/oracle/product/7.3.4/network/admin/listener.ora
Log messages written to /opt/oracle/product/7.3.4/network/log/listener.log
Listening on: (ADDRESS=(PROTOCOL=ipc)(DEV=10)(KEY=ciscoaus))
Listening on: (ADDRESS=(PROTOCOL=ipc)(DEV=13)(KEY=PNPKEY))
Listening on: (ADDRESS=(PROTOCOL=tcp)(DEV=15)(HOST=172.22.53.204)(PORT=1521))
Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 2.3.4.0.0 - Production
Start Date                12-APR-00 09:40:50
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  OFF
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/7.3.4/network/admin/listener.ora
Listener Log File         /opt/oracle/product/7.3.4/network/log/listener.log
Services Summary...
  ciscoaus              has 1 service handler(s)
The command completed successfully

In the status block, Security OFF means that no listener password is configured in listener.ora, so any local user who can run lsnrctl can stop the listener and take the AAA database off line. Have the DBA set a listener password on a production server.
Step 3 Confirm that the Oracle database account and password work and carry the expected privileges:

<CSUserver>$sqlplus csecure/csecure@ciscosj
SQL>select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CSECURE                        UNLIMITED TABLESPACE                     NO

Note Ensure that the assigned resource role/privilege for the username and password is as shown.

The command returns a table with a column listing the privileges granted to the Oracle database account. The default tablespace assigned to the Oracle database account must be at least 200 MB; the installation script verifies the size. Giving the password on the sqlplus command line exposes it in the process list (ps -ef) to every user on the host; on a shared system, run sqlplus csecure@ciscosj and enter the password at the prompt instead.
Step 4 To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows:
<CSUserver>$$ORACLE_HOME/bin/tnsping ciscosj
TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28
Copyright (c) Oracle Corporation 1995. All rights reserved.
Attempting to contact (ADDRESS=(PROTOCOL=TCP)(Host=CSUserver)(Port=1521))
OK (80 msec)
Step 5 Ensure that the number of Oracle RDBMS connections assigned to CiscoSecure is less than the PROCESSES parameter in the initciscosj.ora file. PROCESSES is the maximum number of user processes that can connect to an Oracle Server at the same time, and the instance's mandatory background processes take some of those slots; this case study reserves at least four of them. With PROCESSES set to 20, for example, only 13 or 14 concurrent connections remain for CiscoSecure. In this case study PROCESSES is set to 50, and the installation dialog later in this chapter also assigns 50 connections to CiscoSecure. That leaves no headroom and breaks the rule just stated, so in practice raise PROCESSES (or lower the CiscoSecure connection count) until the connection count plus the background processes is below PROCESSES.
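The five checks above, written as a small pre-install script. This is an added example and is not part of the Cisco case study or of the CiscoSecure product. Each check is a shell function that reads captured text (ps output, an init<SID>.ora file), so the logic can be exercised offline; the live section at the end runs only when ORACLE_HOME is set. Two details are assumptions not stated on the page: the parameter file lives at $ORACLE_HOME/dbs/init<SID>.ora, and the TNS alias passed to tnsping is the same as the SID (ciscosj in the case study). The CSU_DB_CONNECTIONS variable is the script's own.

```shell
#!/bin/sh
# Added example (not from the Cisco case study): the Oracle pre-checks above
# as functions. Each one reads its input from stdin or arguments so the logic
# can be run against captured text; the live section at the end runs them on
# the real host only when ORACLE_HOME is set. Assumptions not stated on the
# page: the parameter file is $ORACLE_HOME/dbs/init<SID>.ora and the TNS
# alias used for tnsping is the same as the SID (ciscosj in the case study).

# SID of the running instance, taken from the ora_smon_<SID> process in
# "ps -ef" output (Step 2). Prints nothing and returns 1 if absent.
smon_sid() {
    sed -n 's/.*ora_smon_\([A-Za-z0-9_]*\).*/\1/p' | head -n 1 | grep .
}

# Number of Oracle background processes (ora_<name>_<SID>) in "ps -ef" output.
# Each one occupies a PROCESSES slot, so they are reserved before CiscoSecure's
# share is chosen (Step 5).
background_count() {
    grep -c "ora_[a-z0-9]*_$1" || true
}

# PROCESSES from an init<SID>.ora stream. Tolerates mixed case, whitespace and
# a trailing "# comment"; prints 0 when the parameter is missing.
init_processes() {
    awk -F= '
        tolower($1) ~ /^[ \t]*processes[ \t]*$/ {
            v = $2; sub(/^[ \t]*/, "", v); sub(/[ \t#].*$/, "", v)
        }
        END { print v + 0 }'
}

# Largest CiscoSecure connection count that still satisfies the rule
# "connections < PROCESSES" once the background processes are reserved.
max_connections() {
    echo $(( $1 - $2 - 1 ))
}

# connections_fit PROCESSES BACKGROUND CONNECTIONS -> exit 0 when there is room
connections_fit() {
    [ "$3" -le "$(max_connections "$1" "$2")" ]
}

# Live run on the CSU host; skipped when ORACLE_HOME is not set.
if [ -n "${ORACLE_HOME:-}" ]; then
    sid=$(ps -ef | smon_sid) ||
        { echo "no ora_smon_* process: start the instance first (Step 2)" >&2; exit 1; }
    bg=$(ps -ef | background_count "$sid")
    procs=$(init_processes < "$ORACLE_HOME/dbs/init$sid.ora")
    want=${CSU_DB_CONNECTIONS:-4}          # the installer's default value
    echo "SID=$sid background=$bg PROCESSES=$procs max CiscoSecure connections=$(max_connections "$procs" "$bg")"
    connections_fit "$procs" "$bg" "$want" ||
        { echo "PROCESSES=$procs is too low for $want CiscoSecure connections" >&2; exit 1; }
    "$ORACLE_HOME/bin/tnsping" "$sid" >/dev/null ||
        { echo "tnsping $sid failed: check tnsnames.ora and the listener (Step 4)" >&2; exit 1; }
fi
```

Run it as the account that will perform the installation, with CSU_DB_CONNECTIONS set to the value you intend to give the installer; with an instance that shows six ora_* background processes and PROCESSES=20, the script reports 13 as the largest safe connection count, and with PROCESSES=50 it rejects the case study's choice of 50 connections.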
The general steps and output that follow apply to the installation dialog for CiscoSecure for UNIX (CSU) on a Sun Solaris workstation. Installation consists of the following steps:
1. Start the CSU installation process by invoking the pkgadd program.
2. Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function.
3. Create the /var/log/csuslog file.
4. Configure the AAA server for maximum-level debugging.
5. Restart the AAA server.
6. Signal the syslog daemon to re-read its configuration.
The process that follows illustrates the general installation sequence. Extraneous output was omitted where noted for brevity.
Note The following installation process requires approximately 20 minutes.
Step 1 Start the CSU installation process by invoking the pkgadd program.

<CSUserver>$pkgadd -d CiscoSecure-2.3.3.solaris
The following packages are available:
1 CSCEacs CiscoSecure Access Control Software
(sun4) 2.3(3)
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:1
Processing package instance <CSCEacs> from </opt/install/ciscosecure/CiscoSecure
-2.3.3.solaris>
CiscoSecure Access Control Software
(sun4) 2.3(3)
Copyright(c) 1996-1999 Cisco Systems, Inc.
CiscoSecure Access Control Server
Version 2.3(3)
All Rights Reserved.
Copyright (c) 1994-1999 Netscape Communications Corporation
Copyright (c) 1988-1999 Sybase, Inc.
Trade Mark WebLogic, Inc.
Notice:
By using this product, you agree to be bound by the terms of
the license supplied with this product. If you do not agree
to these terms, promptly return the unused product, manuals,
related equipment, and hardware (with proof of purchase) to
the place of purchase for a full refund.
To install this product, you must agree to accept the terms
of the enclosed license [accept=y,exit=n,exit=q]: y
checking patches...
************************************************************************
* Notice: *
* This installation program saves your Database files from a previous *
* CiscoSecure install. If you have not installed CiscoSecure before, *
* you should answer YES to the next question. If you have performed *
* a 'package remove' and are installing a new version of CiscoSecure *
* and want to retain your previous Database files, you should answer *
* NO to the next question. *
************************************************************************
Is this a new install (y/n/q) (default: yes, q to quit)?y
Enter the directory name in which to install CiscoSecure [?,q]/opt/ciscosecure
IP Address to use for CiscoSecure (default: 172.23.25.41) [?,q]
If the hostname of this server is not the same as its fully qualified domain
name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter
to use the default (default: CSUserver) [?,q]
Enter the AAA Server License key (default: <none>) [?,q]
Enter the TACACS+ NAS name to use (default: <none>) [?,q]
Enter the TACACS+ NAS Secret key (default: SECRET12345) [?,q]ciscorules
Select any or all Token Cards to use
1 CryptoCard
2 Secure-Computing SafeWord
3 SDI SDI Token Card
Enter selection (default: none) [?,??,q]:
Choose Database
1 SQLAnywhere Sybase SQL Anywhere
2 ORACLE Oracle Enterprise
3 SYBASE Sybase Enterprise
Enter selection (default: SQLAnywhere) [?,??,q]:2
Enter the username for the ORACLE DB account [?,q]csecure
Enter the password for the ORACLE DB account [?,q]csecure
Enter the TNS service name for the Oracle Server [?,q]ciscosj
Enter the ORACLE_HOME directory [?,q]/opt/oracle/product/7.3.4
Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server
process (default: 9900) [0-65535,?,q]
Enter a unique name for the CiscoSecure DB Server Process (default:
CSdbServer) [?,q]
Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q]50
Enter the directory Path to use for the AAA server profile caching
(default: /, q to quit)?
Modify any selections below?
New CiscoSecure Install YES
CiscoSecure Directory /opt/ciscosecure
CiscoSecure IP Address 172.23.25.41
CiscoSecure Web Server Name CSUserver
Profile Cache Directory /
AAA License Key <none>
TACACS+ NAS Name <none>
TACACS+ NAS Secret Key SECRET12345
Token Cards selected none
Data Base ORACLE
DB User Account Name csecure
DB User Account Passwd csecure
Oracle TNS Name ciscosj
Oracle Home /opt/oracle/product/7.3.4
CiscoSecure DB Server IP Address 172.23.25.41
CiscoSecure DB Server Port 9900
CiscoSecure DB Server Proc Name CSdbServer
DB Server Connections 50
Modify any values [y,n,q]: n
cs_install.log being written to /tmp directory
Using </opt/ciscosecure> as the package base directory.
## Processing package information.
## Processing system information.
6 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <CSCEacs> [y,n,?]y
Installing CiscoSecure Access Control Software as <CSCEacs>
## Executing preinstall script.
## Installing part 1 of 1.
Note Process output is omitted at this point because it is not relevant to the installation task presented in this chapter.
[ verifying class <TSERVER> ]
## Executing postinstall script.
Creating the initial database tables and views........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle
URL = jdbc:weblogic:oracle:ciscosj
username = csecure
password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26) Version 2.5.4
sql = select tablespace_name, floor(sum(bytes)/(1024*1024)) from sys.dba_free_space where tablespace_name = (select default_tablespace from sys.dba_users where username = USER) group by tablespace_name
Total free space in CSTB tablespace is 199 MB.
Creating /opt/ciscosecure/utils/sql.scripts/ora_init.sql%
Executing SQL statements..
Note Process output is omitted at this point because it is not relevant to the installation task presented in this chapter.
Successfully done.
Initializing RADIUS data in the database........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle
URL = jdbc:weblogic:oracle:ciscosj
username = csecure
password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26) Version 2.5.4
Radius data version: 23
Adding SERVER_LIST
Adding DICTIONARY_LIST
Adding SERVER.172.23.25.41
Adding DICTIONARY.IETF
Adding DICTIONARY.Cisco
Adding DICTIONARY.Ascend
Adding DICTIONARY.Cisco11.1
Adding DICTIONARY.Cisco11.2
Adding DICTIONARY.Cisco11.3
Adding DICTIONARY.Ascend5
No update to dictionary list
Update radius version: INSERT INTO cs_id (id, type) VALUES (?, ?)
Successfully done.
Installation is complete. However, further configuration may be necessary.
For more information on the steps necessary to finish configuration, read the /opt/ciscosecure/DOCS/README.txt file.
Results of this install are saved in the /tmp/cs_install.log file and in /opt/ciscosecure/logfiles/cs_install.log.
NOTE: For AAA Server tuning, refer to http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/app_b.htm#xtocid192003
Installation of <CSCEacs> was successful.
Step 2 Configure CSU logging by editing /etc/syslog.conf to enable AAA syslog function:
Add the following two lines to /etc/syslog.conf. The first is a comment recording who made the change; the second routes the local0 facility at debug level and above to the CSU log file:

#added by rbrown@cisco.com on 02/28/00
local0.debug	/var/log/csuslog
Note Do not use whitespace to separate the above statements in /etc/syslog.conf. Use only tabs.
Step 3 Create /var/log/csuslog file.
Enter the touch command to create the csuslog file and give it a readable mode:

<CSUserver>$touch /var/log/csuslog; chmod 644 /var/log/csuslog

syslogd writes the file as root, so it does not need to be world-writable; a mode of 777 would let any local user truncate the authentication log or append forged entries to it. Give the full path to chmod as well, so that the mode change applies to the file in /var/log rather than to a file in the current directory.
Step 4 Configure the AAA server for maximum level debugging.
Modify /opt/ciscosecure/config/CSU.cfg as follows:
NUMBER config_logging_configuration = 0x7fffffff
Step 5 Restart the AAA server.
Enter the following command to restart the AAA server:
<CSUserver>$/etc/rc0.d/K80CiscoSecure
Stopping CiscoSecure Processes:
CiscoSecure AutoRestart Stopped
Fast Track Server Stopped
Fast Track Admin Program Stopped
Acme Server Stopped
AAA Server Stopped
DBServer Stopped
<CSUserver>$/etc/rc2.d/S80CiscoSecure
Starting CiscoSecure Processes:
Fast Track Admin Started
FastTrack Server (Delayed Start)
DBServer Started
AAA Server starts in 15 Seconds: 123456789012345
AAA Server Started
Acme Server Started
Cisco AutoRestart started
Step 6 Signal the syslog daemon to re-read its configuration.

Find the syslogd process and send it SIGHUP. syslogd then re-reads /etc/syslog.conf and begins writing local0 messages to /var/log/csuslog; a full restart is not needed:

<CSUserver>$ps -ef |grep syslog
root 150 1 0 Feb 26 ? 0:00 /usr/sbin/syslogd
<CSUserver>$kill -HUP 150
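Steps 2, 3 and 6 as one idempotent script. This is an added example, not part of the Cisco page, and it is written for the Solaris host of the case study. It writes the syslog.conf entry with a literal tab (the note in Step 2 warns that syslogd ignores selector lines separated by spaces), refuses to duplicate the entry on a second run, creates the log file without making it world-writable, and HUPs syslogd the way Step 6 does. The paths default to the ones used on the page; the CSU_SYSLOG_CONF, CSU_SYSLOG_FILE and CSU_SYSLOG_APPLY variables are the script's own so that it can be tested against temporary files.

```shell
#!/bin/sh
# Added example (not from the Cisco page): Steps 2, 3 and 6 as an idempotent
# script. It writes the syslog.conf entry with a literal tab (Solaris syslogd
# ignores selector lines separated by spaces, as the note in Step 2 warns),
# creates the log file without making it world-writable, and sends syslogd a
# HUP so it re-reads its configuration. The paths default to the ones used on
# the page; the CSU_* variables are this script's own, for testing elsewhere.

CONF=${CSU_SYSLOG_CONF:-/etc/syslog.conf}
LOG=${CSU_SYSLOG_FILE:-/var/log/csuslog}
TAB=$(printf '\t')

# The selector/action pair CiscoSecure logs to, separated by a real tab.
csu_syslog_entry() {
    printf 'local0.debug\t%s\n' "$1"
}

# Exit 0 if CONF ($1) already routes local0.debug to LOG ($2) with a tab.
entry_present() {
    grep -q "^local0\.debug${TAB}$2\$" "$1"
}

# Lines that mention local0 but use spaces after the selector; syslogd will
# silently skip these, and the CSU log stays empty.
space_separated_entries() {
    grep -n '^local0\.[a-z]* ' "$1" || true
}

# Append the entry exactly once.
ensure_entry() {
    entry_present "$1" "$2" || csu_syslog_entry "$2" >> "$1"
}

# Create the log file if it is missing. syslogd writes it as root, so 0644
# is enough; a 0777 mode would let any local user truncate or forge the AAA
# audit trail.
ensure_logfile() {
    [ -e "$1" ] || : > "$1"
    chmod 644 "$1"
}

# PID of syslogd from "ps -ef" output on stdin, ignoring the grep process
# that a "ps -ef | grep syslog" pipeline also lists.
syslogd_pid() {
    awk '/\/syslogd( |$)/ && !/grep/ { print $2; exit }'
}

reload_syslogd() {
    pid=$(ps -ef | syslogd_pid)
    [ -n "$pid" ] && kill -HUP "$pid"
}

# Apply on the real host only when asked for explicitly (run as root).
if [ "${CSU_SYSLOG_APPLY:-no}" = yes ]; then
    bad=$(space_separated_entries "$CONF")
    [ -z "$bad" ] || printf 'WARNING: space-separated local0 lines in %s:\n%s\n' "$CONF" "$bad" >&2
    ensure_entry "$CONF" "$LOG"
    ensure_logfile "$LOG"
    reload_syslogd
fi
```

On the CSU host, run it as root with CSU_SYSLOG_APPLY=yes; running it a second time changes nothing. The space_separated_entries check is worth keeping in any such script, because a hand-edited syslog.conf that looks right but uses spaces is the usual reason the csuslog file stays empty after Step 6.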
These processes help you to accomplish basic user profile creation and verification:
Step 1 Add the user csu_test.

Enter the following command to add the user csu_test with a password of type des:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u csu_test -pw des,ciscorocks
Profile Successfully Added

The -p 9900 value is the CiscoSecure DB Server port chosen during installation. A password given on the command line is visible to other users of the host in ps output and may be kept in the shell history, so use a throwaway test password here, as the case study does.
Step 2 Verify user csu_test.
Enter the following command to verify the settings for user csu_test:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u csu_test
User Profile Information
user = csu_test{
profile_id = 18
profile_cycle = 1
password = des "********"
}
Step 3 Configure the router for basic authentication.
Log in to the router and include the following commands:
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 172.22.53.201 key ciscorules

The key must match the TACACS+ NAS secret entered during installation (ciscorules in the dialog above). The local keyword makes the router fall back to its local username database only when no TACACS+ server responds, not when the server rejects the login, so keep a local account configured before enabling this or you can lock yourself out while the AAA server is down.
Step 4 Log in to the router and verify user access.
Enter the user name and password:
Username: csu_test
Password: <password>
Step 5 Review the AAA server log.
Enter the tail command to follow the csuslog file:

Note This CSU log fragment illustrates user csu_test being authenticated and permitted privilege level 15 access.

<CSUserver>$tail -f /var/log/csuslog
Feb 29 16:52:28 CSUserver last message repeated 20 times
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG -
Feb 29 16:52:30 CSUserver User Access Verification
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
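A small triage script for the log produced in this step, added here as an example; it is not part of the Cisco page or of the CiscoSecure product. The maximum-level debugging configured in Step 4 buries the authentication results in DEBUG noise, so the script reduces the stream to one record per result, using the "Authentication - <result>;[NAS = ..., Port = ..., User = ..., Priv = ...]" format shown in the fragment above, counts successful logins per user and NAS, and lists every login granted privilege level 15. The embedded SAMPLE reuses three lines from the fragment above and adds two constructed lines in the same format (the operator user and the second csu_test login are invented for the example); the CSU_LOG variable is the script's own.

```shell
#!/bin/sh
# Added example (not from the Cisco page): triage of the CSU debug log from
# Step 5. The maximum-level debugging configured in Step 4 buries the
# authentication results in DEBUG noise; these functions reduce the stream to
# one record per result, using the
#   Authentication - <result>;[NAS = ..., Port = ..., User = ..., Priv = ...]
# format shown in the fragment above, and flag logins granted privilege 15.
# SAMPLE reuses three lines from the page and adds two constructed ones in
# the same format (the "operator" user and the second csu_test login are
# invented for the example).

SAMPLE='Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
Feb 29 17:01:02 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty3, User = csu_test, Priv = 15]
Feb 29 17:05:44 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = operator, Priv = 1]'

# stdin: raw syslog lines. stdout: result|user|nas|port|priv, one per
# authentication result line; everything else is dropped.
auth_events() {
    awk '
        function field(str, name,    m) {
            if (match(str, name " = [^,]*")) {
                m = substr(str, RSTART + length(name) + 3, RLENGTH - length(name) - 3)
                sub(/]$/, "", m)        # Priv is last and ends with "]"
                return m
            }
            return ""
        }
        /Authentication - / {
            s = $0
            sub(/.*Authentication - /, "", s)
            split(s, part, ";")
            printf "%s|%s|%s|%s|%s\n", part[1], field(s, "User"), field(s, "NAS"), field(s, "Port"), field(s, "Priv")
        }'
}

# Successful logins counted per user and NAS.
login_summary() {
    auth_events |
        awk -F'|' '$1 == "LOGIN successful" { n[$2 " via " $3]++ }
                   END { for (k in n) print n[k], k }' |
        sort
}

# "user nas port" for every login that was granted privilege level 15.
priv15_logins() {
    auth_events | awk -F'|' '$1 == "LOGIN successful" && $5 == 15 { print $2, $3, $4 }'
}

# With CSU_LOG set, triage a real file; otherwise demonstrate on SAMPLE.
if [ -n "${CSU_LOG:-}" ]; then
    login_summary < "$CSU_LOG"
    echo "--- privilege 15 logins ---"
    priv15_logins < "$CSU_LOG"
else
    printf '%s\n' "$SAMPLE" | login_summary
    echo "--- privilege 15 logins ---"
    printf '%s\n' "$SAMPLE" | priv15_logins
fi
```

Run with CSU_LOG=/var/log/csuslog on the CSU host. Because the script keys on the result text rather than on the word "successful", any other result string CiscoSecure writes in the same "Authentication - <result>;[...]" form also appears in the auth_events output, which makes it a reasonable starting point for watching the log after the debugging level in Step 4 is turned back down.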
Posted: Fri Jun 2 19:51:20 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.