
Using CiscoSecure with Oracle's Distributed Database Feature

In This Document

This document provides an end-to-end configuration example of how one company established CiscoSecure using the Oracle Distributed Database feature. This document contains the following sections:


Note The purpose of this document is to show how one company used CiscoSecure with Oracle's Distributed Database feature. It is not intended, nor should it be used, as a substitute for an experienced database administrator.

Scenario

In this particular scenario, a customer wanted to implement the Oracle Distributed Database feature to authenticate and authorize their network users using CiscoSecure. They have over 20,000 users accessing 16 access servers. They decided to have one master site from which 16 snapshot sites obtain their information.

Network Topology

Their network topology (at least as far as it relates to replication) is relatively simple: a basic star topology. At the center of this star is the master site, NOC: a Sun Ultra 2 workstation running Solaris 2.5.1, Oracle 7.3.4, and CiscoSecure 2.2.2. All data is entered and maintained in NOC's Oracle database. Sixteen snapshot sites radiate from this master site, each one connected (over Ethernet) to a Cisco AS5200, which acts as the network access server (NAS) for that portion of the network. Snapshot sites also run Solaris 2.5.1 (on Ultra 1 workstations) and CiscoSecure 2.2.2, but maintain an Oracle 7.3.4 read-only database, replicated periodically from the master site. Snapshot sites connect to the master site, NOC, over WAN links at T1 speeds. Users dial in to the NAS and are authenticated by the snapshot site using the authentication information contained in its replicated database. Figure 1 shows the basic network topology for this company.


Figure 1: Network Diagram


Because of the logistics involved in setting up and testing this configuration, it was decided to first establish a functioning system via LAN. After this was established, the LAN was dismantled and the devices transferred to their respective WAN locations. The configuration information included in this document is derived from the LAN network setup.

Assumptions

The following prerequisites are assumed:


Note Versions of Solaris prior to 2.5.1 might not work with the Oracle Distributed Database feature.

Configuration Tasks

There were seven basic configuration tasks performed in establishing CiscoSecure using the Oracle Distributed Database feature for this company:

Pre-Oracle Installation Tasks

The first task performed was to make sure that the Solaris operating system on each Sun workstation was installed properly and that each device, whether master or snapshot, was configured to support both Oracle Database Replication and CiscoSecure.

Complete these steps before installing Oracle on either the master or snapshot devices:


Note The system administrator needs to monitor the disk space allocated for accounting records. Accounting records will periodically need to be archived.
Use the pkginfo -i command if you need to check which packages are already installed.

Note These patches must be installed in the order in which they are listed. These patches are available from the Sun website.

# df -k

Check partition size.

Need commands here for BIOS to perform autoboot.

Configure BIOS to perform autoboot.

# pkgadd -d /cdrom/cdrom0/solaris*/s0
 

Install the necessary Solaris packages.

cp /tmp/*.tar .
mkdir install
cd install
ls
tar -xvf ../103600-18.tar
./installpatch .

Untar 103600-18.tar file and install the patch.

mkdir install
cd install
ls
tar -xvf ../103640-12.tar
./installpatch .

Untar 103640-12.tar file and install the patch.

tar -xvf ../103566-23.tar
./installpatch .

Untar 103566-23.tar file and install the patch.


Oracle Installation

Oracle needs to be installed on all devices, both master and snapshot devices, before CiscoSecure can be successfully installed. The version of Oracle used in this scenario was version 7.3.4. The installation procedure varies per version; the steps described below are specific to version 7.3.4. The procedure listed below is not intended to be an all-inclusive example; for more information about installing Oracle, refer to the Oracle Installation manual that came with your software.



Use the Solaris AdminTool to create the dba group.

Select edit, then add.



Define dba group. Enter:

Group name: dba

Group ID: <default value>

Members List: oracle



Use AdminTool to create a UNIX account that has username: oracle.

As before, select edit, then add.

Define Oracle user identity. Enter:

· User name: oracle

· User ID: 101

· Primary Group: dba

· Login Shell: Korn

· Path: /export/home/app/oracle/product/7.3.4

Click OK.



Log in as root. Change directory to /export/home/app/oracle/product.

· Enter:
chgrp dba 7.3.4

Verify that the account exists.



Become the root user.

Change to the /etc directory and open the services file. This file lists all of the ports on the system.

Add two lines:

listener 1521/tcp
tnslsnr 1521/tcp oracle



Set UNIX system tuning parameters. From the /etc directory, open the `system' file.

Set the following system tuning parameters:

· set shmsys:shminfo_shmmax=28388608

· set shmsys:shminfo_shmmin=1

· set shmsys:shminfo_shmmni=100

· set shmsys:shminfo_shmseg=20

· set semsys:seminfo_semmns=200

· set semsys:seminfo_semmni=70

· set semsys:seminfo_semmsl=100

Reboot the system for these parameters to take effect.

mkdir /opt/bin
mkdir /oracle

At the root, create a first-level directory.

chown oracle /oracle

Give ownership to the Oracle user.

rlogin localhost -l oracle
mkdir /oracle/app
mkdir /oracle/app/oracle
mkdir /oracle/app/oracle/product
mkdir /oracle/app/oracle/product/7.3.4
mkdir /oracle/app/oracle/product/7.3.4/oradata

Become the Oracle user. Then prepare a structure for Oracle installation.



Add environmental information to the .profile file in the home directory of the Oracle user:

  • ORACLE_BASE=/oracle/app/oracle

  • ORACLE_HOME=$ORACLE_BASE/product/7.3.4

  • ORACLE_SID=AST

  • ORACLE_TERM=vt100

  • LD_LIBRARY_PATH=${ORACLE_HOME}/lib:/usr/ccs/lib:/usr/ucb/lib:/usr/openwin/lib

  • PATH=${ORACLE_HOME}/bin:/bin:/opt/bin:/usr/bin:/usr/ccs/bin:/usr/ucb:/etc:/usr/openwin/bin:.

  • ORACLE_TERMINAL=/cdrom/oracle734/orainst

  • export ORACLE_BASE ORACLE_HOME ORACLE_SID ORACLE_TERM PATH LD_LIBRARY_PATH ORACLE_TERMINAL



Use rlogin to verify changes.



Because so many systems needed Oracle installed, the Oracle installation CD was stored on system 10.0.0.0 in /export/home1/QA/oracle-cd /oracle/installcd.

This directory was shared using the UNIX share command. The other systems mounted this directory using the UNIX mount command.



Log in as Oracle user.

Use the cd $ORACLE_TERMINAL command to change directories.

Start Oracle installation using the orainst command.

The command orainst /m starts the GUI installation interface in MOTIF mode.

To install Oracle with a text-mode interface, use the orainst /c command. This command starts the installation in the character mode.



From the Install Type screen, select Custom Install.

Click OK.



From the Installation Activity Choice screen, select Install, Upgrade or De-Install Software.

Click OK.



From the Installation Options screen, select Install New Product - Create DB Objects.

Click OK.



From the Environment Variables screen, verify ORACLE_BASE and ORACLE_HOME:

· ORACLE_BASE:
/oracle/app/oracle

· ORACLE_HOME:
/oracle/app/oracle/product/7.3.4

Click OK.



From the Logging and Status screen, accept the defaults for the following fields:

· Installer Log

· SQL Log

· Makefile Log

· OS Log

Click OK to accept the default values.



From the Install Source screen, select Install from CD-ROM.

Click OK.



Enter the Oracle SID. This value should appear by default, if you have entered the environment settings.

· Each site must have a unique SID.

· SIDs are case-sensitive.

· SIDs cannot be longer than eight characters. (If you enter a SID larger than eight characters, installation will fail. Oracle documentation recommends that SIDs contain four characters or less for maximum compatibility.)



From the NLS screen, select American/English.

Click OK.



From the Relink All Executables? screen, click Yes.



The Information screen indicates where the post-installation steps will be stored. The default location is /oracle/app/oracle/product/7.3.4/orainst/root.sh.

Click OK.



From the Software Asset Manager screen, select the nine Oracle components to be installed:

· Advanced Replication Option

· Oracle Server Manager

· Oracle 7 Distributed Database Option

· Oracle UNIX Installer

· Oracle 7 Server (RDBMS) 7.3.4.0.1

· PL/SQL V2 2.3.4.0.0

· SQL*Net V2

· SQL*Plus 3.3

· TCP/IP Protocol Adapter

Click Install.



From the DBA group screen, click OK to accept the default.



From the OSOPER Group screen, click OK to accept the default.



From the Create DB Objects: Storage Type, select Filesystem-Based Database.

Click OK.



From the Create DB Objects (F/S): Control File Distribution screen, select No.

(This particular parameter is specific to the customer. Oracle normally recommends Yes to allow for fault tolerance. If you select Yes, you will be prompted for three different mount points.)



From the Create DB Objects (F/S): Mount Point Locator screen, click OK to accept the default.



From the Character Set screen, select US7ASCII.

Click OK.



From the SYSTEM Password screen, enter the password for the system user.

Click OK.

Retype the password to confirm.

Click OK.



From the SYS Password screen, enter the password for the SYS Oracle User ID.

Click OK.



From the SYS Password screen, retype the password to confirm.

Click OK.



From the dba password screen, click No.



Oracle recommends MTS for system resource sharing, but this is an optional step.

From the Configure MTS and start an SQL*Net listener called "LISTENER" screen, click Yes.

For snapshot sites, click No.



From the Create DB Objects (F/S): Control File Locator screen, click Yes to accept the default.



From the DB Defaults screen, click OK to move to the next screen.



From the second DB Defaults screen, click OK to move to the next screen.



Edit the Default DB values.

From the Default DB screen, select No.



From the Create DB Objects (F/S): system File Locator screen, type in the pathname for the SYSTEM tablespace data file:

/oracle/oradata/AST/system01.dbf

Click OK.



From the System Data File Size screen, enter 40M.

Click OK.



From the Create DB Object (F/S): Redo Log Locator, type the path for the first redo log file:

/oracle/oradata/AST/redoAST01.log

Click OK.



From the Redo Log File Size screen, enter 500k.

Click OK.



From the Create DB Object (F/S): Redo Log Locator, type the path for the second redo log file:

/oracle/oradata/AST/redoAST02.log

Click OK.



From the Redo Log File Size screen, enter 500k.

Click OK.



From the Create DB Object (F/S): Redo Log Locator, type the path for the third redo log file:

/oracle/oradata/AST/redoAST03.log

Click OK.



From the Redo Log File Size screen, enter 500k.

Click OK.



From the Create DB Object (F/S): Rollback Segment File Locator screen, type the path for the rollback segment file:

/oracle/oradata/AST/rbs01.dbf

Click OK.



From the Rollback Segment File Size screen, enter 100M.

Click OK.



From the Create DB Object (F/S): Temporary Segment File Locator screen, type the path for the temporary segment file:

/oracle/oradata/AST/temp01.dbf

Click OK.



From the Temporary Segment File Size screen, enter 50M.

Click OK.



From the Create DB Object (F/S): USER Data File Locator screen, type the path for the User tablespace data file:

/oracle/oradata/AST/users01.dbf

Click OK.



From the USER Data File Size screen, type 200M.

Click OK.

This is the initial size of your actual CiscoSecure database. In a later configuration step, the database can be configured to automatically grow (autoextend).



From the Create DB Object (F/S): TOOLS Data File Locator screen, enter the path for the TOOLS tablespace data file:

/oracle/oradata/AST/tools01.dbf

Click OK.



From the TOOLS Data File Size screen, enter 15M.

Click OK.



From the DB Defaults screen, click OK to continue to the next screen.



From the second DB Defaults screen, click OK.



From the Default DB screen, click Yes to confirm files and sizes on the two previous screens.



From the Help Facility screen, click No.

The customer opted not to have the Help Facility. Oracle recommends that you click Yes here.



From the Demo Tables screen, click No.

The customer opted not to have the Demo Tables. Oracle recommends that you click Yes here.



From the X Libraries screen, click OK if the path to the X-Window Libraries is correct.

After this, Oracle installs on your system.

You will be asked if you want to relink the Client Shared Library. Click No.

From the Main Install screen, click Exit.

You will receive a message telling you that installation was successful.


Be sure you have enough disk space. If you run out of disk space, Oracle might not create all of the necessary .dbf files. In addition, Oracle will not send an error message informing you that there is not enough disk space.

Post-Oracle Installation Tasks

After Oracle is installed, additional configuration tasks need to be completed before CiscoSecure can be successfully installed. This section documents these post-Oracle installation configuration tasks.

These steps are performed for both master site and snapshot sites. In this example, we are showing the post-Oracle installation steps for one of the snapshot sites, AST.


Log in as root. Change directory to $ORACLE_HOME/orainst. Execute the root.sh script.

cd /var/opt/oracle
AST:/oracle/app/oracle/product/7.3.4:Y

Modify the oratab file located at /var/opt/oracle. Change product version from 7.3.4:N to 7.3.4:Y.

cd /etc/init.d
vi dbora

#!/bin/sh
# Start or stop the Oracle instance and the SQL*Net listener as the oracle user.
ORA_HOME=/oracle/app/oracle/product/7.3.4
ORA_OWNER=oracle
# Bail out if the Oracle home or the dbstart script is missing.
if [ ! -f $ORA_HOME/bin/dbstart -o ! -d $ORA_HOME ]
then
     echo "Oracle startup: cannot start"
     exit 1
fi

case "$1" in
     'start')
          su - $ORA_OWNER -c $ORA_HOME/bin/dbstart
          su - $ORA_OWNER -c "lsnrctl start"
          ;;
     'stop')
          su - $ORA_OWNER -c $ORA_HOME/bin/dbshut
          su - $ORA_OWNER -c "lsnrctl stop"
          ;;
esac

Create a script to allow Solaris to autostart Oracle when you reboot the Sun workstation.

ln -s /etc/init.d/dbora /etc/rc0.d/K81dbora
ln -s /etc/init.d/dbora /etc/rc2.d/S79dbora

Create links.

export ORAENV_ASK=NO
. /opt/bin/oraenv

Log in as Oracle.

Add two lines to the Oracle user startup script .profile:

· export ORAENV_ASK=NO

· . /opt/bin/oraenv

job_queue_interval=30
job_queue_processes=4
shared_pool_size=6000000   # medium
compatible=7.3.0.0

Change directory to ORACLE_HOME/dbs. Edit the initAST.ora file. This file contains the Oracle tuning parameters:

· Comment out (add # symbol) to the statement: shared_pool_size=<small>

· Remove the comment out symbol (delete # symbol) from the statement: shared_pool_size=6000000 <medium>

Add these parameters to the initAST.ora file:

· job_queue_interval=30

· job_queue_processes=4

· compatible=7.3.0.0

/etc/init.d/dbora start

Log in as root. Run /etc/init.d/dbora start to start the database. Test whether the database instance is reachable by using tnsping.



Modify the tnsnames.ora file on the Sun workstation, located in the following directory:

$ORACLE_HOME/network/admin

Put an entry for the system itself (in this case, AST) in the tnsnames.ora file.


Verify changes by using tnsping. (In this case, tnsping AST)



Install Oracle client tools on the PC. Select Custom Installation and click OK.


Select Oracle7 Client Database Administrator Products.

After you install the tools you need, you must exit the program and reboot the system.


Create a connection from the PC where the tools are installed to the instance of Oracle on the Sun workstation. From the Oracle for Windows 95 program group, select the SQL*NetEasy configuration tool.

Choose Add Database Alias and click OK.


Type the alias; in this case, "AST." Click OK. (This is the TNS name.)


Select TCP/IP for the network protocol and click OK.

· Host Name: IP address of the system. In this case, 10.30.0.0

· Database instance: AST

(This is the SID name.)

Click OK to add. Click Cancel when complete.

Create the CSECURE user. From the Oracle Enterprise Manager program group, select the Security Manager tool and log in.

Username: sys

Service: TNS name (The TNS name was created in the previous steps using SQL*NetEasy.)

Click OK

From the General tab, select user/create.

· User: CSECURE

· Password: <CSECURE password>

· Tablespace: default values
(In this case, set default to USERS;
Set temporary to TEMP.)

Grant the CSECURE user privileges. From the Role/Privileges tab, select the following privileges:

· Connect

· Resource

Grant the CSECURE user object privileges. From the Object/Privileges tab, follow this path:

schema/sys/views

· Select dba_free_space, then highlight SELECT from available privileges. Click the down arrow to add.

· From the General tab, highlight SELECT from available privileges, then click Create.

· Select dba_users. Click the down arrow to add.

· From the General tab, click Create.

This customer chose not to autoextend the size of the database. To autoextend the size of the database, perform the following steps:

· From Oracle Enterprise manager, select the Storage Manager tool.

· Username: sys

· Service: AST (the TNS name)

· From Users tablespace, select the option tab for autoextend. Set the increment to the desired value.

Click OK. You need to do this for both the temporary tablespace and the RBS tablespace.

CiscoSecure Installation

After Oracle has been successfully installed on each Sun workstation and post-Oracle installation tasks have been completed, CiscoSecure is installed. In this particular scenario, the systems administrator created a temporary directory (/tmp) to hold the package file prior to installation. CiscoSecure installation steps are the same for both master site and snapshot sites. In this example, CiscoSecure is being installed on the master site, NOC.

The procedure documented here should be supplemented by the information contained in CiscoSecure ACS 2.2.2 for UNIX User Guide. Please refer to this manual for additional information.


Note Oracle should be running when you install CiscoSecure.

# pkgtrans C* -d /tmp
The following packages are available:
  1 CSCEacs   CiscoSecure Access Control Software
(                sun4) 2.2 (2)

Run pkgtrans to transfer the CiscoSecure package to the /tmp directory.

Select package(s) you wish to process (or `all' to process
all packages). (default all) [?,??,q]: 1

Type 1.

#cd /tmp
#ls
CSCEacs

Check to see that files were transferred to /tmp directory.

#pkgadd -d .
The following packages are available:
  1 CSCEacs   CiscoSecure Access Control Software
(                sun4) 2.2 (2)

Install CiscoSecure in the default directory.

Select package(s) you wish to process (or `all' to process
all packages). (default: all) [?,??,q]: 1
Processing package instance <CSCEacs> from </tmp>
. . .

Type 1.

To install this product, you must agree to accept the terms 
of the enclosed license [accept=y,exit=n,exit=q]: y Checking patches . . .

Type y.

Is this a new install (y/n/q) (default: yes, q to quit)? y

Type y.

Enter the directory name in which to install CiscoSecure [?,q] 
/opt/acs

Type /opt/acs for the CiscoSecure home directory.

Select an IP address to install CiscoSecure on
 1 10.0.0.0
 2 10.10.0.0
 3 New
Enter selection (default: 10.0.0.0) [?,??,q]

Press Enter to accept the default.

If the hostname of this server is not the same as its fully qualified domain name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter to use the default (default noc) [?,q]

Because the snapshot sites were in a different domain than the NOC, this field was modified to put the FQDN as NOC.company.com.

Enter the AAA Server License key (default:<none>) [?,q]

Enter the AAA license key. For more information, refer to the CiscoSecure Installation manual.

Enter the TACACS+NAS name to use (default:<none>) [?,q]

Press Enter to accept the default.

Enter the TACACS+NAS Secret Key to use (default:<none>) [?,q]

Press Enter to accept the default, which is "SECRET12345."

Select any or all Token Cards to use
 1 CryptoCard
 2 Secure-Computing    SafeWord
 3 SDI    SDI Token Card
Enter selection (default: none) [?,??,q]:

Press Enter to accept the default.

Enter selection:
 1 SQLAnywhere
 2 Oracle
 3 Sybase
Enter selection (default: SQLAnywhere) [?,??,q] 2

Type 2 for Oracle.

Enter the username for the ORACLE DB account [?,q] csecure

Type csecure.

Enter the password for the ORACLE DB account [?,q] csecure

Enter the value you used when creating csecure user. (In this case, csecure was used.)

Enter the TNS Service name for the Oracle Server [?,q] noc

Type noc.

Enter the ORACLE_HOME directory [?,q] /oracle/app/oracle/product/7.3.4

Type /oracle/app/oracle/product/
7.3.4

Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server process (default: 9900) [0-65535,?,q]

Press Enter to accept the default.

Enter a unique name for the CiscoSecure DB Server Process (default:CSdbServer) [?,q]

Press Enter to accept the default.

Enter the number of connections to use for ORACLE RDBMS (default: 4) [?,q] 20

Type the number of connections licensed from Cisco minus 2 (n - 2). For this customer, the number was 20.

Enter the directory path to use for the AAA server profile caching (default: /, q to quit)? /opt

Type /opt.

Do you want to modify any selections shown below?

New CiscoSecure Install          YES
CiscoSecure Directory            /opt/acs
CiscoSecure IP Address           10.0.0.0
CiscoSecure Web Server Name      noc
Profile Cache Directory          /opt
AAA License Key                  <none>
TACACS+ NAS Name                 <none>
TACACS+ NAS Secret Key           SECRET12345
Token Cards selected             none
Data Base                        ORACLE
DB User Account Name             csecure
DB User Account passwd           csecure
Oracle TNS Name                  noc
Oracle Home                      /oracle/app/oracle/product/7.3.4
CiscoSecure DB Server IP Address 10.0.0.0
CiscoSecure DB Server Port       9900
CiscoSecure DB Server Proc Name  CSdbServer
DB Server Connections            20
Modify any values [y,n,q]: n
cs_install.log being written to /tmp directory . . .

Type n.

This package contains scripts which will be executed with super-user permission during the process of installing this package.
Do you want to continue with the installation of <CSCEacs> [y,n,?] y
. . .

Type y.

Installation is complete. However, further configuration may be necessary. For more information on the steps necessary to finish configuration, read the /opt/acs/DOCS/README.txt.file.
Results of this installation are saved in the /tmp/cs_install.log file and in /opt/acs/logfiles/cs_install.log.
Installation of <CSCEacs> was successful.
The following packages are available:
  1 CSCEacs   CiscoSecure Access Control Software
(                sun4) 2.2 (2)

Select package(s) you wish to process (or `all' to process
all packages). (default all) [?,??,q]: q


Type q.
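The summary the installer records in /tmp/cs_install.log and /opt/acs/logfiles/cs_install.log carries the Oracle account password and the TACACS+ NAS secret in clear text. The following shell script is an added example (not part of the Cisco document or the CiscoSecure package) that audits such a log on a constructed sample: it flags a world-readable log, a DB password equal to the username (csecure/csecure above), and a NAS secret left at the installer default.

```shell
#!/bin/sh
# Added example, not part of the Cisco document or the CiscoSecure package:
# audit the cs_install.log that the installer leaves in /tmp and in
# /opt/acs/logfiles. The summary it stores carries the Oracle account
# password and the TACACS+ NAS secret in clear text, so the file must not be
# world-readable and the weak defaults must be replaced. The sample log below
# is constructed from the summary shown in the document.

# Print one line per finding for the log file given; always returns 0 so the
# output can be captured and counted by a caller.
audit_cs_install_log() {
    log=$1
    if [ ! -f "$log" ]; then
        echo "MISSING: $log"
        return 0
    fi

    # 1. Credentials on disk must not be readable by everyone (other:r bit).
    if [ -n "$(find "$log" -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE: $log (chmod 600 it and remove the /tmp copy)"
    fi

    # 2. DB password equal to the account name, as in the document's csecure/csecure.
    db_user=$(sed -n 's/^DB User Account Name[[:space:]]*//p' "$log")
    db_pass=$(sed -n 's/^DB User Account passwd[[:space:]]*//p' "$log")
    if [ -n "$db_pass" ] && [ "$db_user" = "$db_pass" ]; then
        echo "WEAK_DB_PASSWORD: password equals username '$db_user'"
    fi

    # 3. TACACS+ NAS secret left at the installer default (SECRET12345).
    #    The pattern also accepts the "TACTACS+" spelling some installers print.
    nas_key=$(sed -n 's/^TAC[A-Z+]* NAS Secret Key[[:space:]]*//p' "$log")
    if [ "$nas_key" = "SECRET12345" ]; then
        echo "DEFAULT_NAS_SECRET: TACACS+ NAS secret is the installer default"
    fi
    return 0
}

# Write a constructed sample of the installer summary to the path given.
write_sample_log() {
    cat > "$1" <<'EOF'
New CiscoSecure Install          YES
CiscoSecure Directory            /opt/acs
CiscoSecure IP Address           10.0.0.0
TACACS+ NAS Secret Key           SECRET12345
Data Base                        ORACLE
DB User Account Name             csecure
DB User Account passwd           csecure
Oracle TNS Name                  noc
EOF
}

# Demo run on the sample with the 644 mode a default umask produces.
demo() {
    sample=${TMPDIR:-/tmp}/cs_install.sample.$$
    write_sample_log "$sample"
    chmod 644 "$sample"
    audit_cs_install_log "$sample"
    rm -f "$sample"
}
```

Run `audit_cs_install_log /opt/acs/logfiles/cs_install.log` as root after the install; an empty result means none of the three findings applies.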

Replication Configuration

After Oracle and CiscoSecure have been installed on all systems, one device (NOC) is selected as the master replication device. All other devices are then configured as snapshots of this master. The following steps explain how the master device is configured.

The same initial procedure is used to configure both master and snapshot sites; the following configuration steps apply to both.

Ping all devices to check TCP/IP Connectivity.

Verify TCP/IP connectivity by pinging the master from all snapshot devices.



Log in to the master system as the Oracle user. Change to ORACLE_HOME/network/
admin directory. Open the tnsnames.ora file.



The TNS entries in the tnsnames.ora file need to be edited. For each snapshot site, you must add the following information:

· Name of the snapshot database.

· Snapshot host name or host address. (This field is not case-sensitive.)

· Port over which this database is running.

· System ID (SID). (This field is case-sensitive.)



Verify that this has worked by using the tnsping program. In this example, tnsping is testing connectivity from the master device to a snapshot, pym. This proves you have established one-way connectivity from the master to the snapshot.



Log in to a snapshot site. (In this example, the snapshot site is pym.) Modify the tnsnames.ora file for each snapshot to include the master site and then confirm connectivity from snapshot device to master using tnsping.
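One way to produce the tnsnames.ora entries the two preceding steps describe, as an added shell example that is not from the Cisco document: it emits SQL*Net V2 entries for a constructed list of sites and enforces the SID rules stated earlier in this document (at most eight characters, case-sensitive). The addresses are constructed, and the `.world` suffix assumes the SQL*Net V2 default domain (the document's NOC.WORLD).

```shell
#!/bin/sh
# Added example, not from the Cisco document: build the SQL*Net V2 tnsnames.ora
# entries the master site needs for each snapshot site, with the SID checks
# the document states (SIDs are case-sensitive and at most 8 characters).
# The site list and addresses below are constructed; the ".world" suffix is
# the SQL*Net V2 default domain and is an assumption about the sqlnet.ora.

# Emit one tnsnames.ora entry for alias/host/port/SID.
# Prints nothing and returns 1 when the SID breaks the length rule.
tns_entry() {
    tns_alias=$1; host=$2; port=$3; sid=$4
    if [ -z "$sid" ] || [ ${#sid} -gt 8 ]; then
        echo "tns_entry: SID '$sid' must be 1 to 8 characters" >&2
        return 1
    fi
    printf '%s.world =\n' "$tns_alias"
    printf '  (DESCRIPTION =\n'
    printf '    (ADDRESS = (PROTOCOL = TCP)(HOST = %s)(PORT = %s))\n' "$host" "$port"
    printf '    (CONNECT_DATA = (SID = %s))\n' "$sid"
    printf '  )\n'
}

# Constructed site list, "alias host port SID" per line: the master (noc)
# plus two of the sixteen snapshot sites.
SITES='noc 10.0.0.10 1521 NOC
pym 10.30.0.10 1521 PYM
ast 10.31.0.10 1521 AST'

# Print entries for every site; fails on the first invalid SID.
build_tnsnames() {
    echo "$SITES" | while read -r tns_alias host port sid; do
        tns_entry "$tns_alias" "$host" "$port" "$sid" || exit 1
    done
}

# The document's verification step: tnsping every alias once the file is in
# place (run on the master toward the snapshots, then on each snapshot
# toward the master).
tnsping_all() {
    echo "$SITES" | while read -r tns_alias host port sid; do
        if tnsping "$tns_alias" 3 >/dev/null 2>&1; then
            echo "$tns_alias: reachable"
        else
            echo "$tns_alias: FAILED"
        fi
    done
}

# Typical use: build_tnsnames > "$ORACLE_HOME/network/admin/tnsnames.ora"
```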



Files on the master site need to be modified to support replication. The files are located in the $ORACLE_HOME/dbs directory.

In the initSID.ora file (where SID is the SID for the master site), add the following two lines and change the shared pool size:

· job_queue_interval = 30

· job_queue_processes = 4

· Comment out (add # symbol) to the statement: shared_pool_size=<small>

· Remove the comment out symbol (delete # symbol) from the statement: shared_pool_size=<large>



Change the compatibility to 7.3.0.0.

Restart Oracle for these changes to take effect.



Replication takes additional space. Use the Storage Manager program (located in the Oracle Enterprise Manager program group).

· Log in as sys user.

· Service in this instance refers to the master site TNS name, noc.



You need to create a user that controls replication. Use the Security manager program (located in the Oracle Enterprise Manager program group).

· Log in as sys user.

· Service in this instance refers to the master site TNS name, noc.

From the Main menu, select User/Create.



From the Create User window, enter:

· Name: repadmin

· Profile: DEFAULT

· Password: Enter password, then verify password

· Tablespaces:
Default: USERS
Temporary: TEMP

Click Create.



You need to give the repadmin user privileges. Run SQL*Plus 3.3 (located in the Oracle for Windows 95 program group).

· Log in as sys user.

· Host string in this instance refers to the master site TNS name, noc.

Click OK.



Run this command: execute dbms_repcat_admin.grant_admin_any_repgroup (userid => 'repadmin');

(This command is not case-sensitive, but it is space-sensitive.)


Replication Configuration Steps Specific to the Master Site

After you have completed the previous steps, perform the following steps, which are specific to the master site.



You need to create a link from the master site to every snapshot site. (The following steps need to be repeated for each snapshot site.)

Run Schema Manager (located in the Oracle Enterprise Manager program group).

· Log in as repadmin.

· Service in this instance refers to the master site TNS name, noc.

· Click OK.



From the Create Object window, select Database Link.

Click OK.



From the Create Database Link window, enter:

· Name: Snapshot SID (case-sensitive) In this example: PYM

· Check the Public box.

· Username: repadmin

· Password: Password you assigned to the repadmin user.

· Service name: TNS name of the snapshot site. In this example, pym.

Click Create to create the link.



Verify the link. Expand the tree and click Test.

The system will display the following message if the link has been successfully established:

The database is active.


A connection needs to be established between the master database and the snapshot sites.

Use the Oracle Replication manager (located in the Oracle Replication manager program group).

Click Create.

A wizard screen will appear. Click Cancel and proceed with the following steps.



From the Create DB Connection screen:

· Log in as repadmin.

· Database in this instance refers to the master site TNS name, noc.

· Click Create.



Click to expand the directory tree. Highlight Master Groups.

Click Create.



From the Create Master Group window, click the General tab. Enter:

· Master Group Name: This value is arbitrary. In this case, Master-RO-Snapshot was entered.



Click the Objects tab.

Click Add.



From the Add Object(s) to Group window:

· Select the schema for the CiscoSecure user. In this case, CSECURE.

· Click the Tables check box to select tables as the object type to display.

· Select the following six tables:
CS_GROUP_PROFILE
CS_PASSWORD
CS_PRIVILEGE
CS_PROFILE
CS_PROFILE_BLOB
CS_USER_PROFILE
(Hold down the Ctrl key to select multiple tables.)

Click Add, then click Close.



The selected tables will be listed. From the Create Master Group window's Object tab, click Create.



From the Support for Group window, click OK to accept the default values.



The master group Master-RO-Snapshot is created.



Create snapshot logs so that only changes in the master database are replicated.

Highlight Snapshot Logs.

Click Create.



From the Create Snapshot Log window's General tab, select:

Schema: CSECURE

Table: Select one of the six. (Only one table can be done at a time.)



From the Tablespace and Extents tab, enter:

· Extent Characteristics:
Initial size: 1 M
Next size: 1 M
% Increase: 0
% Free: 10
% Used: 40

Click Create.

Repeat the previous two steps for the remaining five tables.



Oracle Replication Manager looks like this when all snapshot logs have been created.

Replication Steps Specific to the Snapshot Sites

After the master device is configured to support database replication, the snapshot sites are configured (in this scenario, 16 sites). The following steps explain how one of the snapshot devices, pym, was configured. As mentioned before, the first group of configuration steps are identical for both master and snapshot sites. The following configuration steps are used to configure snapshot sites.



Use SQL*Plus to connect to the database as CSECURE User.
Enter the command:

connect csecure/csecure@pym

(Once again, pym is the name of the snapshot site.)


Fifteen tables were installed by CiscoSecure, including:

CS_GROUP_PROFILE
CS_PASSWORD
CS_PRIVILEGE
CS_PROFILE
CS_PROFILE_BLOB
CS_USER_PROFILE

Because the master database will replicate those tables, drop them. At the SQL*Plus prompt, type drop table table-name (where table-name is the name of the table). Repeat for each of the six tables. When finished, the screen will look like this.



Add the snapshot site, pym, to the Oracle Replication manager. Use Oracle Replication Manager (located in the Oracle Replication manager program group).

From the File menu, select Create New, then Database Connection to get to this screen.

· Log in as repadmin.

· Database in this instance refers to the snapshot site TNS name, pym.

· Click the Always prompt for password check box.

· Click Create.



Double-click repadmin@pym.



Double-click Configuration for this snapshot site.

Click Snapshot Groups, then Create.



From the Snapshot group Wizard - Master Link window, select:

· Public Links

· Master Definition Site
In this case, select:

NOC.WORLD

Click Next.



From the Snapshot Group Wizard - Master Group window, select a master group. In this case, select:

MASTER-RO-SNAPSHOT

Click Next.



Select the master database tables to be replicated at the snapshot sites.

Highlight all six tables.

Click Add.



The selected tables will move to the Snapshot Group Objects area.

Click Next.



Each table has to be edited individually.

From the Snapshot Group Wizard - Individualized Snapshot Settings window:

· Select a table from the Snapshots in the group list.

· Uncheck Updatable. (The snapshot sites are READ ONLY.)

· Check Tablespace & Extent Specs.

Click Edit.



From the Snapshot Group Wizard - Tablespace and Extent Characteristics window:

· Select the correct tablespace (in this case, USERS).

· Extent Characteristics:
Initial Size: 1 M
Next Size: 1 M
% Increase: 0
% Free: 10
% Used: 40

Click Back and repeat this for the remaining five tables.

Click Next.



Click Finish.



Confirm your selections.

Click OK.



A refresh group is automatically created along with the snapshot group. Use the refresh group to schedule the frequency of replication.

From Oracle Replication Manager, expand the directory tree following this path:

repadmin@pym
   scheduling
      refresh group



From the Edit menu, select Properties to open the Modify Refresh Group window.



From the Modify Refresh Group window, click the Scheduling tab, then click Interval Edit.



From the Set Interval window, select the appropriate refresh interval.

Click OK.



The selected interval appears in the Interval window.

· Clear the Update master before a refresh check box.

· Clear the Refresh after errors updating master check box.

Click Apply.
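The same snapshot-site setup as SQL*Plus statements run on pym as the csecure user, covering the drop-table step, the read-only snapshot settings chosen in the wizard, and the refresh group with both "update master" options cleared. This is an added example, not from the original document or from CiscoSecure: the database link name NOC.WORLD, the csecure schema and the USERS tablespace come from the document; the refresh group name CS_REFRESH, the hourly interval, and using plain CREATE SNAPSHOT instead of a Replication Manager snapshot group are assumptions.

```sql
-- Added example (not from the original document). Run in SQL*Plus on pym
-- as csecure. Assumptions: database link NOC.WORLD to the master site,
-- refresh group name CS_REFRESH, hourly refresh interval.

-- Step 1: drop the locally installed copies; the master will supply them.
DROP TABLE cs_group_profile;
DROP TABLE cs_password;
DROP TABLE cs_privilege;
DROP TABLE cs_profile;
DROP TABLE cs_profile_blob;
DROP TABLE cs_user_profile;

-- Step 2: recreate each table as a read-only snapshot (no FOR UPDATE
-- clause, matching "Updatable" unchecked) of the master copy, in
-- tablespace USERS with the extent settings from the wizard.
-- Shown for CS_USER_PROFILE; repeat for the other five tables.
CREATE SNAPSHOT cs_user_profile
  PCTFREE 10 PCTUSED 40
  TABLESPACE users
  STORAGE (INITIAL 1M NEXT 1M PCTINCREASE 0)
  REFRESH COMPLETE
  AS SELECT * FROM csecure.cs_user_profile@noc.world;

-- Step 3: put the six snapshots in one refresh group so they refresh
-- together on a schedule. push_deferred_rpc => FALSE is the cleared
-- "Update master before a refresh" box; refresh_after_errors => FALSE is
-- the cleared "Refresh after errors updating master" box. Neither applies
-- to read-only snapshots, so both stay off.
BEGIN
  DBMS_REFRESH.MAKE(
    name                 => 'csecure.cs_refresh',
    list                 => 'csecure.cs_group_profile,csecure.cs_password,'
                         || 'csecure.cs_privilege,csecure.cs_profile,'
                         || 'csecure.cs_profile_blob,csecure.cs_user_profile',
    next_date            => SYSDATE,
    interval             => 'SYSDATE + 1/24',   -- hourly (assumption)
    push_deferred_rpc    => FALSE,
    refresh_after_errors => FALSE);
END;
/

-- Equivalent of "Refresh Now": refresh the whole group immediately.
EXECUTE DBMS_REFRESH.REFRESH('csecure.cs_refresh');
```

After the refresh, SELECT COUNT(*) FROM cs_user_profile on pym should match the same query on the master, which is the same check the HTML interface browse performs by hand.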



Telnet to the UNIX host.

Add cache triggers.

Log in to pym as the root user. From the CiscoSecure directory, /opt/acs, change to the utils/bin directory.

Enter the command:

./CSdbTool cache_trigger_snap



When completed, this notification appears: "Successfully done."



Update indexes for snapshot sites.

Enter the command:

./CSdbTool ora_rep_indx_snap



When completed, this notification appears: "Successfully done."



Return to Oracle Replication Manager, click the General tab, then click Refresh Now.



Use the CiscoSecure HTML interface to verify that the data has been replicated.

Enter:

· Username: superuser

· Password: <password>

Click Submit.



Click Member.

Click Browse.

User groups are displayed.

Click Log Off to exit.


Note When you delete the tables from a snapshot site, you also delete the RADIUS server profile for that site. You need to add the RADIUS server profile to the master site for each snapshot site.

Network Access Server Configuration

After database replication has occurred, users dial in to the network via a network access server (NAS) and are authenticated against the information contained in the distributed databases. The following is the running configuration from the NAS (in this case, a Cisco AS5200 running Cisco IOS Release 11.3). It is reproduced as captured, with no service password-encryption in effect, so the passwords it contains appear in clear text; a production deployment would enable password encryption and use its own credentials and RADIUS key. For more information about any of the commands displayed below, refer to the Cisco IOS Release 11.3 Command References.

NAS5200#sh run
 
Building configuration...
Current configuration:
!
version 11.3
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname NAS5200
!
aaa new-model
aaa authentication local-override
aaa authentication login default radius
aaa authentication login no_tacacs1 local
aaa authentication login vtymethod tacacs+ enable
aaa authentication ppp default radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
enable password cisco
!
username admin password 0 cisco
username cons password 0 cisco
username space password 0 cisco
username dang password 0 cisco
username evo password 0 cisco
username cisco password 0 cisco
ip domain-name cisco.com
isdn switch-type primary-5ess
chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNE
chat-script sporter "" "at&fs0=1" "OK" ""
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 shutdown
 clock source line secondary
!
interface Loopback0
 ip address 111.111.111.111 255.0.0.0
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0
 ip address 10.1.1.1 255.0.0.0
 no ip route-cache
 no ip mroute-cache
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 no ip mroute-cache
 peer default ip address pool pool1
 ppp authentication chap
!
interface Serial0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0:23
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 isdn incoming-voice modem
!
interface Group-Async1
 description : Async1 & 2 -> NO PPP auth --> Line1& 2 MUST NOT PPP Autoselect /
 ip unnumbered Ethernet0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 async mode interactive
 peer default ip address pool pool1
 no cdp enable
 ppp authentication chap
 group-range 1 12
!
router rip
 network 56.0.0.0
!
ip local pool pool1 10.2.3.4 10.6.7.8
no ip classless
access-list 10 permit 0.1.1.1 255.0.0.0
radius-server host 10.3.4.5 auth-port 1645 acct-port 1646
radius-server timeout 30
radius-server key SECRET12345
!
line con 0
 exec-timeout 0 0
 password cisco
 login authentication no_tacacs1
line 1 12
 autoselect ppp
 script startup sporter
 script dialer usr*
 script reset sporter
 modem InOut
 modem autoconfigure type usr_sportster
 transport input all
 telnet transparent
line aux 0
line vty 0
 password cisco
 login authentication loginlist
 width 110
line vty 1 4
 password cisco
 login authentication vtymethod
!
end


Posted: Fri Sep 15 08:45:56 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.