CiscoSecure ACS Database Utilities

The CiscoSecure ACS provides a utility, CSUtil, that simplifies database management. You can use this utility to import username, password, and group information all at once from a standard text file to back up your database and to maintain your database. This appendix contains details on this utility.

Database Import Utility

This section describes how to import a text file into the CiscoSecure User Database. This allows you to add new users to the database and modify users' authentication information. The use of the CSUtil.exe allows you to add or modify information for many users. When the default location is used during installation, the import utility, CSUtil, is located in the following directory:

C:\Program Files\CiscoSecure ACS v2.0\Utils

Note You can also use the database replication feature to replicate user information from one CiscoSecure ACS to another CiscoSecure ACS. See the section "Database Replication" later in this appendix for more information.

Creating the Text File

You have two options for running the CSUtil program:

ONLINE--Database updates are performed while the CiscoSecure ACS continues to run. This slows down the performance of CSUtil.
OFFLINE--Database updates are written directly to the CiscoSecure User Database. CSAuth must be stopped to run in this mode. The import is much faster but services are down as long as CSAuth is stopped.

Each entry must have the following information on a single line using colons to delimit the fields:

Username
- ADD--Keyword to add user information to the CiscoSecure User Database. If the username already exists, no information is changed.
- UPDATE--Keyword to update the information associated with the existing username in the CiscoSecure User Database.
Note If the username does not exist, an error message is returned. Use the ADD keyword in this case.
- DELETE--Keyword to remove the user information from the CiscoSecure User Database.
Authentication type
- CSDB--Indicates that the name should be authenticated against the CiscoSecure User Database.
- EXT_NT--Indicates that the name should be authenticated against the Windows NT user database.
- EXT_NDS--Indicates that the name should be authenticated against the Novell NDS user database.
- EXT_SDI--Indicates that the name should be authenticated against the SDI user database.
- EXT_ANPI--Indicates that the name should be authenticated against the AXENT user database.
- EXT_Enigma--Indicates that the name should be authenticated against the Safe Word user database.
- CHAP--Indicates that a CHAP password is required for authentication.
User Group
- PROFILE--Indicates the group number to which the user is assigned. This must be a group number from 0 to 99, not a name.
Note If you do not provide a profile number, the user is added to the default group 0.

Here are examples of the syntax for the import text file:

CiscoSecure authentication

ADD:user01:CSDB:userpassword:PROFILE:1

Windows NT Database authentication

ADD:user02:NT::PROFILE:2

CHAP and CiscoSecure authentication

ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3

Note These entries are case-sensitive. The colons are mandatory delimiters.

Example import text file:

OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:NT::PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI:
ADD:vanessa:CSDB:vanessaspassword
ADD:juan:CSDB_UNIX:unixpassword

Importing User Information from a Text File

The following are a list of command arguments used with CSUtil:

CSUtil [-q] [-c] [-d] [-g] [-i file] [-l file] [-m error] [-n] [-x]

-q: Quiet mode. Does not prompt; use before other options.
-c: Recalculate database CRC values.
-d: Dump whole database to dump.txt.
-g: Dump group information only to group.txt.
-i: Import users from import.txt or named file.
-l: Load database from dump.txt or named file (use -n -l to initialize and load).
-m: Decode error number to ASCII message.
-n: Create new database and index.
-x: Help information (display this message).

CSUtil processes parameters left to right, guaranteeing the order in which they are executed.

Enter the following command after you complete creation of the import text file.

Merge the import text file with the current CiscoSecure User Database:

: csutil -i filename.txt

Note

Overwrite the current CiscoSecure User Database with the import text file:

: csutil -n -i filename.txt

Note

Store group configurations in the groups.txt file and removes all users. It then reloads the group configurations and adds user information from the import.txt file:

: csutil -g -n -l groups.txt -i import.txt

Caution

All user information is destroyed. Group information still exists in the groups.txt file and can be used with the import.txt file to add new users with existing group information.There is no warning when information is overwritten.

Database Backup and Restore Utility

To facilitate backup and restoration of the CiscoSecure ACS's configuration data and database, the CSUtil.exe utility is provided in the CiscoSecure ACS's Utils directory.

csutil -b--Creates a complete backup of all of the CiscoSecure ACS's data
csutil -r--Restores a CiscoSecure ACS server from the backup file

CSUtils Backup

To perform a backup of the CiscoSecure ACS user and group data, execute the following instructions from the Windows NT command prompt (DOS window):

Net stop csauth--Stop the CSAuth authentication service to allow backup to take place.

Csutil -d users_and_groups.txt--Backup the users and groups data to a text file called users_and_groups.txt. To back up only the group data, use the command with a -g instead of a -d command switch.

Net start csauth--Restart the CSAuth authentication service.

The users_and_groups.txt file can then be backed up to tape and stored somewhere safe.

To use csutil -b to create a backup file, enter:

csutil -b directoryname

This creates the following files in Utils\SysBackups\directory_name\:

registry.dat
user.dat
user.idx
varsdb.mdb
A compressed backup file named with the current date and time in the format yyyymmddhhmm.zip. This is written to the CiscoSecure ACS\utils\dbcheckpoint directory. Each backup creates a new file that does not overwrite existing files. The data is stored in compressed format and, therefore, takes up very little space, and the system administrator must still perform the necessary file management to maintain adequate disk capacity.

We strongly recommend that you use the CSUTIL.exe utility to construct an automated procedure to perform regular system backups as part of a comprehensive disaster recovery regime.

CSUtils Restore

To restore from the backup file, execute the following instructions:

Net stop csauth
CSUtil -l users_and groups.txt
Net start csauth

We strongly recommend that the above procedure is carried out as a part of a general backup regime that includes backups of the Windows NT system Registry using the tools supplied with Windows NT for this purpose. Rapid recovery can then be achieved if a serious system failure occurs.

Database Maintenance

Unexpected database file size growth can cause problems with the database. To avoid these problems, the CiscoSecure ACS allows you to institute a database maintenance schedule that performs a database compaction on a periodic basis. To facilitate this maintenance, a Windows NT batch command file, DB_compact.cmd, is included in the Utils directory of the CiscoSecure ACS.

The VarsDB.MDB file used by the CiscoSecure ACS is based on Microsoft ODBC technology. In common with most RDMBS, ODBC uses a deletion scheme that does not actually remove records from the database when they are deleted--records are simply marked as deleted and do not show up in queries, and so forth. To actually purge the database of the deleted records, a separate process, called compaction, must be run. In small databases with low transaction rates, it is not particularly important to regularly compact the database, because the database will stay a relatively consistent size. In a large database environment with large numbers of deletions, the database file can grow significantly over time. If compaction is not carried out, this can have serious effects on the overall operation of the system.

In order to avoid unexpected and problematic database file size growth, it is prudent to institute a database maintenance regime that performs a database compaction on a periodic basis. In order to facilitate this, an NT batch command file, DB_compact.cmd, is included with the CiscoSecure ACS (in the Utils directory). This file executes the following commands:

net stop CSAuth--Stops the CiscoSecure ACS
csutil -d--Dumps the database to a temporary file (dump.txt)
csutil -n--Initializes the database
csutil -l--Reloads the database
net start CSAuth--Restarts the CiscoSecure ACS

Authentication service will be interrupted while these commands execute because the authentication service is stopped.

Note Before you run DB_compact.cmd, back up the CiscoSecure ACS database.

Although DB_compact.cmd should not have any negative effect on the CiscoSecure ACS operation, there is always the possibility with compaction operations that something could go wrong. It is, therefore, always a good idea to perform a database backup prior to executing a database compaction. Then, if something does go wrong during the DB_compact.cmd run, a current backup will be available and service can be restored quickly. See the section "Database Backup and Restore Utility" earlier in this appendix for information on how to back up the CiscoSecure ACS database.

Table of Contents

CiscoSecure ACS Database Utilities