UCS Administration and RBACd2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKCOM-2006.pdf · UCS...

2

UCS Administration and RBAC BRKCOM-2006

Jose Martinez

Technical Leader Services

@DonQnCoke

© 2013 Cisco and/or its affiliates. All rights reserved. BRKCOM-2006 Cisco Public

Agenda

UCS Management Introduction

SNMP and the UCS

Smart Call Home

XML and the UCS

Authentication Methods

Organization & Locales

Role-Based Access Control

4


Agenda

Multi-UCS Management

UCS in VMware Environments

Collection & Threshold Policies

Backups

5




Remote access to UCSM available via

– HTTP (Port 80)

– HTTPS (Port 443)

– SSH (Port 22)

– Telnet (Port 23 , disabled by default)

– SNMP (Port 161, disabled by default)

– CIM-XML (Port 5988 , disabled by default)

Multiple remote authentication mechanism available

7


UCS Management Introduction Model-Based Framework

8

GUI

Available

Comprehensive

Modular Reliable

Serviceable

CLI Standards

(SNMP, IPMI, etc)

Secure

Module Base

Open

XML API

Management

Information Tree

Data Management

Engine (DME)

Application

Gateways (AG)

Managed Endpoints

SNMP and the UCS


UCSM SNMP Evolution

UCSM 1.0(1) thru 1.2(1) releases

– IETF networking MIBs, such as the IF-MIB and the ENTITY-MIB were implemented

UCSM 1.3(1) release

– Reports equipment and logical faults

– UCS Fault MIB

– Sends SNMP Traps or Informs when UCSM fault is raised or cleared

UCSM 1.4(1) thru 2.1(1) releases

– 100% UCSM data model coverage via private MIBs

Subtitle: Size 18, Left Aligned

10


UCSM SNMP Features

Support for SNMPv1, SNMPv2c and SNMPv3

Cisco UCS supports read-only access to MIBs

If using SNMPv3 the following authentication protocols are available

– HMAC-MD5-96 (MD5)

– HMAC-SHA-96 (SHA)

If using SNMPv3 the privacy password offers a choice of DES or 128-bit AES encryption

Starting with UCSM 2.0(2m) SNMP defaults to v3 when enabled

Starting with UCSM 2.0(2m) non-secure SNMPv1/v2c access can be disabled while SNMP is still enabled


11


UCSM SNMP GUI Configuration

12


UCSM SNMP Fault Notification (Traps)

UCSM supports two Traps

– cucsFaultActiveNotif – Generated whenever a fault is active and the fault state changes

– cucsFaultClearNotif – Generated whenever a fault is cleared

Traps notifications include

– cucsFaultDescription

– cucsFaultAffectedObjectId

– cucsFaultCreationTime

– cucsFaultSeverity

– cucsFaultId

Traps are defined in the CISCO-UNIFIED-COMPUTING-NOTIFS-MIB


13


Cisco UCS SNMP MIB Files

14


Cisco UCS SNMP Traps Example

15


UCSM SNMP & Fault Suppression

Fault Suppression Introduced in 2.1(1)

Traps can be suppressed during a specific time periods

Suppression of transient faults for physical and logical entities


16

Smart Call Home


UCS Smart Call Home

Provides email-based notifications

Email format can be text or XML

Configuration dictates which faults or events generate alerts

Alert messages can be delivered to specific person or groups

UCSM executes appropriate CLI commands to attach to message automatically

Some messages result in automatic Service Request creation

http://www.cisco.com/en/US/docs/unified_computing/ucs/ts/faults/reference/TS_CallHomeFaults.html


18






Smart Call Home Architecture

19

Internet

Customer

Secure Authenticated

Access to Hosted Portal

Device Diagnostic

Library

Remediation

Recommendation

Engine

Diagnostics &

Parsing Engine

Smart Call Home Portal TAC

Automatic

SR

Remediation

Recommendation

Intelligent Monitoring

& Collection Engine

Secure Transport

Cisco

HTTPS Encryption & Certificate-

based authentication


UCS Smart Call Home GUI Configuration

20


UCS Smart Call Home GUI Configuration

21

XML and the UCS


UCSM XML API

Programmatic interface

Communicates over HTTP/HTTPS

Standard Request/Response cycle

Role Based Authentication

Object Model Hierarchy

Build-in Object Browser

Published Schema

High Availability

23


Copying the XML

The UCSM GUI allows administrators to copy the XML used to create any object

This can be helpful when developing scripts or creating applications with the XML API

24

Right-click


Copying the XML

25


Cisco UCSM Developer Network

Downloads

– UCS Platform Emulator

– goUCS Automation Tool

– XML API, Perl, Powershell code samples

Documentation

– Programming & Developer Guides

– White papers

– Reference Guides

Collaboration

– Blogs

– Videos

– Peer to peer forums

http://developer.cisco.com/web/unifiedcomputing/home

26


UCS Case Examples for UCS XML API

Manage Multiple UCS Systems

Monitor and Integrate the Event Stream

Automate Issue Remediation

Automate Deployment

Automate Backup

Firmware Image Management

27


UCS Ecosystem

Monitoring and Analysis

– BMC ProactiveNet Performance Mgmt

– CA Spectrum Infrastructure Manager

– EMC DCI

– HP Operations Manager / Open View

– IBM Tivoli Monitoring and Netcool

– Microsoft System Center Operation Manager

– ScienceLogic EM7

– Zenoss Enterprise

– Solarwinds Orion

– InfoVista 5View

Service Orchestration

– Cisco Intelligent Automation

– Cloupia Unified Infrastructure Controller

– BMC Cloud Lifecycle Manager

– DynamicOps Cloud Automation Center

– EMC Unified Infrastructure Manager

– HP Operations Orchestration

– IBM Service Delivery Manager

– VMware vCenter / vCloud Director

Deployment and Configuration

– BMC Blade Logic

– CA Spectrum Automation Manager

– HP Server Automation

– IBM Tivoli Provisioning Manager

– Symantec Altiris DS

28

UCSM Authentication Methods


Authentication Services

During login the UCSM

– Queries the local or remote authentication server

– Validates the user

– Checks for Roles and Locales assigned to user

A custom user attribute can be used to extend the schema of the remote authentication provider

– LDAP : CiscoAVPair customer attribute ; ID 1.3.6.1.4.1.9.287247.1

– RADIUS : The vendor ID for the Cisco RADIUS implementation is 009, the vendor ID for the attribute is 001. Multiple roles or locales can be passed via the cisco-avpair with the following syntax – shell:roles=“operations,network” shell:locales=“Exec,Finance”

– TACACS+ : The cisco-av-pair name is the string that provides the attribute ID for the provider. The following syntax can be use to pass multiple roles and locales – cisco-av-pair=shell:roles=“operations network” shell:locales*”Engineering”

30


UCSM Multiple Authentication Model

31

LDAP

RADIUS

TACACS+


Providers and Provider Groups

Providers

– Servers used by UCSM to authenticate users

– A total of 16 servers per authentication method

– Defined by IP or Hostname

32


Providers and Provider Groups

Provider Groups

– Providers can be separated into groups

– A single Provider can be present in more than one Provider Group

– A total of 16 Provider Groups can be defined per authentication method

– The administrator can set the order the Providers are queried

– If all Providers are unavailable or unreachable, then UCSM automatically falls back to the local authentication method using the local username and password

33


Authentication Domain and Realms

Domains

– Allows UCSM to leverage multiple authentication systems

– Up to eight (8) different domains per system

– Domains are always tied to a Realm

– Provider groups can be assigned

– If no provider group listed, then all servers within the Realm are used

Realms

– Defines the authentication protocol for a particular Domain

– Type : Local, Radius, TACACS+ or LDAP

34


Default and Console Authentication

Default and Console Authentication accessed via Native Authentication option

Default Authentication used when user login via SSH/Telnet/GUI/XML, but no domain was specified

Console Authentication used when user login via Console port in FI

Valid Real are Local, RADIUS, TACACS+, LDAP and None

Role policy defines what roles to assign if Provider didn’t supply roles

35


Login via Authentication Domain

For SSH, Telnet or XML the username has to include the domain in order to qualify it properly

– XML : <aaaLogin inName="ucs-server-mgmt\ciscolive" inPassword="Cisco12345" />

– Telnet : ucs-network-mgmt\ciscolive

– ssh ucs-network-mgmt\\[email protected]

For GUI a list of Domains can be selected from a pull down menu

36


Troubleshooting Provider Connection

Test command for individual server executed from NXOS CLI

37

F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason passwd

user has failed authentication

Invalid credentials

F340-33-16-FI-B(nxos)# test aaa server ldap 14.17.111.110 jomartin passwd

can not find the LDAP server



Test command for server executed from NXOS CLI

38

F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason password

user has been authenticated

Attributes downloaded from remote server:

User Groups:

CN=ucsadmin,OU=CiscoUCS,DC=jlill,DC=lab

Roles:

admin

F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason password



User Groups:

CN=ucskvm,OU=CiscoUCS,DC=jlill,DC=lab

Roles:

kvm-only



Test command for Provider Group executed from NXOS CLI

39

F340-31-17-FI-A-A(nxos)# test aaa group jlill-dc jason password

Problem in validating the group

F340-31-17-FI-A-A(nxos)# test aaa group jlill-dc1 jason password



User Groups:

CN=ucsadmin,OU=CiscoUCS,DC=jlill,DC=lab

Roles:

admin



Debug output executed from the NXOS CLI

– debug <radius | tacacs+ | ldap>

– debug aaa all

Usually done with TAC assistance

Always turn all debugs OFF after troubleshooting

– undebug all

40



Ethanalyzer tool usage from NXOS level

– Selecting the mgmt interface we can sniff all traffic to/from the management port

– Cannot be used to sniff the 10GE ports in the motherboard

– Can be saved as pcap file to open in Wireshark

41


Active Directory Integration using LDAP

Release 1.4(1) introduced the ability to configure LDAP to an Active Directory environment without the need for AD schema changes

Pre-1.4(1) configurations need to be removed first

The use of editors, like ADSI Edit, makes it easier to collect information and edit the CiscoAVPair attribute

When using Active Directory as LDAP server you need to create a user account to bind to UCS. It should be given a non-expiring password.

Caveat – In 1.4 and 2.0 UCSM releases there was no way to map LDAP group to Read-Only Role. This was resolved in 2.1 release. There is a work-around available for 1.4 and 2.0 releases.

42


Active Directory Integration using LDAP

The following information is needed to configure the LDAP communication

– Hostname or IP of server. If encryption over SSL is used, then the FQDN is needed

– Bind DN. This is the distinguishedName attribute of the account.

– Base DN. This is the distinguishedName of the domain.

– Filter. This is the sAMAccountName attribute. Format is attribute=$userid

– Attribute. This is the CiscoAVPair attribute. Can be left alone if you don’t want to modify the schema. Instead us the LDAP Group in UCSM.

– Password. This is the Bind’s user password

If using SSL the port can be kept at the default of 389. The endpoints will negotiate a TLS session on port 636.

43

UCSM Organizations and Locales


Organizations

Allows dividing the infrastructure into logical entities

Extremely helpful in multi-tenancy environments

Multiple levels of sub-organizations can be created. Up to a maximum of 5 levels under Root.

45


Organizations

Resources, pools, service-profiles in one organization are not available to other organizations

In multi-level configurations if a resource or policy is not found, then the system moves up the hierarchy looking for the same name until found. If UCSM cannot find an applicable policy or available resource in the hierarchy, then it returns an allocation error.

46


Locales

Locales work in conjunction with Organizations in a multi-tenancy environment to restrict access

Locales tie one or multiple Organizations to a user

More than one Local can be assigned to a single user

Users assigned an Organization has access to all Sub-Organizations in that particular hierarchy

A UCS system can contain up to 48 locales

Users with aaa, admin or operations privileges cannot be assigned a Locale

47


Locales Configuration

Locales are created under the Admin tab in the User Management User Services menu

To create the locale you can drag/drop the Organization from the list to the pane

48

UCSM Role-Based Access Control (RBAC)


Role-Based Access Control (RBAC)

RBAC is a method of restricting or authorizing system access for a particular user

Utilizes Roles and Locales

A Role consist of one or more Privileges that will be assigned to the user

Privileges are very granular

There are a total of 11 default Roles (as of 2.1.1d)

Administrators can create custom Roles by selecting specific Privileges

– Example : A custom Role for KVM-Only access can be created by assigning only the Service Profile Ext Access to the new Role.

Privileges cannot be modified

50



51

Default Roles

Network Role Privileges



52



53


RBAC via LDAP Group Maps

LDAP Group Maps allows administrator to associate Active Directory group role with UCS role

If the organization already uses LDAP groups to define authorization policies, then UCSM is expected to use Group membership information to assign the authorization policy (Roles and Locales)

This eliminates the need to define this information for individual users in LDAP

This also helps in scenarios where customers do not like to modify the Active Directory while deploying the UCS

54


RBAC via LDAP Group Maps

A maximum of 28 LDAP Group Maps

Support for nested LDAP groups expected in 2.1 Maintenance Release

55


LDAP Integration Workflow

56

UCS Admin define Roles and Locales

UCS Admin maps Roles and Locales into LDAP groups

User logs into UCSM

UCSM authenticates user with LDAP

UCSM reads user’s group membership

UCSM applies Roles and Locales based on LDAP Group Map

LDAP Admin defines users

LDAP Admin put user into group

Multi-UCS Management


UCS Central Overview

External VM based application

Requires UCSM 2.1(1) or above

VM available for VMware and Hyper-v hypervisors

Allow multiple UCS systems to be managed from a single management tool

Simplifies large scale UCS deployments

Extension of management paradigm

Similar hierarchical presentation to UCSM

– Domains, Domain Groups, Sub-Domains

License done per Domain (pair of Fabric Interconnects)

58


UCS Central Overview

First five (5) Domains do not require a license

Phase 1 features

– Inventory, Fault and Event log aggregation

– Global ID pools, Firmware Upgrades, Backup and Global Admin Policies

Phase 2 features

– Global service-profiles, templates and policies

– Statistic aggregation

59


Centralized Inventory

60

Domains grouped in tree under the

Domain Groups Cross launch for UCSM or KVM Console

Faults on selected resources

Equipment status and details

Global inventory of all components of UCS organized by Domain

Refreshes on customizable schedule

Tree view of devices similar to UCSM


Centralized Fault Summary …and Audit logs too!

61


Automated

Scheduled

Downloads from

Cisco.com

Cisco.com

UCS Central Firmware Library Global Firmware Policies

Firmware Auto Install

Centralized Firmware Upgrade

62

UCS in VMware Environments


UCS vCenter Plugin

Single point to manage physical and virtual infrastructure

Phase 1 :

– View UCS health & configuration

– Track virtual and physical relationships

– Faults / Events

– Click-to-open UCSM GUI and KVM

Phase 2 :

– Configure UCS

– UCS resource pools

– Associate Service Profiles

– Boot nodes w/Auto Deploy

64

UCSM Collection and Threshold Policies


UCSM Statistic Collection Policy

Policy defines

– How frequently stats are to be collected (collection interval)

– How frequently stats are to be reported (reporting interval)

Report Interval Time > Collection Interval Time

Stats can be collected and reported for the following areas :

– Adapter

– Chassis

– Fex

– Host

– Port

– Server

66


UCSM Statistic Collection Policy

Only one (1) default policy per area present which cannot be deleted

New stats collection policies cannot be created

Only modification of the default policy is allowed

67


GUI Statistics Collection Display

Since there are several collections per report the UCSM provides a min/max/avg display for each stat

68


UCSM Statistic Threshold Policy

Monitors stats about certain aspects of the system

Generates an event if a threshold is crossed

Minimum and Maximum thresholds can be configured

Threshold policy does not control any hardware, just raises alarms

Available for the following components

– Uplink Ethernet Ports

– Uplink Fibre Channel Ports

– Ethernet server ports

– Server and server components

– Chassis

– Fabric Interconnects

69



It can be configured via Policy under Server, LAN, SAN or Admin tab

Define Name Define Threshold Classes Define Threshold Definition

70



Once defined it can be added to any service-profile thru the Policies Tab

71

UCSM Backups


Backup Operation

Allows the backup of the Domain configuration

There are four (4) types of backup options

– Full state

– All configuration

– System configuration

– Logical configuration

Multiple transport protocol options

– FTP

– TFTP

– SCP

– SFTP

73


Backup Options

Full State

– Binary file that contains full configuration of system

– Ideal for DR situations

– Cannot be used for an import

All Configuration

– XML file that contains all system and logical configuration of system

– Cannot be used to restore system

– Ideal to import the stored configuration settings back to the same or new UCSM

– Does not include password for Locally Authenticated Users

74


Backup Options

System Configuration

– XML file that includes all system configurations (username, roles, locales, etc)



Logical Configuration

– XML file that includes all logical configurations (Service-profile, VLAN, VSAN, etc)



The All Configuration and Logical Configuration options allow the chance to Preserve Identities

– The backup file preserves all identities derived from pools, including the MAC addresses, WWPN, WWNN, and UUIDs

75


Backup Automation

Backup Export Policy introduced in 2.1(1) release

76

In Conclusion


Takeaways

SNMP has support for large number of MIBs ideal for monitoring system

Smart Call Home expedites the time of resolution by automatic SR creation

Very powerful XML API programmatic interface to assist in many tasks

Multiple authentication methods available

Use of Roles and Locales allow for task to be divided into smaller groups

UCS Central provides single window to multiple UCS Domains

Stats Collection and Threshold Policies can provide insight on traffic patterns

Backup – If you haven’t backup your system, then that is your HOMEWORK!

78


Maximize your Cisco Live experience with your

free Cisco Live 365 account. Download session

PDFs, view sessions on-demand and participate in

live activities throughout the year. Click the Enter

Cisco Live 365 button in your Cisco Live portal to

log in.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Daily Challenge points for each session evaluation you complete.

Complete your session evaluation online now through either the mobile app or internet kiosk stations.

79

Date post:	27-Sep-2018
Category:	Documents
Upload:	dodan
View:	220 times
Download:	0 times

UCS Administration and RBACd2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKCOM-2006.pdf · UCS...

Documents