Cisco UCS Administration and RBAC (BRKCOM-2006), Jose Martinez, Technical Leader Services. Source: d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKCOM-2006.pdf


Cisco UCS Administration and RBAC

BRKCOM-2006

Jose Martinez

Technical Leader Services

@jose_at_csco


© 2014 Cisco and/or its affiliates. All rights reserved. BRKCOM-2006 Cisco Public

Agenda

• UCS Management Introduction

• SNMP and the UCS

• Smart Call Home

• XML and the UCS

• Authentication Methods

• Two Factor Authentication

• Organization & Locales

• Role-Based Access Control


Agenda

• Multi-UCS Management

• UCS in VMware Environments

• Collection & Threshold Policies

• Backups

• Conclusion


Cisco UCS Management Introduction


Cisco UCS Management Introduction

• Remote access to UCSM is available via

– HTTP (port 80)

– HTTPS (port 443)

– SSH (port 22)

– Telnet (port 23, disabled by default)

– SNMP (port 161, disabled by default)

– CIM-XML (port 5988, disabled by default)

• Multiple remote authentication mechanisms are available

• Of these, only HTTPS and SSH protect credentials in transit; HTTP, Telnet, SNMPv1/v2c and CIM-XML on 5988 are cleartext, so keep the optional services disabled unless there is a specific need and re-check the enabled services after every upgrade


Cisco UCS Management Introduction: New Features in 2.1(2)

• Reduction of the GUI JAR file size in the 2.1(2) release

– Original size 52.3 MB, new size 8.2 MB (an overall 84% reduction)

• Better CIMC management added in the 2.1(2) release

– More visibility

– Ability to terminate sessions


Cisco UCS Management Introduction: New Features in 2.2(1)

• Direct KVM access via URL:

– http://<CIMC_IP_Address>

– https://<CIMC_IP_Address>

• Server admins get KVM access without having to go through UCSM

• Supported only over out-of-band management (the FI mgmt port)

• Each CIMC address thereby becomes a directly reachable login endpoint: restrict reachability to the management network and prefer the HTTPS URL


Cisco UCS Management Introduction: New Features in 2.2(1)

• CIMC in-band management option

– CIMC traffic takes the same path as data traffic

– CIMC traffic is now separate from UCSM management traffic

– Supports both IPv4 and IPv6

– Supported only on M3 and newer compute blades

• A new Inband Profile is available under LAN tab > LAN Cloud > Global Policies:

– Inband VLAN Group: the list of VLANs available for in-band communication

– Network: the default in-band VLAN used to configure in-band access on servers when the user has not explicitly configured one

– IP Pool Name: the pool from which the CIMC IP addresses are allocated


Cisco UCS Management Introduction: New Features in 2.2(1)


UCS Management Introduction: Model-Based Framework

(Architecture diagram.) Every management interface, the GUI, the CLI, the standards-based interfaces (SNMP, IPMI, etc.) and the XML API, operates on the same Management Information Tree, which is owned by the Data Management Engine (DME). Application Gateways (AG) translate between the DME's model and the Managed Endpoints. The framework is characterised as model-based, available, comprehensive, modular, reliable, serviceable, secure and open.


Cisco UCS SNMP Support


Cisco UCSM SNMP Evolution

• UCSM 1.0(1) through 1.2(1) releases

– UCS networking (NX-OS) MIB support

• UCSM 1.3(1) release

– Reports equipment and logical faults

– CISCO-UNIFIED-COMPUTING-MIB

– Sends SNMP traps or informs when a UCSM fault is raised or cleared

• UCSM 1.4(1) through 2.2(1) releases

– 100% UCSM data model coverage via private MIBs


Cisco UCSM SNMP Features

• Support for SNMPv1, SNMPv2c and SNMPv3

• Cisco UCS supports read-only access to MIBs

• With SNMPv3 the following authentication protocols are available:

– HMAC-MD5-96 (MD5)

– HMAC-SHA-96 (SHA)

• With SNMPv3 the privacy password offers a choice of DES or 128-bit AES encryption

• Starting with UCSM 2.0(2m), SNMP defaults to v3 when enabled

• Starting with UCSM 2.0(2m), non-secure SNMPv1/v2c access can be disabled while SNMP is still enabled

• SNMPv1/v2c send the community string in cleartext, and MD5 and DES are the weak options within v3: where the NMS supports it, use v3 with SHA authentication and AES-128 privacy and disable v1/v2c


Cisco UCSM SNMP GUI Configuration


Cisco UCSM SNMP Fault Notification (Traps)

• UCSM supports two Traps

– cucsFaultActiveNotif – Generated whenever a fault is active and the fault state changes

– cucsFaultClearNotif – Generated whenever a fault is cleared

• Trap notifications include

– cucsFaultDescription

– cucsFaultAffectedObjectId

– cucsFaultCreationTime

– cucsFaultSeverity

– cucsFaultId

• Traps are defined in the CISCO-UNIFIED-COMPUTING-NOTIFS-MIB


Cisco UCS SNMP MIB Files

• ftp://ftp.cisco.com/pub/mibs/supportlists/ucs/ucs-manager-supportlist.html


Cisco UCS SNMP Traps Example


Cisco UCSM SNMP & Fault Suppression

• Fault suppression was introduced in 2.1(1)

• Traps can be suppressed during specific time periods (for example a maintenance window)

• Suppresses transient faults for physical and logical entities


Cisco UCS Smart Call Home Support


Cisco UCS Smart Call Home

• Provides email-based notifications

• Email format can be text or XML

• The configuration dictates which faults or events generate alerts

• Alert messages can be delivered to a specific person or to an email alias

• UCSM automatically runs the appropriate CLI commands and attaches their output to the message

• Some messages result in automatic Service Request creation

– http://www.cisco.com/en/US/docs/unified_computing/ucs/ts/faults/reference/TS_CallHomeFaults.html


Smart Call Home Architecture

(Architecture diagram.) On the customer side, UCSM's intelligent monitoring and collection engine sends Call Home messages across the Internet to Cisco over a secure transport: HTTPS encryption with certificate-based authentication. On the Cisco side, the Smart Call Home portal passes the messages through a diagnostics and parsing engine, a device diagnostic library and a remediation recommendation engine, returns remediation recommendations, and can raise an automatic SR with TAC. The customer gets secure, authenticated access to the hosted portal.


Cisco UCS Smart Call Home GUI Configuration


Cisco UCS Smart Call Home GUI Configuration


Cisco UCS XML Support


Cisco UCSM XML API

• Programmatic interface

• Communicates over HTTP/HTTPS

• Standard request/response cycle

• Role-based authentication: API sessions carry the same roles and locales as GUI and CLI logins

• Object model hierarchy

• Built-in object browser

• Published schema

• High availability


Copying the XML

• The UCSM GUI allows administrators to copy the XML used to create any object (right-click the object in the navigation pane)

• This is helpful when developing scripts or creating applications with the XML API


Copying the XML


Cisco UCSM Developer Network

• Downloads

– UCS Platform Emulator

– goUCS Automation Tool

– XML API, Perl and PowerShell code samples

• Documentation

– Programming & Developer Guides

– White papers

– Reference Guides

• Collaboration

– Blogs

– Videos

– Peer to peer forums

http://developer.cisco.com/web/unifiedcomputing/


UCS Case Examples for UCS XML API

• Manage Multiple UCS Systems

• Monitor and Integrate the Event Stream

• Automate Issue Remediation

• Automate Deployment

• Automate Backup

• Firmware Image Management


UCS Case Examples for UCS XML API: Cisco TAC

• A total of 29 domains

• Needed an easy way to locate hardware or find the particular software versions in use


UCS Case Examples for UCS XML API: Cisco TAC


UCS Case Examples for UCS XML API: Cisco TAC


Cisco UCS Authentication Methods


Authentication Services

• During user login, UCSM

– Queries the local or remote authentication server

– Validates the user

– Checks for the roles and locales assigned to the user

• A custom user attribute can be used to extend the schema of the remote authentication provider

– LDAP: the CiscoAVPair custom attribute; OID 1.3.6.1.4.1.9.287247.1

– RADIUS: the vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001. Multiple roles or locales can be passed via the cisco-avpair with the following syntax: shell:roles="operations,network" shell:locales="Exec,Finance"

– TACACS+: the cisco-av-pair name is the string that provides the attribute ID for the provider. The following syntax can be used to pass multiple roles and locales: cisco-av-pair=shell:roles="operations network" shell:locales*"Engineering" (in TACACS+ authorization, attr=value is a mandatory attribute and attr*value an optional one)

• Write access to this attribute on the provider is effectively the power to grant UCSM roles, up to admin: restrict who can edit it as tightly as the UCSM admin account itself


Cisco UCSM Multiple Authentication Model

(Diagram: UCSM can authenticate users against LDAP, RADIUS and TACACS+ providers, in addition to the local user database.)


Providers and Provider Groups

• Providers

– Servers used by UCSM to authenticate users

– Up to 16 servers per authentication method

– Defined by IP address or hostname


Providers and Provider Groups: Nested LDAP Groups

• Release 2.1(2) added support for nested LDAP groups

• Before 2.1(2), to process nested group membership the admin had to configure every group in the hierarchy

• This meant configuring many LDAP groups at the UCSM level and executing large, inefficient queries

• It could also exhaust the number of LDAP groups allowed


Providers and Provider Groups: Nested LDAP Groups

• Supported only for Microsoft AD

• No change when choosing Open LDAP as the vendor


Providers and Provider Groups

• Provider Groups

– Providers can be separated into groups

– A single provider can be present in more than one provider group

– Up to 16 provider groups can be defined per authentication method

– The administrator sets the order in which the providers are queried

– If all providers are unavailable or unreachable, UCSM automatically falls back to local authentication using the local credentials

– Change in 2.1: changing the order requires the auth-domain to be set to local for the change to complete without error

– Because the fallback is automatic, anyone who can make the providers unreachable is left facing only the local accounts: keep local passwords strong and unique to this domain, and alert on successful local logins


Authentication Domain and Realms

• Domains

– Allows UCSM to leverage multiple authentication systems

– Up to eight (8) different domains per system

– Domains are always tied to a Realm

– Provider groups can be assigned

– If no provider group is listed, all servers within the realm are used

• Realms

– Defines the authentication protocol for a particular Domain

– Type : Local, Radius, TACACS+ or LDAP


Default and Console Authentication

• Default and Console Authentication are configured via the Native Authentication option

• Default Authentication is used when a user logs in via SSH/Telnet/GUI/XML without specifying a domain

• Console Authentication is used when a user logs in via the console port on the Fabric Interconnect

• Valid realms are Local, RADIUS, TACACS+, LDAP and None

• The role policy defines which roles to assign when the provider did not supply any
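The domain, realm, provider-group and local-fallback rules from the last three slides, as an added Python simulation (not UCSM's code). The behaviour modelled is what the slides state; the data classes, the simplification of keying realms by type (one realm of each kind), the example provider names and the constructed reachability table are this example's own assumptions.

```python
"""Which credential store will actually authenticate a given UCSM login?

Added example, not UCSM code. It models the rules on the preceding slides:
a login written domain\\user selects that authentication domain, an
unqualified login uses the Default (native) authentication setting, a
domain without a provider group uses every provider in its realm, providers
are tried in the administrator's order, and when all of them are unreachable
UCSM falls back to the local user database. Realms are keyed by type here
(one realm of each kind), which is this example's simplification.
"""
from dataclasses import dataclass, field

TWO_FACTOR_REALMS = {"radius", "tacacs"}     # deck: 2FA only for RADIUS/TACACS+ domains
MAX_PROVIDERS = 16                            # deck: 16 servers per authentication method


@dataclass
class Provider:
    name: str
    reachable: bool = True                    # simulated here; UCSM finds out by timing out


@dataclass
class Realm:
    kind: str                                 # "ldap", "radius", "tacacs" or "local"
    providers: list = field(default_factory=list)
    provider_groups: dict = field(default_factory=dict)   # group name -> ordered provider names

    def __post_init__(self):
        if len(self.providers) > MAX_PROVIDERS:
            raise ValueError(f"{self.kind}: more than {MAX_PROVIDERS} providers")


@dataclass
class AuthDomain:
    name: str
    realm: str
    provider_group: str = ""                  # empty: all providers of the realm
    two_factor: bool = False

    def __post_init__(self):
        if self.two_factor and self.realm not in TWO_FACTOR_REALMS:
            raise ValueError(f"{self.name}: two-factor needs a RADIUS or TACACS+ realm")


def split_login(login: str):
    """'ucs-server-mgmt\\ciscolive' -> ('ucs-server-mgmt', 'ciscolive'); 'bob' -> ('', 'bob')."""
    domain, sep, user = login.partition("\\")
    return (domain, user) if sep else ("", login)


def ordered_providers(domain: AuthDomain, realms: dict) -> list:
    """Providers UCSM will try for this domain, in order."""
    realm = realms[domain.realm]
    if realm.kind == "local":
        return []
    by_name = {p.name: p for p in realm.providers}
    names = realm.provider_groups[domain.provider_group] if domain.provider_group else list(by_name)
    return [by_name[n] for n in names]


def authentication_path(login: str, domains: dict, realms: dict, default_domain: AuthDomain) -> dict:
    """Walk the providers; report which one answers, or that local fallback applies."""
    domain_name, user = split_login(login)
    domain = domains[domain_name] if domain_name else default_domain
    for provider in ordered_providers(domain, realms):
        if provider.reachable:
            return {"user": user, "domain": domain.name, "realm": domain.realm,
                    "provider": provider.name, "local_fallback": False}
    # Every provider failed (or the realm is local): the local credentials decide.
    return {"user": user, "domain": domain.name, "realm": "local",
            "provider": None, "local_fallback": domain.realm != "local"}


if __name__ == "__main__":
    # Constructed configuration: two domain controllers and an "eu" group that prefers dc2.
    realms = {
        "ldap": Realm("ldap", [Provider("dc1"), Provider("dc2")], {"eu": ["dc2", "dc1"]}),
        "local": Realm("local"),
    }
    domains = {"ucs-server-mgmt": AuthDomain("ucs-server-mgmt", "ldap", "eu")}
    default = AuthDomain("default", "ldap")
    print(authentication_path("ucs-server-mgmt\\ciscolive", domains, realms, default))
    for p in realms["ldap"].providers:
        p.reachable = False                   # simulate both DCs blackholed
    print(authentication_path("ciscolive", domains, realms, default))
```

The second printed result is the case the provider-group slide warns about: with every provider down, a login that the administrator thinks is governed by AD is decided by the local database, so the local accounts deserve the same password and monitoring standard as the directory.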


Login using Authentication Domain

• For SSH, Telnet or XML the username must include the domain for it to be qualified properly

– XML: <aaaLogin inName="ucs-server-mgmt\ciscolive" inPassword="Cisco12345" />

– Telnet: ucs-network-mgmt\ciscolive

– ssh ucs-network-mgmt\\[email protected] (the backslash is doubled so that the shell passes a single one through)

• For the GUI a list of domains can be selected from a pull-down menu

• The XML request carries the password as a plain attribute, so send it only over HTTPS, and never qualify a domain login over Telnet
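The domain-qualified aaaLogin request above, built and sent from Python with the response parsed into a session cookie, as an added example (not code from the deck or from Cisco's SDKs). The aaaLogin/aaaLogout elements, the domain\user name form and the /nuova endpoint are the UCSM XML API's; SAMPLE_OK and SAMPLE_FAIL are constructed responses with invented cookie, session and version values, and the host and certificate arguments of ucs_login are placeholders.

```python
"""Log in to the UCSM XML API with a domain-qualified user name.

Added example, not code from the deck or from Cisco's SDKs. The request
format (<aaaLogin inName=... inPassword=...>), the domain\\user form and the
/nuova endpoint are the UCSM XML API's; the sample responses below are
constructed for this example and their cookie/session/version values are made up.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

API_PATH = "/nuova"


class UcsLoginError(Exception):
    pass


def build_login(user: str, password: str, domain: str = "") -> bytes:
    """Return the aaaLogin request body; the domain prefix selects the auth domain."""
    name = f"{domain}\\{user}" if domain else user
    return ET.tostring(ET.Element("aaaLogin", inName=name, inPassword=password))


def build_logout(cookie: str) -> bytes:
    """Sessions persist until outRefreshPeriod expires; log out explicitly."""
    return ET.tostring(ET.Element("aaaLogout", inCookie=cookie))


def parse_login_response(body: bytes) -> dict:
    """Extract the session cookie and privileges, raising on an API error."""
    root = ET.fromstring(body)
    if root.tag != "aaaLogin":
        raise UcsLoginError(f"unexpected response element {root.tag}")
    if root.get("errorCode"):
        raise UcsLoginError(f"{root.get('errorCode')}: {root.get('errorDescr')}")
    return {
        "cookie": root.get("outCookie"),
        "refresh_period": int(root.get("outRefreshPeriod", "0")),
        "privileges": set(filter(None, root.get("outPriv", "").split(","))),
        "domains": root.get("outDomains", ""),
        "version": root.get("outVersion", ""),
    }


def ucs_login(host: str, user: str, password: str, domain: str = "", cafile: str = None) -> dict:
    """POST the login over HTTPS. cafile is the FI's certificate (or the CA that
    signed it); UCSM ships with a self-signed certificate, so import it rather
    than disabling verification, or the password goes to whoever answers."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{host}{API_PATH}",
        data=build_login(user, password, domain),
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_login_response(resp.read())


# Constructed responses in the shape UCSM returns (values invented).
SAMPLE_OK = (
    b'<aaaLogin cookie="" response="yes" outCookie="1400000000/0000aaaa-bbbb-cccc-dddd-eeeeffff0000" '
    b'outRefreshPeriod="600" outPriv="admin,read-only" outDomains="" outChannel="noencssl" '
    b'outEvtChannel="noencssl" outSessionId="web_0001" outVersion="2.2(1b)" outName="ciscolive" />'
)
SAMPLE_FAIL = (
    b'<aaaLogin cookie="" response="yes" errorCode="551" '
    b'invocationResult="unidentified-fail" errorDescr="Authentication failed" />'
)

if __name__ == "__main__":
    print(build_login("ciscolive", "Cisco12345", "ucs-server-mgmt").decode())
    print(parse_login_response(SAMPLE_OK))
    try:
        parse_login_response(SAMPLE_FAIL)
    except UcsLoginError as e:
        print("login refused:", e)
```

The cookie returned by parse_login_response is the bearer credential for every later request, so it deserves the same handling as the password: keep it out of logs and call build_logout when the script finishes instead of letting the session idle until the refresh period runs out.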


Troubleshooting Provider Connection

• Test command for an individual server, executed from the NX-OS CLI (reached with connect nxos from the UCSM CLI). The password is typed on the command line and so ends up in the shell history; use a throwaway test account.

F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason passwd

user has failed authentication

Invalid credentials

F340-33-16-FI-B(nxos)# test aaa server ldap 14.17.111.110 jomartin passwd

can not find the LDAP server


Troubleshooting Provider Connection

• Test command for a server, executed from the NX-OS CLI. In the two successful binds below the role UCSM derives (admin or kvm-only) follows directly from the AD group the user belongs to.

F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason password

user has been authenticated

Attributes downloaded from remote server:

User Groups:

CN=ucsadmin,OU=CiscoUCS,DC=jlill,DC=lab

Roles:

admin

F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason password

user has been authenticated

Attributes downloaded from remote server:

User Groups:

CN=ucskvm,OU=CiscoUCS,DC=jlill,DC=lab

Roles:

kvm-only


Troubleshooting Provider Connection

• Test command for a provider group, executed from the NX-OS CLI

F340-31-17-FI-A-A(nxos)# test aaa group jlill-dc jason password

Problem in validating the group

F340-31-17-FI-A-A(nxos)# test aaa group jlill-dc1 jason password

user has been authenticated

Attributes downloaded from remote server:

User Groups:

CN=ucsadmin,OU=CiscoUCS,DC=jlill,DC=lab

Roles:

admin


Troubleshooting Provider Connection

• Debug output from the NX-OS CLI

– debug <radius | tacacs+ | ldap>

– debug aaa all

• Usually done with TAC assistance

• Always turn all debugs OFF after troubleshooting

– undebug all


Troubleshooting Provider Connection

• Ethanalyzer usage from the NX-OS CLI

– Selecting the mgmt interface captures all traffic to and from the management port

– It cannot capture the 10GE data ports

– The capture can be saved as a pcap file and opened in Wireshark

– A capture of an LDAP bind without SSL contains the bind password in cleartext, and RADIUS and TACACS+ packets allow the shared secret to be brute-forced offline: treat these pcaps as secrets and delete them when the investigation is over


Active Directory Integration using LDAP

• Release 1.4(1) introduced the ability to configure LDAP against an Active Directory environment without the need for AD schema changes

• Pre-1.4(1) configurations need to be removed first

• Editors such as ADSI Edit make it easier to collect information and edit the CiscoAVPair attribute

• When using Active Directory as the LDAP server you need to create a user account for UCS to bind with. It should be given a non-expiring password, and it needs only read access to the directory: do not reuse a privileged account, because the bind password lives in the UCSM configuration

• Caveat – in the 1.4 and 2.0 UCSM releases there was no way to map an LDAP group to the Read-Only role. This was resolved in the 2.1 release; a workaround is available for the 1.4 and 2.0 releases.


Active Directory Integration using LDAP

• The following information is needed to configure the LDAP communication

– Hostname or IP of the server. If encryption over SSL is used, the FQDN is needed

– Bind DN. This is the distinguishedName attribute of the bind account.

– Base DN. This is the distinguishedName of the domain.

– Filter. This is the sAMAccountName attribute. The format is attribute=$userid

– Attribute. This is the CiscoAVPair attribute. It can be left alone if you do not want to modify the schema; use LDAP Groups in UCSM instead.

– Password. This is the bind user's password

• If using SSL the port can be kept at the default of 389; the endpoints will negotiate a TLS session on port 636. Verify with a capture which port the FI actually uses, since LDAPS conventionally listens on 636 and STARTTLS on 389, and make sure the firewall between the FI management port and the domain controllers allows it.


Two Factor Authentication


Two Factor Authentication: Why?

• UCS Manager originally supported only logins with a username and password

• Weak passwords are sometimes selected and can be easily cracked

• Constant phishing attacks trick people daily into revealing their passwords

• Users on unsecured networks can have their passwords sniffed or stolen

• Malware and spyware can capture passwords as the user enters them

• Conclusion: passwords are not enough to protect critical applications from unauthorized access


Two Factor Authentication: Introduction

• Starting in release 2.2(1), Cisco UCS Manager supports two factor authentication

• A second authentication factor keeps unauthorized users out even when the password is compromised

• Cisco UCS Manager treats a token as the second factor

• An option under authentication domains enables this feature

• Only authentication domains defined with an authentication realm of RADIUS or TACACS+ are supported


Two Factor Authentication: Introduction

• Passwords are stored in the AAA server

• Users enter their user name, then enter the token and password combination in the password field

• Requests are sent to the token server to retrieve a vendor-specific attribute

• Cisco UCS Manager expects the token server to be integrated with the AAA server, so it forwards the request to the AAA server

• The password and token are validated together by the AAA server

• Users must enter the token and password in the same order as configured on the AAA server

• Because the token and password travel together in the password field and are validated by the AAA server, UCSM relies on that server's configuration to actually require the token; verify it with a login attempt that omits the token


Two Factor Authentication: Introduction

• This feature is currently validated with the following two vendors:

– RSA SecurID

– Symantec VIP EG


Two Factor Authentication: Configuration

• Only available for the RADIUS and TACACS+ realms


Two Factor Authentication

• No changes to the login dialog for the GUI or the KVM Launch Manager

• Cisco UCS Manager does not reveal any information about which domains use two factor authentication, so the login prompt cannot be used to enumerate them

• The same is true for CLI login


Two Factor Authentication

• Authentication domains created before an upgrade remain as they were (no two factor authentication)

• New domains created after the upgrade use two factor authentication if it was selected during creation

• If a downgrade is performed, any domains configured for two factor authentication must first be changed to not use it, or deleted

• The following fault is reported during a downgrade if a two factor authentication domain is still configured

– Error: Update failed: [Before downgrade, remove auth-domains having two-factor enabled.]


Cisco UCSM Organizations and Locales


Organizations

• Allows dividing the infrastructure into logical entities

• Extremely helpful in multi-tenancy environments

• Multiple levels of sub-organizations can be created, up to a maximum of 5 levels under root


Organizations

• Resources, pools and service profiles in one organization are not available to other organizations

• In multi-level configurations, if a resource or policy is not found in the organization, the system moves up the hierarchy looking for the same name until it is found. If UCSM cannot find an applicable policy or available resource anywhere in the hierarchy, it returns an allocation error.
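The lookup described above, as an added example that is not part of the original deck: a small Python model of how a policy or pooled resource name is resolved from a sub-organization up to Root, with sibling organizations never searched. The org DNs and policy names are constructed sample data.

```python
# Added example (not from the Cisco deck): a minimal model of how UCSM resolves a
# named policy or pooled resource for a service profile in a sub-organization.
# The org DNs and policy names below are constructed sample data.
from typing import Optional

ROOT = "org-root"
MAX_DEPTH_BELOW_ROOT = 5          # the slide: at most 5 levels of sub-orgs under Root


class AllocationError(Exception):
    """No applicable policy/resource exists anywhere up the hierarchy."""


def parent_org(org_dn: str) -> Optional[str]:
    """'org-root/org-TenantA/org-Dev' -> 'org-root/org-TenantA'; root has no parent."""
    return None if org_dn == ROOT else org_dn.rsplit("/", 1)[0]


def validate_depth(org_dn: str) -> None:
    depth = org_dn.count("/")     # org-root = 0, org-root/org-A = 1, ...
    if depth > MAX_DEPTH_BELOW_ROOT:
        raise ValueError(f"{org_dn}: more than {MAX_DEPTH_BELOW_ROOT} levels below root")


def resolve(policies: dict, org_dn: str, name: str) -> str:
    """Search org_dn, then each ancestor up to org-root, for a policy/resource
    called `name`; return the DN that will be used.  Siblings are never searched,
    which is what keeps one tenant's policies invisible to another tenant."""
    validate_depth(org_dn)
    org: Optional[str] = org_dn
    while org is not None:
        if name in policies.get(org, {}):
            return f"{org}/{policies[org][name]}"
        org = parent_org(org)
    raise AllocationError(f"no policy/resource {name!r} found from {org_dn} up to {ROOT}")


# Constructed sample data: TenantA overrides the root boot policy; the BIOS policy
# exists only at root; TenantB has a private policy of its own.
SAMPLE_POLICIES = {
    "org-root": {"bios-default": "bios-prof-bios-default",
                 "boot-std": "boot-policy-boot-std"},
    "org-root/org-TenantA": {"boot-std": "boot-policy-boot-std"},
    "org-root/org-TenantB": {"boot-b": "boot-policy-boot-b"},
}

if __name__ == "__main__":
    print(resolve(SAMPLE_POLICIES, "org-root/org-TenantA/org-Dev", "boot-std"))
    # -> org-root/org-TenantA/boot-policy-boot-std   (nearest definition wins)
    print(resolve(SAMPLE_POLICIES, "org-root/org-TenantA/org-Dev", "bios-default"))
    # -> org-root/bios-prof-bios-default            (inherited from root)
    try:
        resolve(SAMPLE_POLICIES, "org-root/org-TenantA", "boot-b")   # TenantB only
    except AllocationError as err:
        print("allocation error:", err)
```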

Locales

• Locales work in conjunction with Organizations in a multi-tenancy environment to restrict access

• Locales tie one or multiple Organizations to a user

• More than one Locale can be assigned to a single user

• Users assigned an Organization have access to all Sub-Organizations in that hierarchy

• A UCS system can contain up to 48 locales

• Users with aaa, admin or operations privileges cannot be assigned a Locale

Locales Configuration

• Locales are created under the Admin tab, in the User Management > User Services menu

• Creating the locale is as simple as dragging and dropping the Organization from the list to the pane

Cisco UCSM Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC)

• RBAC is a method of restricting or authorizing system access for a particular user

• Utilizes Roles and Locales

• A Role consists of one or more Privileges that are assigned to the user

• Privileges are very granular

• There are a total of 11 default Roles (as of 2.2.1c)

• Administrators can create custom Roles by selecting specific Privileges

– Example: a custom Role for KVM-only access can be created by assigning only the Service Profile Ext Access privilege to the new Role.

• Privileges cannot be modified

[Screenshots: the list of default Roles, and the Privileges of the Network Role]

RBAC via LDAP Group Maps

• LDAP Group Maps allow an administrator to associate an Active Directory group with a UCS role

• If the organization already uses LDAP groups to define authorization policies, UCSM is expected to use the group membership information to assign the authorization policy (Roles and Locales)

• This eliminates the need to define this information for individual users in LDAP

• This also helps where customers prefer not to modify the Active Directory while deploying UCS

• A maximum of 28 LDAP Group Maps can be configured

• Support for nested LDAP groups expected in 2.1 Maintenance Release

LDAP Integration Workflow

• UCS Admin side

– UCS Admin defines Roles and Locales

– UCS Admin maps Roles and Locales to LDAP groups

• LDAP Admin side

– LDAP Admin defines users

– LDAP Admin puts each user into a group

• At login

– User logs into UCSM

– UCSM authenticates the user with LDAP

– UCSM reads the user’s group membership

– UCSM applies Roles and Locales based on the LDAP Group Map
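The authorization model from the RBAC, Locales and LDAP Group Map slides above, as an added Python example that is not part of the original deck: Roles bundle Privileges, Locales scope a user to Organizations and their sub-orgs, and a Group Map turns LDAP group membership into Roles and Locales at login. All group DNs, role, privilege and org names are constructed sample data.

```python
# Added example (not Cisco's code): a small model of UCSM authorization as the
# deck describes it. A Role is a set of Privileges, a Locale is a set of
# Organizations (access includes all their sub-orgs), and an LDAP Group Map
# assigns Roles and Locales from group membership at login. All names constructed.
from dataclasses import dataclass, field

DOMAIN_WIDE_PRIVS = {"aaa", "admin", "operations"}   # slide: such users get no Locale
MAX_LDAP_GROUP_MAPS = 28                              # slide: at most 28 Group Maps

# Constructed sample configuration: role name -> privileges, locale name -> org DNs.
ROLES = {"kvm-only": frozenset({"service-profile-ext-access"}),
         "aaa": frozenset({"aaa"})}
LOCALES = {"tenant-a": frozenset({"org-root/org-TenantA"})}


@dataclass(frozen=True)
class GroupMap:
    group_dn: str              # LDAP/AD group DN the user must belong to
    roles: frozenset           # UCS role names
    locales: frozenset         # UCS locale names (empty == domain-wide)

GROUP_MAPS = [
    GroupMap("CN=UCS-TenantA-KVM,OU=Groups,DC=example,DC=com",
             frozenset({"kvm-only"}), frozenset({"tenant-a"})),
    GroupMap("CN=UCS-AAA,OU=Groups,DC=example,DC=com", frozenset({"aaa"}), frozenset()),
]

@dataclass
class Session:
    user: str
    privileges: set = field(default_factory=set)
    orgs: set = field(default_factory=set)   # empty set == whole domain


def login(user, member_of, roles=ROLES, locales=LOCALES, group_maps=GROUP_MAPS) -> Session:
    """After LDAP has authenticated the user, apply every Group Map the user matches."""
    if len(group_maps) > MAX_LDAP_GROUP_MAPS:
        raise ValueError(f"more than {MAX_LDAP_GROUP_MAPS} LDAP Group Maps configured")
    matched = [m for m in group_maps if m.group_dn in member_of]
    if not matched:
        raise PermissionError(f"{user}: no LDAP Group Map matches the user's groups")
    s = Session(user)
    for m in matched:
        for r in m.roles:
            s.privileges |= roles[r]
        for loc in m.locales:
            s.orgs |= locales[loc]
    if s.orgs and s.privileges & DOMAIN_WIDE_PRIVS:
        # aaa/admin/operations are domain-wide; a Locale on such a user is a config error
        raise ValueError(f"{user}: aaa/admin/operations privileges cannot carry a Locale")
    return s


def authorized(s: Session, privilege: str, org_dn: str) -> bool:
    """Allowed if a Role grants the privilege and a Locale covers the object's org or
    an ancestor of it (sub-orgs inherit access); no Locale at all means whole domain."""
    if privilege not in s.privileges:
        return False
    if not s.orgs:
        return True
    return any(org_dn == o or org_dn.startswith(o + "/") for o in s.orgs)


if __name__ == "__main__":
    alice = login("alice", ["CN=UCS-TenantA-KVM,OU=Groups,DC=example,DC=com"])
    print(authorized(alice, "service-profile-ext-access", "org-root/org-TenantA/org-Dev"))  # True
    print(authorized(alice, "service-profile-ext-access", "org-root/org-TenantB"))          # False
    bob = login("bob", ["CN=UCS-AAA,OU=Groups,DC=example,DC=com"])
    print(authorized(bob, "aaa", "org-root/org-TenantB"))                                    # True
```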

Multi-UCS Management – UCS Central

Cisco UCS Central Overview

• External, VM-based application

• Requires UCSM 2.1(1) or above

• VM available for VMware and Hyper-V hypervisors

• Allows multiple UCS systems to be managed from a single management tool

• Simplifies large scale UCS deployments

• Extension of management paradigm

• Similar hierarchical presentation to UCSM

– Domains, Domain Groups, Sub-Domains

• Licensed per Domain (pair of Fabric Interconnects)

• First five (5) Domains do not require a license

• 1.0 feature highlights

– Inventory

– Global ID Pools, Domain Groups and Global Administrative Policies

– Audit, Fault and Event Log Aggregation

– Firmware Upgrades, Backup

– UCS Manager and KVM Launch

• 1.1 feature highlights

– Global Service Profiles and Templates

– Global Domain Specific Identifiers

– Enhanced Inventory of UCS

– Globalization of Local Policies and Localization of Global Policies

Centralized Inventory

[Screenshot: the UCS Central inventory view, with callouts:]

• Global inventory of all UCS components, organized by Domain

• Refreshes on a customizable schedule

• Tree view of devices similar to UCSM; Domains are grouped in the tree under their Domain Groups

• Overall status and details; selected status and details

• Faults on selected resources

[Screenshots: Centralized Usage & Availability Summary; Centralized Fault Summary]

Cisco UCS Central Overview: SNMP Support with 1.1

• Supports SNMP versions v1, v2c and v3.

• Supports only system MIBs. Selected tables under:

– UCD-SNMP-MIB

– HOST-RESOURCES-MIB

– IF-MIB, IP-MIB

– SNMP-FRAMEWORK-MIB

– DISMAN-EVENT-MIB

• No support for the IPv6 MIB.

• Read-only access is supported, no set operation.

• No support for UCS Central MIBs.

• Trap generation (system load, disk usage).

[Screenshot: Cisco UCS Central SNMP Support with 1.1]

Centralized Firmware Upgrade

[Figure: Cisco.com → automated, scheduled downloads → UCS Central Firmware Library → Global Firmware Policies → Firmware Auto Install]

Cisco UCS VMware Interaction

Cisco UCS Plugin for VMware vCenter

• Allows admins to view, manage and monitor various aspects of Cisco UCS physical infrastructure

• Single pane of glass for vCenter users to get both physical and virtual infrastructure information

• Latest vCenter Plugin release: 0.9.4

– Support for vCenter 5.5

– List, create and manage service profiles and service profile templates

– Manage Host FW packages

– Reload UCS domain

– Manage BIOS Policies

• Requires VMware vSphere PowerCLI 5.1

UCSM Collection and Threshold Policies

Cisco UCSM Statistic Collection Policy

• Policy defines

– How frequently stats are to be collected (collection interval)

– How frequently stats are to be reported (reporting interval)

• Report Interval Time > Collection Interval Time

• Stats can be collected and reported for the following areas:

– Adapter

– Chassis

– Fex

– Host

– Port

– Server

• Only one (1) default policy per area present which cannot be deleted

• New stats collection policies cannot be created

• Only modification of the default policy is allowed

GUI Statistics Collection Display

• Since there are several collections per report, UCSM provides a min/max/avg display for each stat

Cisco UCSM Statistic Threshold Policy

• Monitors stats about certain aspects of the system

• Generates an event if a threshold is crossed

• Minimum and Maximum thresholds can be configured

• Threshold policy does not control any hardware, just raises alarms

• Available for the following components

– Uplink Ethernet Ports

– Uplink Fibre Channel Ports

– Ethernet server ports

– Server and server components

– Chassis

– Fabric Interconnects

• It can be configured via Policies under the Server, LAN, SAN or Admin tab

– Wizard steps: Define Name → Define Threshold Classes → Define Threshold Definition

• Once defined, it can be added to any service profile through the Policies tab

Cisco UCSM Backups

Backup Operation

• Allows the backup of the Domain configuration

• There are four (4) types of backup options

– Full state

– All configuration

– System configuration

– Logical configuration

• Multiple transport protocol options

– FTP

– TFTP

– SCP

– SFTP

Backup Options

• Full State

– Binary file that contains the full configuration of the system

– Ideal for DR situations

– Cannot be used for an import

• All Configuration

– XML file that contains all system and logical configuration of the system

– Cannot be used to restore system

– Ideal to import the stored configuration settings back to the same or new UCSM

– Does not include password for Locally Authenticated Users

• System Configuration

– XML file that includes all system configuration (usernames, roles, locales, etc.)

– Cannot be used to restore system

– Ideal to import the stored configuration settings back to the same or new UCSM

• Logical Configuration

– XML file that includes all logical configuration (service profiles, VLANs, VSANs, etc.)

– Cannot be used to restore system

– Ideal to import the stored configuration settings back to the same or new UCSM

• The All Configuration and Logical Configuration options offer the choice to Preserve Identities

– The backup file preserves all identities derived from pools, including the MAC addresses, WWPN, WWNN, and UUIDs
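The backup types, transports and Preserve Identities rule from the Backup Operation and Backup Options slides above, as an added Python example that is not Cisco's code: it validates a backup request against those rules, lists the caveats a practitioner should know before trusting the file, and builds the XML API request. The `mgmtBackup` class, its attributes and the `sys/backup-<hostname>` DN are assumptions about the UCSM XML API schema, not taken from the deck; the host, path and credential values are constructed placeholders.

```python
# Added example (not Cisco's code): build the UCSM XML API request that creates a
# backup operation, applying the constraints from the slides before anything is
# sent. Assumed, not taken from the deck: the managed object class mgmtBackup with
# attributes adminState, type, proto, hostname, remoteFile, user, pwd and
# preservePooledValues at DN sys/backup-<hostname>; check your release's XML schema.
import xml.etree.ElementTree as ET

BACKUP_TYPES = {                   # GUI name (slides) -> assumed XML 'type' value
    "Full State": "full-state",
    "All Configuration": "config-all",
    "System Configuration": "config-system",
    "Logical Configuration": "config-logical",
}
PROTOCOLS = {"ftp", "tftp", "scp", "sftp"}
CLEARTEXT = {"ftp", "tftp"}                                    # no encryption in transit
PRESERVE_OK = {"All Configuration", "Logical Configuration"}   # slide: Preserve Identities


def backup_caveats(backup: str, proto: str) -> list:
    """Operational caveats the slides call out, plus the transport warning."""
    notes = []
    if proto in CLEARTEXT:
        notes.append(f"{proto} sends the backup over the network unencrypted; prefer scp or sftp")
    if backup == "Full State":
        notes.append("Full State is a binary DR image: it restores a system but cannot be imported")
    else:
        notes.append(f"{backup} is an XML import file: it cannot restore a system")
    if backup == "All Configuration":
        notes.append("All Configuration does not include passwords of locally authenticated users")
    return notes


def build_backup_request(cookie: str, backup: str, proto: str, host: str,
                         remote_file: str, user: str, pwd: str,
                         preserve_identities: bool = False) -> str:
    """Return the configConfMos XML that creates and starts the backup (assumed schema)."""
    if backup not in BACKUP_TYPES:
        raise ValueError(f"unknown backup type {backup!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported transport {proto!r}")
    if preserve_identities and backup not in PRESERVE_OK:
        raise ValueError("Preserve Identities is only offered for All/Logical Configuration")
    root = ET.Element("configConfMos", cookie=cookie, inHierarchical="false")
    pair = ET.SubElement(ET.SubElement(root, "inConfigs"), "pair", key=f"sys/backup-{host}")
    ET.SubElement(pair, "mgmtBackup", adminState="enabled", type=BACKUP_TYPES[backup],
                  proto=proto, hostname=host, remoteFile=remote_file, user=user, pwd=pwd,
                  preservePooledValues="yes" if preserve_identities else "no")
    return ET.tostring(root, encoding="unicode")


def backup_attrs(xml: str) -> dict:
    """Parse a request back into the mgmtBackup attribute dict (useful for auditing)."""
    return dict(ET.fromstring(xml).find("inConfigs/pair/mgmtBackup").attrib)


if __name__ == "__main__":
    # Constructed sample values; a real cookie comes from a prior aaaLogin call.
    for note in backup_caveats("All Configuration", "scp"):
        print("note:", note)
    print(build_backup_request("<cookie-from-aaaLogin>", "All Configuration", "scp",
                               "backup.example.com", "/backups/ucs-config-all.xml",
                               "ucsbackup", "<placeholder-password>", preserve_identities=True))
```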

Backup Automation

• Backup Export Policy introduced in 2.1(1) release

In Conclusion

Takeaways

• SNMP support for a large number of MIBs, ideal for monitoring the system

• Smart Call Home expedites the time of resolution by automatic SR creation

• Very powerful XML API programmatic interface to assist in many tasks

• Multiple authentication methods available

• Use of Roles and Locales allows tasks to be divided among smaller groups

• UCS Central provides single window to multiple UCS Domains

• Stats Collection and Threshold Policies can provide insight on traffic patterns

• Backup – If you haven’t backed up your system, then that is your HOMEWORK!

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

– Your favorite speaker’s Twitter handle <@jose_at_csco>

– Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner

Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings
