Operations and Maintenance Release 4.5
Chapter 2 - Managing Access and Users


Managing Access and Users


Revised: December 10, 2008, OL-4495-07

Introduction

This chapter describes the operator interfaces used for communication with the Cisco BTS 10200 Softswitch, and the procedures for managing access and users.


Note After entering any of the commands in this chapter, press the Return or Enter key.


Figure 2-1 illustrates the Cisco BTS 10200 Softswitch operator interfaces of the Element Management System (EMS). These interfaces support several types of communications:

Local Operations Console—the following options are available:

Interactive CLI session—operator connects to the EMS using Secure Shell (SSH) and uses the command line interface (CLI) in an interactive session

Bulk Provisioning—operator connects to the EMS using FTP for batch-mode provisioning (requires highest privilege levels)

SFTP is used as of Release 4.1. The /opt/ems/ftp/deposit directory checks for files every 7 seconds and then deletes them. A report is generated and can be viewed at https://<ems ip> (see the HTML file listed in the reports index). You can move the files to a deposit directory. The file must be owned by a valid Cisco BTS 10200 user (such as optiuser or btsadmin). If you are logged in as root, you must use the command unix -p when putting the file in the deposit directory.


Note See the Cisco BTS 10200 Softswitch Provisioning Guide for Bulk Provisioning information.


Network Management System—provides events, alarms, thresholds and traffic monitoring management commands into the EMS using SNMP

CORBA Client—provides events, alarms, thresholds and traffic monitoring management commands into the EMS via Common Object Request Broker Architecture (CORBA)

The EMS database holds up to 100 operator logins, and up to 50 user sessions can be active at any time.

The EMS interfaces internally with the Call Agent (CA) and Feature Server (FS) using the Java Message Service (JMS) protocol over IP.

Figure 2-1 Operator Interfaces (Billing interfaces also shown)

System Administrator Access

When logging in for the first time, log in as btsadmin (the default password is btsadmin). You must change the password when you take possession of the system.

Logging in Using Secure Shell

This section describes how to log in to the Cisco BTS 10200 Softswitch using SSH.

Secure Shell (SSH) is the method of access to the Cisco BTS 10200 Softswitch CLI, or maintenance (MAINT) modes. SSH provides encrypted communication between a remote machine and the EMS or Call Agent for executing CLI, or MAINT commands. The SSH server runs on the EMSs and CAs of the Cisco BTS 10200 Softswitch. To connect, the client and server sides must run the secure shell daemon (SSHD).

With SSH enabled, new users are prompted to enter a new password and reenter that password during their first login. From that point, they are prompted once for a password only.


Step 1 To log in from the client side for the first time, enter the following:

ssh btsadmin@<ipaddress>


Note If you are logged into the system as root, enter the following:
btsadmin@0


On the first SSH login from the client side, expect a message similar to the following:

The authenticity of host [hostname] can't be established. 
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:42:62:6d:98:9c:fe:e9:52. 
Are you sure you want to continue connecting (yes/no)? 

Step 2 Enter yes.

The password prompt is displayed. From this point on, all communications are encrypted. Enter the default password.


Note Subsequent SSH logins will prompt only for a password.


The password prompt appears. For btsadmin, the prompt is btsadmin>.

Step 3 Enter your password.

The system responds with a CLI> prompt. You are now ready to send commands to the EMS.

Step 4 Enter the desired provisioning commands.

Step 5 To log off, enter exit at the prompt.


This completes the procedures for logging in to the Cisco BTS 10200 Softswitch using SSH.

Managing User Access

The security management system controls and monitors access to the Cisco BTS 10200 Softswitch from outside sources. This security system is important in preventing the following:

Errors by personnel not trained in specific procedures

Unauthorized changes to system provisioning

Unauthorized viewing or modification of databases

Internal security functions include:

Providing a user interface to provision users and security classes (privilege levels)

Storing user login profiles

Performing user authentication

Managing the level of access on a per-user basis

Providing session-oriented security measures

Providing transaction-oriented security measures

Maintaining a history log

Maintaining a security log in which entries are retained for 7 days, starting from the time of the first security infraction, and then deleted

Providing a user interface for security log reporting


Note Refer to the Cisco BTS 10200 Softswitch Command Line Interface Reference for specific CLI commands and tokens.


User and Command Privilege Levels

Each command (verb-noun combination) is preassigned a security class of 1 to 10, with 1 being the lowest level and 10 the highest level. The security class indicates the minimum privilege level required for an operator to complete the command. The system administrator can assign an alphanumeric description to each of these security classes.


Note The security classes are preassigned for each command, but can be changed by the system administrator.


The system administrator enters a new user and assigns a privilege level from 1 to 10 (level 10 is typically reserved for the system administrator). Each time a user enters a command, the system compares the user's privilege level to the security class of the specific command. The command is denied if the user has a privilege level less than the command level.

The user interface of the security management system allows users with the highest privilege levels to perform the following security tasks:

Enter users into the system database

Assign or modify a user's privilege level

Reset the password of any user

Modify descriptions of a security level

Manage security log reporting and obtain security reports

Command Level Provisioning

The Command Level (command-level) table identifies the 10 command levels and their descriptions. The system is delivered with the following administration access levels which are preset with descriptions:

1 (lowest level)

5 (mid-level)

10 (highest level)

Preset levels can be changed. Every security level can be assigned an alphanumeric description. The optional description token is intended for the service provider.


Step 1 To show a command level ID, use the following example:

show command-level id=10;

Step 2 To add a description to any command level ID, use the following example:

change command-level id=10; description=This is the highest level administration access;


User Account Administration

This section describes user account administration.

Predefined User Accounts

For software releases prior to Release 4.4, the Cisco BTS 10200 Softswitch system is delivered with one account predefined as username=optiuser and password=optiuser. Cisco recommends resetting this password. New users can be added by this superuser. A new user who logs in for the first time is prompted to enter a new password and to reenter the new password for verification purposes. Passwords must be at least six characters in length and cannot contain the first three characters of the login name.

Beginning with Release 4.4, the Cisco BTS 10200 Softswitch system is delivered with three predefined accounts, as follows:

Username=btsadmin and password=btsadmin—Comparable to optiuser in previous releases.

Username=btsuser and password=btsuser—Provides lower access permissions than btsadmin and is suitable for generic provisioning access.

Username=secadmin and password=secadmin—Currently similar to btsadmin.

Btsadmin and secadmin are MAINT shell users. The MAINT shell is an enhanced CLI interface and does not log off an idle user.

If you use one of the new accounts added in Release 4.4 and encounter errors accessing directories, enter the following command at the UNIX prompt to resolve the problem:

chown -R <user_name>:staff /opt/ems/users/<user_name>

User characteristics are stored under the directory /opt/ems/users.

Example:

priems4# cd /opt/ems/users
priems4# ls
btsadmin/        oamp/          secadmin/      twake/
btsuser/         ciscouser/     optiuser/      snmpuserlvl6/
priems4# more twake/

*** twake/: directory ***

priems4# cd twake
priems4# ls
\local.cshrc           local.profile
local.login           personal.properties
priems4# \more local.login
# @(#)local.login 1.5     98/10/03 SMI
stty -istrip
# setenv TERM `tset -Q -`

Showing, Changing and Resetting the Command Privilege Level

Security Level Requirement

These commands require a system administrator with a security level of 10 to execute.

Using the Show, Change and Reset Commands

The Command Table (command-table) table allows a system administrator to show, change, and reset the command privilege level (CPL) of a specific noun-verb pair. Security classes are preassigned for each command, but can be changed with the command-table command.

Showing the Command Privilege Level

To show the command privilege level of a specific noun-verb pair, use the following example:

show command-table noun=mgw; verb=add;

Changing the Command Privilege Level

To change the command privilege level of a specific noun-verb pair, use the following example:

change command-table noun=mgw; verb=add; sec-level=9;

Resetting the Command Privilege Level

To reset the command privilege level of a specific noun-verb pair, use the following example:

reset command-table noun=mgw; verb=add; 

Adding Descriptions to Security Classes

Each of the ten security levels can be assigned an alphanumeric description using the following command. This procedure is optional.

change command-level id=<#>; description=<alphanumeric description>

Note <#> = 1 to 10 and <alphanumeric description> can have up to 64 ASCII characters.


Show, Add, Change and Delete Users

This section describes how to show, add, change and delete users.

Required User Privilege Level


Caution Never add, change, or delete the username root, because this affects proper access to the system.

You must have a user privilege level of 9 or higher. If your user privilege level is less than 9 and you attempt to enter an add user, show user, change user, or delete user command, your request will be denied, as shown in the following example:

change user name=UserABC;command-level=6;

Text similar to the following is displayed:

Not authorized to execute change user:
User command-level: 2 level needed: 10 

Using the Show, Add, Change and Delete User Commands


Note The warn, days-valid, and workgroups tokens are optional.


Add User Command

To add a user, enter the add user name command, as shown in the following example:

add user name=UserABC; command-level=9; warn=10; days-valid=30; workgroups=somegroup;

Text similar to the following is displayed:

Executing command, please wait...
Reply: Request was successfully completed


Note After adding a new user to the system, you must supply a default or initial password with the following command (this command is the standard Cisco BTS 10200 Softswitch command for the system administrator to reset a password):
reset password name=<user name>; new-password=<user password>;


Show User Command

To show the details for a user, enter the show user name command, as shown in the following example:

show user name=UserABC;

Change Command

To change details for a specific user, enter the change user name command, as shown in the following example:

change user name=UserABC; command-level=1; workgroups=somegroup;

Text similar to the following is displayed:

Executing command, please wait...
Reply: Request was successfully completed

Note The change user command changes only the privilege level of the user, and not the identity of the user. The command-level and workgroups tokens are optional; however, one of them must be changed.


Delete Command

To delete a user, enter the delete user name command, as shown in the following example:

delete user name=UserABC;

Text similar to the following is displayed:

Executing command, please wait...
Reply: Request was successfully completed

Managing Users and Services through EMS Activity Commands

This section describes EMS activity commands. EMS activity commands are available to manage the users and other services on the system. The activity timer for user sessions is not part of any schema or table. This is a system configuration parameter.

EMS Users and Services Commands

This section describes the EMS user and other service commands on the system.


Note Refer to the Cisco BTS 10200 Softswitch Command Line Interface Reference for specific CLI commands and tokens.


Show

Use the show command to show user activity on the EMS, as shown in the following example:

show ems;

Host Operating System Time

The Solaris Operating System obtains the system time automatically through Network Time Protocol (NTP) services. Timing is critical to all system logs and billing—the platforms must be within 10 seconds or the Heartbeat within 2500ms, otherwise they will not start.

Enter the following command to see NTP servers:

ems ntp-server=<ip addr primary ntp>, <ip addr secondary ntp>


Caution Never modify the date or time on your host machines when BTS components (CA, FS, EMS, and BDMS) are running. Allow the Solaris OS to automatically set the time through NTP services.

Configuring NTP Server

The network time protocol (NTP) synchronizes clocks of computers over a network. It uses multiple redundant servers for high accuracy and reliability.


Step 1 Modify the 'server' line(s) in /etc/ntp.conf.

Step 2 Modify 'NTP_SERVERS' in /etc/opticall.cfg.

Step 3 Restart the daemon:

/etc/init.d/xntp stop

/etc/init.d/xntp start

Step 4 Verify the configuration change:

/opt/BTSxntp/bin/ntpq -c peers


Using the History Command to View All Executed Commands

The history command returns a list of all executed commands. A list of all executed commands can be sent to a file (report history) or displayed on the screen (show history).

Show History Command

This section describes the show history command. Results of this command are sent to the terminal screen. Using this command without any tokens returns all entries.


Step 1 Use the following command example to show all history entries:

show history;

Report History Command

This section describes the report history command. Results of this command are sent to a report file. Using this command without any tokens returns all entries.


Step 1 Use the following command example to report all history entries:

report history;

Step 2 Using the Cisco BTS 10200 Softswitch http:// server in an external browser (such as Netscape or Internet Explorer), perform the following steps to retrieve the history report file:

a. Enter the http:// server name.

https://<ip addr>

b. Once on the main page, click the reports link.

A set of directories is displayed.

c. Select the Command History report by clicking history.html.

The history log is displayed.


Setting or Resetting User and Optiuser Password

The password command allows the system administrator to reset any user's password. It also allows setting the number of days that the password is valid and the number of days before password expiration that the user is warned. It also forces the system administrator to enter a new password. A user who logs in for the first time must execute this command again to change the password.

A level 10 user (or a lower user level authorized by a level 10 user) can reset any user password.

Passwords must contain a combination of 6 to 8 alphanumeric characters consisting of at least one digit (0 through 9) and at least 1 character (a through z). For example, cisco1, or 1234a.

You can reset only your own password. You are allowed to reset the days a password is valid, the number of days before password expiration, and must enter a new password when executing this command.

Construct passwords to meet the following UNIX standards:

A password must have at least six to eight characters. If it is longer than eight characters, only the first eight characters are significant.

A password must contain at least two alphabetic characters and at least one numeric or special character. In this case, alphabetic refers to all uppercase or lowercase letters.

A password must differ from the user's login name and any reverse or circular shift of that login name. For comparison purposes, an uppercase letter and its corresponding lowercase letter are equivalent.

New passwords must differ from the old by at least three characters. For comparison purposes, an uppercase letter and its corresponding lowercase letter are equivalent.
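
The UNIX rules above can be checked before a reset password command is issued. The following sketch is an added example, not Cisco code: the function names are hypothetical, and counting "differ by at least three characters" position by position is an assumption. It applies every rule to the first eight characters only, because those are the only significant ones.

```python
MIN_LENGTH = 6
SIGNIFICANT = 8  # characters beyond the eighth are not significant


def circular_shifts(text):
    """Every rotation of text, including text itself."""
    return {text[i:] + text[:i] for i in range(len(text))}


def count_differences(old, new):
    """Positions at which two strings differ; extra length counts as differences.

    Assumption: this is one reading of "differ by at least three characters".
    """
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(login, new, old=None):
    """Return the list of rules the candidate breaks (empty list = acceptable)."""
    problems = []
    # Only the significant prefix is evaluated, so a digit placed in
    # position nine or later does not satisfy the character-class rule.
    significant = new[:SIGNIFICANT]
    folded = significant.lower()

    if len(new) < MIN_LENGTH:
        problems.append("fewer than six characters")

    letters = sum(ch.isalpha() for ch in significant)
    if letters < 2:
        problems.append("fewer than two alphabetic characters")
    if len(significant) - letters < 1:
        problems.append("no numeric or special character in the first eight")

    # Upper and lower case are equivalent for the login-name comparison.
    name = login.lower()
    banned = circular_shifts(name) | {name[::-1]}
    if folded in banned:
        problems.append("matches the login name, its reverse or a circular shift")

    if old is not None:
        old_folded = old[:SIGNIFICANT].lower()
        if count_differences(old_folded, folded) < 3:
            problems.append(
                "differs from the old password by fewer than three characters"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the login names appear elsewhere on this page.
    samples = [
        ("btsadmin", "btsadmin", None),     # default credential pair
        ("btsuser", "userbts", None),       # circular shift of the login name
        ("wenyang", "abcdefgh1", None),     # digit falls outside the first eight
        ("wenyang", "netadm9z", "netadm1x"),
        ("trs80nut", "Rubb3r!x", None),
    ]
    for login, new, old in samples:
        print(login, new, check_password(login, new, old) or "OK")
```
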

Resetting the optiuser Password

The system default user/password combination for the system administrator is optiuser/optiuser. The username optiuser can never be deleted from the system. As a security measure, the system administrator should change the password for user optiuser on each system.

To change the password for optiuser, perform the following steps.


Note Perform the same steps to change the password for any system user.



Step 1 Log on using SSH to one EMS unit with the username optiuser and the current password for optiuser.

ssh -l <username> <ipaddress>

Step 2 Enter your current password.

Step 3 Enter the reset command:

reset password name=optiuser; days-valid=<number of days the new password will be valid>; 
warn=<number of days before password expiration to warn user>;

reset password name=optiuser; days-valid=30; warn=4;


Note The number of days that the new password is valid can be configured between 1 and 364 days. The default number of days is 30.

When the password is due to expire, a warning will be issued a number of days before expiration. The number of days can be configured between 1 and 10 days. The default number of days is 4.



Step 4 Enter exit to leave the CLI shell.

Step 5 Log in using SSH to the same EMS with user name optiuser.

The system prompts you for a new password.

Step 6 Enter the new password.

Step 7 The system prompts you for the new password again.

Step 8 Enter your new password.

The password for user optiuser is changed and the CLI prompt appears. You can continue with the CLI session if desired, or exit again.


Creating or Adding Work-groups

Work-groups are created when you use the User or Command tables. The first time you use the work-groups token, you create the work-group and add the User/Command to it. Additional Users/Commands are added to the work-group the same way; the only difference is that the work-group has already been created.

The work-groups token is a logical collection of commands created by the service provider. Work-groups are valid only for the change command. An equal sign (=) without a plus sign (+) or minus sign (-) creates a new work-group. A plus sign (+) before the work-group name adds a work-group to a user. A minus sign (-) before the work-groups name removes a work-group from a user.


Step 1 To add a user to a work-group for the first time, use the following example:

change command-table noun=mgw; verb=add; work-groups=latex; 

Reply Example:

Reply : Success: Request was successfully completed

Step 2 To add a user to an existing work-group, use the following example.


Note This does not replace any already existing work-group.


change user name=trs80nut; work-groups=+rubber;

Reply Example:

Reply : Success: Request was successfully completed

Step 3 To remove one or more work-groups from an existing user, use the following example:

change user name=trs80nut; work-groups=-latex;

Reply Example:

Reply : Success: Request was successfully completed


Tracking Session Clients Using the Session Manager

The Session Manager (SMG) user management tool tracks the session clients (users) that have logged in to the Cisco BTS 10200 Softswitch.

This section describes the session management activity commands. The stop, block, and unblock commands cannot be executed on the same terminal from which the command was entered. In this section, command information in square brackets ( [ ] ) is mandatory and command information in curly braces ( { } ) is optional. There is no mandatory information for the show command.

Querying Terminals Using the Show Command

The show command queries all terminals in the system. The SMG returns a list of currently defined terminals. It allows the service provider to differentiate the list based on a user ID. The show session terminal command is used to show a specific session.


Note To see all sessions, use the show session command—if you do not specify a terminal, all terminals are shown. The asterisk (*) wildcard is not supported.



Note To query all terminals in the system, use the following example:


show session 

Reply Example:

Reply : Success

TERMINAL=USR5
USER=optiuser
STATE=ACTIVE
TYPE=CLI
TIME=2001-May-18 14:32:27

TERMINAL=USR4
USER=wenyang
STATE=ACTIVE
TYPE=CLI
TIME=2001-May-18 13:48:49

TERMINAL=USR3
USER=optiuser
STATE=ACTIVE
TYPE=CLI
TIME=2001-May-18 12:18:49

=========

Blocking Provisioning

Prevent BTS provisioning during an upgrade or maintenance window from the following interfaces:

CLI

FTP

CORBA

SNMP


Note The software will support blocking HTTP interfaces in a future release.


If you block provisioning before performing an SMG restart or EMS reboot, blocking is still enforced when these applications return to in-service state.

There are two levels of blocking:

PROVISION—prevents all provisioning commands from executing

COMPLETE—prevents all commands from executing

Who Can Block?

Only terminal type "MNT" users can use these blocking and unblocking commands. "MNT" users are never blocked. "MNT" users issue these commands from either Active or Standby EMS.

Who Can Be Blocked?

A blocking command applies to all non-"MNT" users on terminals on either Active or Standby EMS. Commands do not execute for:

logged-in users

users who log in after the block command

Commands are not queued for execution after unblock. The CLI user prompt changes when blocked, notifying users that their commands will not execute.

Using Block and Unblock Commands


Step 1 Select operation mode:

MAINTENANCE—(default) for regular maintenance

UPGRADE—for upgrades

Step 2 Use block/unblock commands.

Step 3 Exit the blocked mode using the "unblock session" command.


Suspending Terminal Operations Using the Block Command

The block command is executed on a single terminal ID. The terminal is then blocked and a notification is sent to the terminal to suspend all further operation. The state of the specified terminal is changed to blocked.


Step 1 To block a terminal, use the following example:

block session terminal=USR16;

Reply Example:

Reply : Success


Caution If the terminal type of a terminal is associated with an external application such as SNMP, the external application is blocked as well.


Unblocking a Terminal with the Unblock Command


Note You cannot block, unblock, or stop your own session or the session of another user who has a higher command level.


The unblock command is executed on a single terminal ID. The terminal is then unblocked and a notification is sent to the terminal for the user to resume normal operation. The state of the specified terminal is changed to unblocked.


Step 1 To unblock a single terminal, use the following example:

unblock session terminal=USR16;

Reply Example:

Reply : Success

Changing the Session Idle Time by Using the Change Command

The change command changes the idle time of a session. The idle time defines the number of minutes that a user can be idle on a CLI interface before being automatically logged off the Cisco BTS 10200 Softswitch.


Note Idle time can be provisioned with values from 1 to 30 minutes.


To change the session idle time, use the following example:

change session idle-time=30;

Reply Example:

Reply : Success: Idle time set to 30 for new sessions.


Stopping a Terminal Session with the Stop Command

The stop command is executed on a single terminal ID. The selected terminal is then notified to terminate and its associated terminal definition in the SMG is removed.


Step 1 To stop a specified terminal, use the following example:

stop session terminal=USR16;

Reply Example:

Reply : Success: Stop attempted on terminal <USR16>.


Running a Security Summary Report

The Security Summary command provides a summary report of security infractions by source and start/stop times from the Security Log table.


Note The EMS maintains seven days of security infractions.



Step 1 To run a Security Summary report, use the following example:

report security-summary start-time=2002-09-26 00:00:00; end-time=2002-09-27 00:00:00; 
source=all;


Note If you enter this command without any tokens, the report shows all security infractions.


Step 2 Using the Cisco BTS 10200 Softswitch http:// server in an external browser (such as Netscape or Internet Explorer), perform the following steps to retrieve the security-summary report file.

a. Enter the https:// address of the EMS.

https://<ems ip addr>


Note The port number is not listed, unless default port 443 is not used during the installation.


b. The security summary is displayed in CLI.

A set of directories is displayed.


Example of a Security Summary Report

In the following example, user wwalbash, with a command-level 5 security level, tried to add a media gateway, which requires a security level of 8 or above. The attempt failed and is recorded in the Security Summary report for the Security manager.

report security-summary

Reply : Success: Request was successful.

USER=wwalbash
VERB=add
NOUN=mgw
DATE=2002-09-26 13:25:50.0
USER=wwalbash
VERB=add
NOUN=subscriber
DATE=2002-09-26 13:26:02.0
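
The security summary reply above and the show session reply earlier in this chapter use the same TOKEN=value layout, so one parser can feed simple review checks for both. The following is an added example, not part of the Cisco tooling: the function names, the five-minute window and the threshold of two denials are assumptions, and the sample text is copied from the reply examples on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reply text copied from the "show session" and "report security-summary"
# examples on this page.
SESSION_REPLY = """\
Reply : Success

TERMINAL=USR5
USER=optiuser
STATE=ACTIVE
TYPE=CLI
TIME=2001-May-18 14:32:27

TERMINAL=USR4
USER=wenyang
STATE=ACTIVE
TYPE=CLI
TIME=2001-May-18 13:48:49

TERMINAL=USR3
USER=optiuser
STATE=ACTIVE
TYPE=CLI
TIME=2001-May-18 12:18:49

=========
"""

SECURITY_REPLY = """\
Reply : Success: Request was successful.

USER=wwalbash
VERB=add
NOUN=mgw
DATE=2002-09-26 13:25:50.0
USER=wwalbash
VERB=add
NOUN=subscriber
DATE=2002-09-26 13:26:02.0
"""

TOKEN = re.compile(r"^([A-Z][A-Z0-9_-]*)=(.*)$")


def parse_records(reply):
    """Split a reply into one dict per record.

    A record ends at a blank line or when a key repeats, which covers both
    the blank-separated session list and the run-together security summary.
    """
    records, current = [], {}
    for raw in reply.splitlines():
        match = TOKEN.match(raw.strip())
        if match is None or match.group(1) in current:
            if current:
                records.append(current)
            current = {}
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        records.append(current)
    return records


def shared_logins(session_records):
    """Users with more than one ACTIVE terminal, e.g. a shared default account."""
    terminals = defaultdict(list)
    for rec in session_records:
        if rec.get("STATE") == "ACTIVE":
            terminals[rec["USER"]].append(rec["TERMINAL"])
    return {user: terms for user, terms in terminals.items() if len(terms) > 1}


def denied_bursts(security_records, window_seconds=300, threshold=2):
    """Users with `threshold` or more denied commands inside one window."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for rec in security_records:
        when = datetime.strptime(rec["DATE"], "%Y-%m-%d %H:%M:%S.%f")
        events[rec["USER"]].append((when, rec["VERB"] + " " + rec["NOUN"]))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            burst = [cmd for when, cmd in seen[i:] if when - start <= window]
            if len(burst) >= threshold:
                flagged[user] = burst
                break
    return flagged
```
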

Establishing a CLI Session

Using the Cisco BTS 10200 Softswitch command line interface (CLI), you can initiate an interactive session over Secure Shell (SSH) and build and send CLI commands by typing them in.

The following sections specify how you can create the CLI commands, and where you can obtain the values of the CLI command parameters. Command parameters that are hard coded are shown in the commands as they would be generated; for example, port-start=1. Command parameters that must be obtained elsewhere are shown in traditional variable brackets in italics <parameter>: for example,

tsap-addr=<network_address_of_MTA>

Determining if an EMS is Primary or Secondary

If you are logged in as root, use nodestat. If you are logged in as a CLI user, log in as ciscouser, as shown in the following example:

ciscouser@10.89.55.124's password:
Last login: Tue Mar 15 21:10:15 2005 from 10.82.225.59
Sun Microsystems Inc.   SunOS 5.8       Generic Patch   February 2004
Unable to initialize the Session
        ERROR reply from Session Manager -->
No login allowed on the STANDBY EM01 application.
CLI will terminate in 10 seconds

Logging in Using Secure Shell

Secure Shell (SSH) is the method used to access the Cisco BTS 10200 Softswitch CLI prompt and log in to the primary EMS. SSH provides encrypted communication between a remote machine and the EMS or Call Agent for executing CLI or MAINT commands. SSH servers run on both EMSs and CAs of the softswitch. To connect, the client and server sides must both be running the secure shell daemon (SSHD).

You can get IP addresses and identifiers for the primary and secondary EMSs from the SOFTSW_INFO table by using the subscriber's TN (the TN_INFO table contains the SOFTSW_ID as a foreign key).

To establish an SSH session and log in to the primary EMS, complete the following steps:


Step 1 To log in from the client side, use an SSH client program or enter the following at a console:

ssh <username>@<IPaddress>

On the first SSH login from the client side, you might see a message similar to the following:

The authenticity of host [hostname] can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:42:62:6d:98:9c:fe:e9:52.

Are you sure you want to continue connecting (yes/no)?

Step 2 If a message similar to the one above is displayed, enter yes to continue.

The default password prompt appears. From this point on, all communications are encrypted.

Step 3 Enter the default password.

With SSH enabled, new users are prompted to enter a new password and to reenter that password during their first login. From that point on, you are prompted only once at the beginning of each session for your password.

Step 4 At the login prompt, enter your CLI username.

The password prompt appears.

Step 5 Enter your password.

If the EMS you attempt to log in to is the primary EMS, a message similar to the following is displayed:

Last login: Thu Apr 15 10:24:15 2004 from 64.101.149.247
Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
CLI>

If the system responds with a CLI> prompt, you are ready to send commands to the EMS. Proceed to Step 6.

If the EMS you attempt to log in to is the secondary EMS, a message similar to the following is displayed:

Last login: Thu Apr 15 10:24:15 2004 from 64.101.149.247
Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
Unable to initialize the Session
        ERROR reply from Session Manager -->
No login allowed on the STANDBY EM01 application.
CLI will terminate in 30 seconds

The system will log you off. Determine the IP address and identifier of the other EMS and repeat Step 1 through Step 5.

If you cannot establish an SSH session with, or log in to the primary EMS, you can attempt to log in to the secondary EMS, as described in the next section.

Step 6 Use the following command to show user activity on the EMS:

show ems

You should receive a response similar to the following:

Reply : Success: Current EMS logical IP assignment.

IP_ALIAS=Not-defined-yet
INTERFACE=hme0

CLI>

Step 7 Enter any other desired commands.

Step 8 To log off and terminate the SSH session, enter exit at the CLI> prompt.
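
Both SSH login procedures in this chapter reach the "authenticity of host" prompt on first contact; comparing the displayed fingerprint with the host's public key obtained by a trusted path is what makes answering yes safe. The following is an added example, not Cisco code: the function names are hypothetical, the key it builds is a constructed sample rather than a real host key, and it assumes an ssh-rsa public key line has been obtained out of band.

```python
import base64
import hashlib
import re
import struct

# Prompt text as shown in the login procedure on this page.
PAGE_PROMPT = (
    "The authenticity of host [hostname] can't be established.\n"
    "Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:42:62:6d:98:9c:fe:e9:52.\n"
    "Are you sure you want to continue connecting (yes/no)?"
)
PROMPT_RE = re.compile(
    r"Key fingerprint is (\d+) ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})"
)


def _read_string(blob, offset):
    """Read one length-prefixed field of an SSH public key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def describe_public_key(pubkey_line):
    """Return (bits, fingerprint) for an 'ssh-rsa <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match")
    _exponent, pos = _read_string(blob, pos)
    modulus, pos = _read_string(blob, pos)
    bits = int.from_bytes(modulus, "big").bit_length()
    # MD5 is used only because it is the colon-hex format this prompt prints.
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return bits, fingerprint


def prompt_matches_trusted_key(prompt_text, trusted_pubkey_line):
    """True only if the prompt shows the trusted key's size and fingerprint."""
    match = PROMPT_RE.search(prompt_text)
    if match is None:
        return False
    shown = (int(match.group(1)), match.group(2))
    return shown == describe_public_key(trusted_pubkey_line)


def constructed_key_line():
    """Build a well-formed 1024-bit sample line (constructed, not a host key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data

    exponent = (65537).to_bytes(3, "big")
    # Leading zero byte keeps the value positive, as the wire format requires.
    modulus = b"\x00" + bytes([0xC5]) + bytes(range(127))
    blob = field(b"ssh-rsa") + field(exponent) + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    trusted = constructed_key_line()
    print(describe_public_key(trusted))
    # The page's fingerprint does not belong to the constructed key: refuse.
    print(prompt_matches_trusted_key(PAGE_PROMPT, trusted))
```
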


Activating a Media Gateway

The control command is used to change the state of the media gateway to "in service." You should monitor the Cisco BTS 10200 Softswitch transaction queue to verify that the media gateway has been successfully added before trying to activate the media gateway.

To verify that the media gateway has been added and to activate the media gateway, complete the following steps:


Step 1 Execute the following command, using the transaction-id of the command that added the media gateway:

show transaction-queue transaction-id=1029944382523

Reply: Success: Database is void of entries.

Step 2 If the above response is received, you can execute the control command to activate the media gateway:

control mgw id=<mgw-id>; target-state=ins; mode=forced;

Data elements specified in this command are:

mgw id—The unique identifier of the voice port on the subscriber's MTA, which is created by taking the voice port's MAC address and stripping out all the hyphens.

target-state—Use "ins" to indicate "in service" for all activations.

mode—Use "forced" for all activations.