Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Installation Guide for Cisco Security Manager 3.2

Text Part Number: OL-15627-01


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Installation Guide for Cisco Security Manager 3.2 © 2005-2008 Cisco Systems, Inc. All rights reserved.


Contents

Software License Acknowledgements
    Notices
    OpenSSL/Open SSL Project
    License Issues

Preface
    Audience
    Conventions
    Product Documentation
    Security Manager Documentation
    Obtaining Documentation and Submitting a Service Request

Chapter 1: Overview
    Introduction to Component Applications
    Effects of Licensing on Installation
    Locations of Installed Files on Servers
    Locations of Installed Files on Client Systems

Chapter 2: Requirements and Dependencies
    Required Services and Ports
    Server Requirements
    Client Requirements

Chapter 3: Preparing a Server for Installation
    Best Practices for Enhanced Server Performance
    Readiness Checklist for Installation

Chapter 4: Installing, Uninstalling, and Reinstalling Server Applications
    Installing Server Applications
    Uninstalling and Reinstalling Server Applications
    Uninstalling Server Applications
    Reinstalling Server Applications

Chapter 5: Upgrading and Downgrading Server Applications
    Upgrading Server Applications
    Upgrading to Security Manager 3.2 Using Inline Method
    Known Problem
    Workaround No. 1—Server-side workaround (a permanent fix for all remote Cisco Security Manager clients—recommended)
    Workaround No. 2—Client-Side Workaround with DVD available (a per-client fix)
    Workaround No. 3—Client-Side Workaround without DVD available (a per-client fix)
    Upgrading to Security Manager 3.2 by Backing Up and Restoring the Database
    Restoring the Security Manager Database
    Retrieving Certificates After Upgrading from 3.0.2 to 3.2 Using Perl Scripts
    Migrating AUS and Configuration Engines
    Migrating Catalyst 6500 and Cisco 7600 Chassis
    Migrating IPS Sensors
    Upgrading IPS Manager 3.0.2 Data
    Obtaining Service Packs and Point Patches
    Downgrading Server Applications

Chapter 6: Installing or Uninstalling Security Manager Client
    Client System Browser Best Practices
    Configuring Required Client Settings To Open Browser Windows
    Configuring Internet Explorer Settings
    Configuring Firefox Settings
    Editing the Preferences File
    Editing the Size of the Disk Cache
    Disabling the Popup Blocker or Creating a White List
    Enabling JavaScript
    Displaying Online Help on a New Tab in the Most Recent Window and Reusing Existing Windows on Subsequent Requests
    Accessing Online Help Using Internet Explorer
    Internet Explorer 6.0 Certificate Support for Online Help
    Internet Explorer 7.0 Certificate Support for Online Help
    Enabling and Configuring Exceptions in Third-party Tools
    Installing Security Manager Client
    Patching a Client
    Uninstalling Security Manager Client
    Using Security Manager Client To Log In to a Server

Chapter 7: Installing and Upgrading RME
    Performing a Fresh Installation of RME
    Installation Notes
    Installation Modes
    Performing a Fresh Installation—Typical
    Performing a Fresh Installation—Custom
    Defining Upgrade and Migration for RME 4.0.5
    Defining RME Upgrade
    Defining RME Migration
    Upgrade From RME 4.0.x to RME 4.1
    Local Upgrade From RME 4.0.3, or 4.0.5 to RME 4.1
    Remote Upgrade From RME 4.0.3 or 4.0.5 to RME 4.1
    Backing Up and Restoring RME Data to RME 4.1
    Backing Up Your RME 4.0.x Data
    Backing Up RME 4.0.x Data Using CLI
    Backing Up RME 4.0.x Data Using GUI
    Restoring the RME 4.0.x Backup Data

Chapter 8: Post Installation Server Tasks
    Server Tasks To Complete Immediately
    Verifying That Required Processes Are Running
    Best Practices for Ongoing Server Security
    Verifying an Installation or an Upgrade
    Where To Go Next

Appendix A: Troubleshooting
    Questions and Answers
    Server Q&A
    IPS Event Viewer Q&A
    Client Q&A
    Troubleshooting the Standalone Security Agent
    Running a Server Self-Test
    Collecting Server Troubleshooting Information
    Viewing and Changing Server Process Status
    Restarting All Processes on Your Server
    Reviewing the Server Installation Log File

Appendix B: Cisco Security Agent: Standalone Agent Overview
    The Basics
    Understanding and Managing Security Level Settings
    Responding to Query Challenges
    Uninstalling the Standalone Agent

Appendix C: Helpful Reference Information
    Understanding User Accounts
    Understanding User Account Security Levels
    Understanding User Permissions
    Recommendations for Creating Strong Passwords
    Changing the Default Location for Temporary Files
    Exporting Data from IPS MC 2.2
    Importing IPS MC 2.2 Data

Index


Software License Acknowledgements

Revised: March 24, 2008, OL-15627-01

This section contains the following license information for software used in Cisco Security Manager:

• Notices, page -vii

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product includes software written by Tim Hudson ([email protected]).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

OpenSSL License:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.


3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

Original SSLeay License:

Copyright © 1995-1998 Eric Young ([email protected]). All rights reserved.

This package is an SSL implementation written by Eric Young ([email protected]).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

“This product includes cryptographic software written by Eric Young ([email protected])”.


The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].


Preface

Cisco Security Manager 3.2 (Security Manager) enables you to manage security policies on Cisco devices in large, medium, or small networks. You can use shareable objects and policies in Security Manager to manage thousands of devices or only a few. Security Manager also supports multiple configuration views that are optimized for different use cases, supports the provisioning of many platform-specific settings, and provides device grouping capabilities.

Note Cisco Security Management Suite combines Security Manager and an otherwise separate product, Cisco Security Monitoring, Analysis, and Response System, an appliance that enables you to monitor, identify, isolate, and counter security threats in your network. See http://www.cisco.com/en/US/products/ps6241/.

This guide:

• Lists hardware and software requirements for installing Security Manager and its related applications on a Windows server.

• Explains important concepts about the software applications that you select for installation and the environment in which you install them.

• Provides step-by-step instructions for installing Security Manager on a Windows server and installing dedicated client software for Security Manager on a Windows PC.

• Describes what you must do after installation so that you can use your newly-installed applications successfully.

• Guides you in understanding and troubleshooting problems that might occur during, or as a result of, a Security Manager installation.

Note • Before you rely on any instruction or suggestion in this guide, we recommend that — for late-breaking information — you read the release notes on Cisco.com that are most relevant to the actual software components you choose to install. The release notes might contain corrections or additions to this guide or provide other information that affects planning, preparation, installation, or deployment. See Product Documentation, page xiii.

• You can send your comments about this installation guide to [email protected]. (For alternative instructions, see http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.)


Tip SAFE is a Cisco strategy for designing, implementing, and maintaining a secure network. We recommend that you implement the best practices in the Cisco SAFE blueprint before you install Security Manager or any of its associated component applications. You can learn about SAFE at http://www.cisco.com/go/safe.

Audience

This document is for network and security personnel who install, configure, deploy, and manage security infrastructure.

Conventions

This document uses the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Tip Means the following information will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.

Item | Convention
Commands and keywords | boldface font
Variables for which you supply values | italic font
Displayed session and system information | screen font
Information you enter | boldface screen font
Variables you enter | italic screen font
Menu items and button names | boldface font
Selecting a menu item in paragraphs | Option > Network Preferences
Selecting a menu item in tables | Option > Network Preferences


Product Documentation

Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

• Security Manager Documentation, page xiii

• Auto Update Server Documentation, page xiv

• Related Documentation, page xiv

Security Manager Documentation

Table 1 describes available documentation for Cisco Security Manager in the reading order that we recommend for all users. In addition, some users might want to see Migrating from CiscoWorks VPN/Security Management Solution to Cisco Security Manager.

Table 1 Security Manager Documentation

Document Title | Available Formats
Release Notes for Cisco Security Manager 3.2 | http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html
Supported Devices and Software Versions for Cisco Security Manager 3.2 | http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_list.html
Installation Guide for Cisco Security Manager 3.2 (This guide) | http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html
User Guide for Cisco Security Manager 3.2 | http://www.cisco.com/en/US/products/ps6498/products_user_guide_list.html
FAQs and Troubleshooting Guide for Cisco Security Manager 3.2 | http://www.cisco.com/en/US/products/ps6498/prod_troubleshooting_guides_list.html
Context-sensitive online help | Select an option in the GUI, then click Help.


Auto Update Server Documentation

Table 2 describes available Auto Update Server (AUS) documentation in the reading order that we recommend.

Note • The release notes for AUS are included in Release Notes for Cisco Security Manager 3.2. See Security Manager Documentation, page xiii.

• Installation requirements and instructions for AUS are described in this guide (Installation Guide for Cisco Security Manager 3.2).

Table 2 Auto Update Server Documentation

Document Title | Cisco.com URL
User Guide for Auto Update Server 3.2 | http://www.cisco.com/en/US/products/ps6498/products_user_guide_list.html
Supported Devices for Auto Update Server 3.2 | http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_list.html

Related Documentation

Table 3 identifies important documentation for Common Services 3.1, Resource Manager Essentials 4.1, and Performance Monitor 3.2.

Table 3 Documentation for Related Products

Document Title | Cisco.com URL
Common Services Documentation
Release Notes for CiscoWorks Common Services 3.1 on Windows | http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.1/release/windows/notes/cs31_rn_win.html
User Guide for CiscoWorks Common Services 3.1 | http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.1/user/guide/cs31ug.html
Resource Manager Essentials Documentation
Release Notes for Resource Manager Essentials 4.1 on Windows | http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod_release_notes_list.html
Supported Devices Tables for LMS 3.0 | http://www.cisco.com/en/US/products/sw/cscowork/ps2425/products_device_support_tables_list.html
Supported Image Distribution Features for RME 4.1 Software Management (With LMS 3.0) | http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Supported Image Import Features for RME 4.1 Software Management (With LMS 3.0) | http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Supported Protocols for RME 4.1 Configuration Management (With LMS 3.0) | http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
User Guide for Resource Manager Essentials 4.1 (With LMS 3.0) | http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_user_guide_list.html


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.


Chapter 1: Overview

This chapter contains the following major sections:

• Introduction to Component Applications, page 1-1

• Effects of Licensing on Installation, page 1-6

• Locations of Installed Files on Servers, page 1-7

• Locations of Installed Files on Client Systems, page 1-7

Introduction to Component Applications

The Security Manager installer enables you to install certain applications and, when you do, requires that you install certain other applications. This section describes those applications and their interdependencies:

• Common Services, page 1-2

• Security Manager, page 1-2

• Auto Update Server, page 1-3

• IPS Event Viewer, page 1-4

• Resource Manager Essentials, page 1-5

• Cisco Security Agent, page 1-5

• Performance Monitor, page 1-5


Common Services

CiscoWorks Common Services 3.1 (Common Services) is required for Security Manager 3.2, Resource Manager Essentials 4.1, Auto Update Server, and Performance Monitor to work. You can install Security Manager only if Common Services is already installed on your system or if you select Common Services for installation along with Security Manager.

Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to Security Manager that include:

• SSL libraries.

• An embedded SQL database.

• The Apache webserver.

• The Tomcat servlet engine.

• The CiscoWorks home page.

• Backup and restore functions.

For more information, see the Common Services documentation.

Security Manager

Cisco Security Manager is an enterprise-class management application designed to configure firewall, VPN, and intrusion prevention system (IPS) security services on Cisco network and security devices. Cisco Security Manager can be used in networks of all sizes–from small networks to large networks consisting of thousands of devices–by using policy-based management techniques. Cisco Security Manager works in conjunction with the Cisco Security Monitoring, Analysis, and Response System (MARS). Used together, these two products provide a comprehensive security management solution that addresses configuration management, security monitoring, analysis, and mitigation.

Note For more information about Cisco Security MARS, visit http://www.cisco.com/go/mars.

To use Security Manager, you must install server and client software.

Security Manager offers the following features and capabilities:

• Service-level and device-level provisioning of VPN, firewall, and intrusion-prevention systems from one desktop.

• Device configuration rollback.

• Network visualization in the form of topology maps.

• Workflow mode.

• Predefined and user-defined FlexConfig service templates.

• Integrated inventory, credentials, grouping, and shared data building blocks.

• Convenient cross-launch access to related applications.


Auto Update Server

If you choose to install Auto Update Server (AUS), you can install it on the same server where you install Security Manager or on a different server, such as a server in your DMZ. AUS and Security Manager can share device inventory information and other data. AUS requires Common Services 3.1.

AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition:

• Supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.

• Cisco IOS routers that use dynamic IP addresses can use AUS in combination with the CNS Gateway protocol to retrieve device IP addresses.

AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls.

For more information, see the AUS documentation.


IPS Event Viewer

Cisco IPS Event Viewer (IEV) enables you to monitor as many as five individual IPS sensors in small-scale IPS deployments. Any sensor that you will monitor must be in the Security Manager inventory.

IEV installs when you install Security Manager. Its features include:

• Support for IPSv6 through SDEE compatibility.

• Customizable reporting.

• Event notification through email or paging.

• Visibility into applied response actions, virtual sensor ID, learned DST OS, and threat rating.

Note Ethereal is a network protocol analyzer (a packet sniffer) for Windows that you can use to examine data from a live network or a file. The Security Manager installer does not install Ethereal. However, if you install Ethereal on a server where IEV is installed, you can start the Ethereal application from the IEV Tools menu to view summaries or detailed information for any packet, including the reconstructed stream of a TCP session. Also, if you have configured the sensor capturePacket parameter, IEV uses Ethereal to display the trigger packet. If you install IEV on a server where Ethereal is already installed, you need to specify the directory where Ethereal was installed from the IEV main menu. After you install IEV, you must reconfigure it if you install Ethereal, move the Ethereal executable file, or uninstall Ethereal. See the IEV documentation for detailed instructions.

The first time that you start IEV from Security Manager Client, important files are copied from your server to a subdirectory below the folder where you installed Security Manager Client. (These files are uninstalled when you uninstall Security Manager Client.) You can run one session at a time of IEV from a client system. However, multiple client systems can start and run sessions to one server simultaneously.

To enable communication between IEV server and IEV client, you need to modify the Cisco Security Agent or any other anti-virus and network firewall software policies on the Security Manager server to configure TCP ports 60002 and 60003 as open ports. If the server has a preexisting installation of the full Cisco Security Agent, the standalone agent is not installed on the system when you install Security Manager. In such a case, configure the Cisco Security Agent network services to accept connections on TCP ports 60002 and 60003. However, if the server on which you install Security Manager was not previously installed with the full, commercial version of Cisco Security Agent, the Security Manager installer installs a customized, standalone agent on your server and opens the necessary TCP ports for communication between IEV server and IEV client.

When you start IEV client from the Security Manager client system, IEV client automatically opens TCP port 5001 to establish communication with the IEV server.

You must configure IEV before you can use its full feature set. See the IEV documentation for detailed instructions.


Resource Manager Essentials

Cisco Security Manager includes the companion application Resource Manager Essentials 4.1 (RME).

Tip RME is not included with the Security Manager evaluation available for download from Cisco.com. However, RME is included on the orderable Security Manager evaluation kit available from Cisco Marketplace in the Collateral and Subscriptions Store.

You are licensed to use the same number of devices in RME that you license for Security Manager.

RME provides network monitoring and fault information that you can use to track devices critical to network uptime and application availability. RME also provides tools that you can use to rapidly and reliably deploy Cisco software images and view configurations of Cisco routers and switches. RME automates software maintenance to help you maintain and control your network.

RME 4.1 is available only as an upgrade to RME 4.0.3 and RME 4.0.5. Therefore, to install RME, you must:

1. Have or obtain the Security Manager installation DVD.

2. Insert the DVD into the drive, then:

a. Install Common Services 3.1.

b. From the rme4_1 folder, run setup.exe to install RME 4.1.

For detailed information about installing RME, see Chapter 7, “Installing and Upgrading RME.”

Cisco Security Agent

Cisco Security Agent provides host-based intrusion prevention.

If the server on which you install Security Manager is not protected by the fully configurable, commercial version of Cisco Security Agent when you start to install Security Manager, the Security Manager installer automatically installs a customized, standalone agent on your server, with predefined policies that you cannot change. To learn about this standalone agent, see Appendix B, “Cisco Security Agent: Standalone Agent Overview.”

If the server has a preexisting installation of the full Cisco Security Agent, the standalone agent is not installed. In this case, we recommend that you import into your full agent version all policies that you find on the Security Manager installation DVD (in \csm3_2_win_server\CSA\CSMCSA3.2_policies.export). If you import these policies, you must reconcile them with any conflicting policies that your organization configures. To learn more, see the Cisco Security Agent documentation on Cisco.com.

Performance Monitor

Performance Monitor is not available for installation from the Security Manager 3.2 DVD. If you are running Security Manager 3.1 and Performance Monitor 3.1 on the same system and upgrade Security Manager to 3.2, Performance Monitor stops working. This problem occurs because of the difference in the version of Common Services between Security Manager 3.2 and Performance Monitor 3.1.

We recommend that you install Security Manager and Performance Monitor on separate systems. Also, we recommend that you do not upgrade Security Manager to 3.2 if you have Performance Monitor 3.1 running on the same server. The next version of Performance Monitor, 3.2, will be released shortly, at which point, both the applications can coexist on the same server.


Effects of Licensing on Installation

The terms of your Security Manager software license determine many things, including the features that are available to you and the number of devices that you can manage. For licensing purposes, the device count includes any physical device, security context, virtual sensor, or Catalyst security services module that uses an IP address. Failover pairs count as one device.

When you upgrade from an earlier release, Security Manager does not prompt you for a license; instead, it retains your license and continues to enforce its terms. If you upgrade during a free evaluation, the remaining time in your evaluation period does not change.

Note For complete information on the types of licenses available and the various supported upgrade paths, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see the product bulletin for this version of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.

Two license types, Standard and Professional, are available, in addition to a free 90-day evaluation period that is restricted to 50 devices.

• Security Manager has one base license file and as many other, additional licenses as you might purchase. To obtain the base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package.

– If you are a registered Cisco.com user, start here: http://www.cisco.com/go/license

– If you are not a registered Cisco.com user, start here: http://tools.cisco.com/RPF/register/register.do

After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.

• Common Services does not require a license file.

• Auto Update Server does not require a license file.

• The Resource Manager Essentials license is a separate file from the Security Manager license file. RME is not included with the Security Manager evaluation available for download from Cisco.com. However, RME is included on the orderable Security Manager evaluation kit available from Cisco Marketplace in the Collateral and Subscriptions Store. For instructions on how to obtain and install the license file, see the User Guide for CiscoWorks Common Services 3.1 at the following URL: http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.1/user/guide/admin.html#wp386416.

License limits are imposed when you exceed the allotted time (in the case of the evaluation license), or the number of devices that your license allows you to manage. The evaluation license provides the same privileges as the Professional Edition license. It is important that you register Security Manager as soon as you can within the first 90 days, and for the number of devices that you need, to ensure uninterrupted use of the product. Each time you start the application you are reminded of how many days remain on your evaluation license, and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you cannot log in until you upgrade your license.


Note This note applies only if you have not purchased a permanent license. If you perform an inline upgrade to Security Manager 3.2 from a previous version of Security Manager on your server, you must copy the 3.2 license file to the ..NMSROOT\etc\licenses\CSM folder to replace the existing older license file before starting the installation of 3.2. This operation is necessary because the license file format has changed in Security Manager 3.2 and the format in previous versions is not compatible with 3.2. If you do not overwrite the existing evaluation license file with the 3.2 license file, you are prompted to select a permanent license file while starting the Security Manager client after upgrade. If you have not purchased a permanent license, contact Cisco TAC to obtain a new evaluation license.

Note When you back up a Security Manager 3.2 database from one server and restore it to a different server, the validity period of the evaluation license after upgrade is retained as the same period that remained before upgrade or backup. For example, if you used Security Manager installed with an evaluation license for 10 days before upgrading to Security Manager 3.2, the license would be valid for only 80 days after the upgrade.

To learn how to install a license file in the Security Manager GUI, see the “Managing the Security Manager Server” chapter in the User Guide for Cisco Security Manager 3.2.

Note When installing a license, you must stage the license file on a disk that is local to your Security Manager server. Security Manager does not see mapped drives if you use it to browse directories on your server. Windows imposes this limitation, which serves to improve Security Manager performance and security.

Getting Help with Licensing

For licensing problems with Security Manager, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):

• Phone: +1 (800) 553-2447

• E-Mail: [email protected]

• http://www.cisco.com/tac

Locations of Installed Files on Servers

NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files\CSCOpx.

The Security Manager installer application creates and stores files on your target server. Some of those files are specific to Security Manager, while others deal with other applications.

Locations of Installed Files on Client Systems

The Cisco Security Manager Client installer application creates and stores files on client systems. The default location for those files is C:\Program Files\Cisco Systems\Cisco Security Manager Client.


Chapter 2

Requirements and Dependencies

You can install and use Security Manager as a standalone product or in combination with several other Cisco security management applications — including optional applications that you can select in the Security Manager installer or download from Cisco.com. Requirements for installation and operation vary in relation to the presence of other software on the server and according to the way that you use Security Manager.

Caution If you are upgrading to Security Manager 3.2 from an earlier version, you must make sure that the existing Security Manager database does not contain any pending data, meaning data that has not been committed to the database. If the existing Security Manager database contains pending data, you must commit or discard all uncommitted changes before upgrading. For instructions, see Uninstalling and Reinstalling Server Applications, page 4-6.

CiscoWorks Common Services 3.1 is required for Security Manager to work. You install Common Services automatically when you install Security Manager server software. Security Manager cannot coexist on a server with any patched or unpatched Common Services version earlier than 3.1. For more information, see Common Services, page 1-2, and see the Common Services documentation on Cisco.com at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/.

Tip We recommend that you synchronize the date and time settings on all of your management servers and all of the managed devices in your network. One method is to use an NTP server. Synchronization is important if you want to correlate and analyze log file information from your network.

The sections in this chapter describe requirements and dependencies for installing Security Manager server and client software:

• Required Services and Ports, page 2-2

• Server Requirements, page 2-3

• Client Requirements, page 2-5


Required Services and Ports

You must ensure that required ICMP (ping), TCP, and UDP ports are enabled and available for use by Security Manager and its associated applications on your server, to support their associated services.

Tip To understand which server processes are associated with the applications that you install from the Security Manager installation DVD, see Verifying That Required Processes Are Running, page 8-2.

Table 2-1 sorts the required ports and services numerically, by port.

Table 2-1 Required Ports and Services

| Service | Used For, or Used By | Port Number/Range of Ports | Protocol | Inbound | Outbound |
|---|---|---|---|---|---|
| Ping | RME | — | ICMP | — | X |
| SSH | Common Services | 22 | TCP | — | X |
| | RME | 22 | TCP | — | X |
| Telnet | Common Services | 23 | TCP | — | X |
| | DM 6500/7600 | 23 | TCP | — | X |
| | RME | 23 | TCP | — | X |
| TACACS+ (for ACS) | Common Services | 49 | TCP | — | X |
| | RME | | TCP | — | X |
| TFTP | Common Services | 69 | UDP | X | X |
| HTTP | Common Services | 80 | TCP | — | X |
| | DM 6500/7600 | | TCP | — | X |
| SNMP (polling) | Common Services | 161 | UDP | — | X |
| SNMP (traps) | Common Services | 162 | UDP | — | X |
| HTTPs (SSL) | Common Services | 443 [1] | TCP | X | — |
| | Security Manager | | TCP | — | X |
| | AUS | | TCP | X | — |
| Syslog | Common Services | 514 | UDP | X | — |
| Remote Copy Protocol | Common Services | | TCP | X | X |
| VisiBroker IIOP port for gatekeeper | Common Services | 1683/1684 | TCP | X | X |
| HTTP | Common Services | 1741 | TCP | X | — |
| | Security Manager | | TCP | X | — |
| MySQL [2] | Security Manager | 3306, 5501 | MySQL | X | X |
| Cisco IPS Event Viewer [3] | Security Manager server | 60002, 60003 | TCP | X | X |
| | Security Manager client | 5001 | TCP | X | X |
| HIPO port for CiscoWorks gatekeeper | Common Services | 8088 | TCP | X | X |


Server Requirements

Note See Required Services and Ports, page 2-2, for a complete list of the service ports that you must enable in order to use your Security Manager server.

Tip We recommend that you install Security Manager on a dedicated server in a controlled environment. For additional best practices and related guidance, see Chapter 3, “Preparing a Server for Installation.”

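Table 2-1 Required Ports and Services (continued)

| Service | Used For, or Used By | Port Number/Range of Ports | Protocol | Inbound | Outbound |
|---|---|---|---|---|---|
| Tomcat shutdown | Common Services | 9007 | TCP | X | — |
| Tomcat Ajp13 connector | Common Services | 9009 | TCP | X | — |
| Database | Security Manager | 10033 | TCP | X | — |
| License Server | Common Services | 40401 | TCP | X | — |
| Daemon Manager | Common Services | 42340 | TCP | X | X |
| Osagent | Common Services | 42342 | UDP | X | X |
| Database | Common Services | 43441 | TCP | X | — |
| DCR and OGS | Common Services | 40050 – 40070 | TCP | X | — |
| Event Services | Software Service | 42350/44350 | UDP | X | X |
| | Software Listening | 42351/44351 | TCP | X | X |
| | Software HTTP | 42352/44352 | TCP | X | X |
| | Software Routing | 42353/44353 | TCP | X | X |
| Transport Mechanism (CSTM) | Common Services | 50000 – 50020 | TCP | X | — |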

1. To share and exchange information with a Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance, Security Manager uses HTTPS over port 443 by default. You can choose whether to use a different port for this purpose.

2. Do not delete or move the C:\my.cnf file, which the MySQL server requires.

3. The Cisco IPS Event Viewer service depends on MySQL services. If you want to stop retrieving and storing IPS event alerts, you can stop the Cisco IPS Event Viewer service. Later you can restart the Cisco IPS Event Viewer service to resume retrieving and storing alerts.
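The following added example, which is not from the Cisco guide, compares `netstat -an` output from the server against the inbound rows of Table 2-1 (including the IEV ports 60002 and 60003 discussed in Chapter 1). It reports documented ports that have no network-reachable listener and listeners that the table does not account for. The port lines are transcribed from the table; treating the MySQL row as TCP, splitting "a/b" cells into two ports, and the sample netstat text are assumptions made for the example.

```python
import re

# Inbound rows of Table 2-1 that print a port number, as "PROTO PORT SERVICE".
# Assumptions of this example: "a/b" and "a, b" cells become one line per
# port, "a-b" is a range satisfied by any listener inside it, and the MySQL
# row (its protocol cell reads "MySQL") is treated as TCP.
TABLE_2_1_INBOUND = """
UDP 69 TFTP
TCP 443 HTTPS (SSL)
UDP 514 Syslog
TCP 1683 VisiBroker IIOP port for gatekeeper
TCP 1684 VisiBroker IIOP port for gatekeeper
TCP 1741 HTTP
TCP 3306 MySQL
TCP 5501 MySQL
TCP 8088 HIPO port for CiscoWorks gatekeeper
TCP 9007 Tomcat shutdown
TCP 9009 Tomcat Ajp13 connector
TCP 10033 Database (Security Manager)
TCP 40050-40070 DCR and OGS
TCP 40401 License Server
TCP 42340 Daemon Manager
UDP 42342 Osagent
UDP 42350 Event Services: Software Service
UDP 44350 Event Services: Software Service
TCP 42351 Event Services: Software Listening
TCP 44351 Event Services: Software Listening
TCP 42352 Event Services: Software HTTP
TCP 44352 Event Services: Software HTTP
TCP 42353 Event Services: Software Routing
TCP 44353 Event Services: Software Routing
TCP 43441 Database (Common Services)
TCP 50000-50020 Transport Mechanism (CSTM)
TCP 60002 Cisco IPS Event Viewer
TCP 60003 Cisco IPS Event Viewer
"""

# Constructed `netstat -an` output for a hypothetical server (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1741           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:60002          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           10.0.0.9:51234         ESTABLISHED
  UDP    0.0.0.0:514            *:*
  UDP    0.0.0.0:1434           *:*
"""

SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def load_rows(spec=TABLE_2_1_INBOUND):
    """Parse the table text into (proto, low_port, high_port, service) rows."""
    rows = []
    for line in spec.strip().splitlines():
        proto, ports, service = line.split(None, 2)
        low, _, high = ports.partition("-")
        rows.append((proto, int(low), int(high or low), service))
    return rows


def parse_listeners(netstat_text):
    """Return {(proto, port)} for sockets that accept traffic from the network."""
    found = set()
    for line in netstat_text.splitlines():
        m = SOCKET_LINE.match(line)
        if not m:
            continue  # banner, column header, or blank line
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only sockets are unreachable from clients
        found.add((proto, int(port)))
    return found


def audit(netstat_text):
    """Return (missing_rows, unexpected_listeners) relative to Table 2-1."""
    rows = load_rows()
    listeners = parse_listeners(netstat_text)
    missing = [r for r in rows
               if not any(p == r[0] and r[1] <= n <= r[2] for p, n in listeners)]
    unexpected = sorted(
        (p, n) for p, n in listeners
        if not any(p == r[0] and r[1] <= n <= r[2] for r in rows))
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_NETSTAT)
    for proto, low, high, service in missing:
        span = str(low) if low == high else "%d-%d" % (low, high)
        print("no reachable listener: %s %s (%s)" % (proto, span, service))
    for proto, port in unexpected:
        print("not in Table 2-1: %s %d" % (proto, port))
```

Which documented ports should actually be listening depends on which component applications are installed, so treat the "missing" list as a prompt for review rather than a failure.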


You can install Security Manager on a Windows-based server that uses one CPU or multiple CPUs. Table 2-2 describes server requirements and restrictions.

Table 2-2 Server Requirements and Restrictions

Component Requirement

System hardware • IBM PC-compatible with a 2 GHz or faster processor.

• Color monitor with at least 1024 x 768 resolution and a video card capable of 16-bit colors.

• DVD-ROM drive.

• 100BaseT (100 Mbps) or faster network connection; single interface only.

• Keyboard.

• Mouse.

System software Microsoft Windows 2003 [1, 2]:

• Enterprise Edition with SP1 and SP2.

• Standard Edition with SP1 and SP2.

• R2 Enterprise Edition with SP1 and SP2.

• R2 Standard Edition with SP1 and SP2.

Security Manager supports only the US-English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows [3], open the panel where you configure region and language settings [4], then set the default locale. (We do not support English as the language in any Japanese version of Windows.)

Microsoft ODBC Driver Manager 3.510 or later is also required, so your server can work with Sybase database files. To confirm the installed ODBC version, find and right-click ODBC32.DLL, then select Properties from the shortcut menu. The file version is listed under the Version tab. [5]

Memory (RAM) 2 GB.

File system NTFS.

Browser One of the following:

• Microsoft Internet Explorer 6.0 Service Pack 2.

• Internet Explorer 7.0.

• Firefox 2.0.

Compression software WinZip 9.0 or compatible.

Hard Drive Space 20 GB.

IP Address One static IP address.

The Security Manager installer displays a warning if it detects any dynamic IP addresses on the target server. Dynamic addresses are not supported.

If the server has more than one IP address, you do not need to disable any of the multiple network interface cards before installation. However, after you complete the server installation, you must perform the steps outlined in the Server Tasks To Complete Immediately, page 8-1 if you plan to use multiple network interface cards on your Security Manager server.

1. To confirm the installed Windows version from the Start menu, select Run, then enter either ver or winver.

2. Security Manager is not supported on 64-bit Windows operating systems or on virtual machines such as VMware.

3. To open the Control Panel for Windows from the Start Menu, you follow a path that varies according to your Windows version and configuration.

4. The panel where you specify region and language settings for Windows has a name that varies according to your Windows version and configuration.

5. Alternatively after you install Security Manager, select Server > Admin from the Common Services desktop, click Selftest, then click Create. When the table is refreshed, click the newest entry in the SelfTest Server Information column. When the “Server Info” window opens, scroll to the odbc.pl section to see the installed ODBC version.

Caution Do not install this product on a primary or backup domain controller. We do not support any use of Common Services on a Windows domain controller. Do not install this product in an encrypted directory. Common Services does not support directory encryption. Do not install this product if Terminal Services is enabled in Application mode. In such a case, you must disable Terminal Services, then restart the server before you install. Common Services supports only the Remote Administration mode for Terminal Services.

Client Requirements

Table 2-3 describes Security Manager Client requirements and restrictions.

Table 2-3 Client Requirements and Restrictions

Component Requirement

System hardware • IBM PC-compatible with a 1 GHz or faster processor.

• Color monitor with video card set to 24-bit color depth.

Tip An older video (graphics) card might fail to display the Security Manager GUI correctly until you upgrade its driver software. To test whether this problem might affect your client system, right-click My Computer, select Properties, select Hardware, click Device Manager, then expand the Display adapters entry. Double-click the entry for your adapter to learn what driver version it uses. You can then do one of the following:

– If your client system uses an ATI MOBILITY FireGL video card, you might have to obtain a video driver other than the driver that came with your card. The driver that you use must be one that allows you to configure Direct 3D settings manually. Any driver lacking that capability might stop your client system from displaying elements in the Security Manager GUI.

– For any video card, go to the web sites of the PC manufacturer and the card manufacturer to check for incompatibilities with the display of modern Java2 graphics libraries. In most cases where a known incompatibility exists, at least one of the two manufacturers provides a method for obtaining and installing a compatible driver.

• Keyboard.

• Mouse.


System software One of the following:

• Microsoft Windows XP Professional with SP1 or SP2. [1]

• Microsoft Windows 2003 [1]:

– Server Edition with SP1 and SP2.

– Enterprise Edition with SP1 and SP2.

– R2 Enterprise Edition with SP1 and SP2.

– R2 Standard Edition with SP1 and SP2.

• Microsoft Windows Vista Business Edition or Enterprise Edition

Note Security Manager supports only the US-English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows [2], open the panel where you configure region and language settings [3], then set the default locale. (We do not support English as the language in any Japanese version of Windows.)

Memory (RAM) 1 GB.

Virtual Memory/Swap Space 512 MB.

Hard Drive Space 10 GB.

Browser One of the following:

• Microsoft Internet Explorer 6.0 Service Pack 2.

• Internet Explorer 7.0.

• Firefox 2.0.


Java Security Manager Client includes an embedded and completely isolated version of Java. This Java version does not interfere with your browser settings or with other Java-based applications.

Note To verify the installed versions of JVM and the Java plug-in, do one of the following:

• (Internet Explorer) Select Tools > Sun Java Console.

• (Firefox) Select Tools > Web Development > Java Console.

• (From a prompt) Enter java -version.

1. Security Manager is not supported on 64-bit Windows operating systems.

2. To open the Control Panel for Windows from the Start Menu, you follow a path that varies according to your Windows version and configuration.

3. The panel where you specify region and language settings for Windows has a name that varies according to your Windows version and configuration.


Chapter 3

Preparing a Server for Installation

After you verify that the target server meets the requirements described in Chapter 2, “Requirements and Dependencies,” you can use these checklists to prepare and optimize your server for installation:

• Best Practices for Enhanced Server Performance, page 3-1

• Readiness Checklist for Installation, page 3-4

Best Practices for Enhanced Server Performance

A framework of best practices, recommendations, and other preparatory tasks can enable your Security Manager server to run faster and more reliably than it might do otherwise.

Caution We do not make any assurances that completing the tasks in this checklist improves the performance of every server. Nonetheless, if you choose not to complete these tasks, Security Manager might not operate as designed.

You can use this checklist to track your progress while you complete the recommended tasks.

Task

1. Find and organize the installer applications for any recommended updates, patches, service packs, hot fixes, and security software to install on the server.

2. Upgrade the server BIOS, if an upgrade is available.

3. If you plan to install Security Manager on a server that you have used for any other purpose, first back up all important server data, then use a boot CD or DVD to wipe all data from the server.

We do not support installation or coexistence on one server of Security Manager 3.2 and any release of Common Services earlier than 3.1. Nor do we support coexistence with any third-party software or other Cisco software, unless we state explicitly otherwise in this guide or at http://www.cisco.com/go/csmanager.

Note If you are upgrading your Cisco Security Manager server, you also need to make a backup of your current database after committing or discarding any pending data. For instructions, see Uninstalling and Reinstalling Server Applications, page 4-6.

4. Perform a clean installation of only the baseline server OS, without any manufacturer customizations for server management.


5. Install any required OS service packs and OS patches on the target server. To check which service packs or updates are required for the version of Windows that you use, select Start > Run, then enter wupdmgr.

6. Install any recommended updates for drivers and firmware on the target server.

7. Scan the system for malware. To secure the target server and its OS, scan the system for viruses, Trojan horses, spyware, key-loggers, and other malware, then mitigate all related problems that you find.

8. Resolve security product conflicts. Study and work to resolve any known incompatibilities or limitations among your security tools, such as popup blockers, antivirus scanners, and Cisco Security Agent or similar products from other companies. When you understand the conflicts and interactions among those products, decide which of them to install, uninstall, or disable temporarily, and consider whether you must follow a sequence. For example:

• If your organization uses any host-based intrusion prevention utility from a company other than Cisco, you must not install that utility on the target server until after you install Security Manager. Otherwise, it might interfere with the installation of Cisco Security Agent, which is installed automatically in most cases as part of the Security Manager installation.

• If any version of Cisco Security Agent is installed on a Security Manager server, the server relies on a set of agent policies specific to Security Manager servers. However, the customized, standalone agent that includes those policies is installed only if the target server has no preexisting installation of the full version of Cisco Security Agent. The full agent version does not include the specific policies that a Security Manager server requires. If you prefer the full agent to the standalone agent, you must import into your full agent all the exported agent policies that you find on the Security Manager installation DVD (in its \csm3_2_0_win_server\CSA subfolder). We recommend that you do not uninstall the standalone agent until or unless you obtain equivalent server security through another method that you trust. If you import policies from the file on the DVD, you must reconcile those imported policies with any conflicting policies that your organization has configured generally for its managed agents.

9. “Harden” user accounts. To protect the target server against brute force attacks, disable the guest user account, rename the administrator user account, and remove as many other user accounts as is practical in your administrative environment.

10. Use a strong password for the administrator user account and any other user accounts that remain. A strong password has at least eight characters and contains numbers, letters (both uppercase and lowercase), and symbols. To learn more about strong passwords, see Recommendations for Creating Strong Passwords, page C-2.

Tip You can use the Local Security Settings tool to require strong passwords. Select Start > Settings > Control Panel > Administrative Tools > Local Security Policy.

11. Secure the Registry by disabling or limiting remote access to it. The method that you use to disable or limit remote Registry access varies according to your OS and the tool or technique by which access is gained.

12. Remove unused, unneeded, and incompatible applications. For example:

• Microsoft Internet Information Server (IIS) is not compatible with Security Manager. If IIS is installed, you must uninstall it before you install Security Manager.

• We do not support the coexistence of Security Manager with any third-party software or other Cisco software (including any CiscoWorks-branded “solution” or “bundle,” such as the LAN Management Solution [LMS] or the VPN/Security Management Solution [VMS]), unless we state explicitly otherwise in this guide or at http://www.cisco.com/go/csmanager

• We do not support the installation or coexistence of Security Manager on a server with any release of Common Services earlier than 3.1.

• We do not support the coexistence of Security Manager on a server with any CD-ONE components (including CiscoView Device Manager) that you do not receive when you purchase Security Manager.

• We do not support the coexistence of Security Manager on the same server with Cisco Secure ACS for Windows.

• We do not support the coexistence of Security Manager on the same server with Cisco IPS Event Viewer.

13. Disable unused and unneeded services. At a minimum, Windows requires the following services to run: DNS Client, Event Log, Plug & Play, Protected Storage, and Security Accounts Manager.

Check your software and server hardware documentation to learn if your particular server requires any other services.

14. Disable all network protocols except TCP and UDP. Any protocol can be used to gain access to your server. Limiting the network protocols limits the access points to your server.

15. Avoid creating network shares. If you must create a network share, secure the shared resources with strong passwords.

Note We strongly discourage network shares. We recommend that you disable NETBIOS completely.

16. Configure server boot settings. Set a zero-second startup time, set Windows to load by default, and enable automatic reboot in cases of system failure.
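The following read-only PowerShell audit is an added example, not part of the Cisco guide; it checks items 9 through 12, 15, and 16 above and changes nothing on the host. It assumes PowerShell 3.0 or later in an elevated prompt, and it uses the RemoteRegistry and W3SVC services as indicators for remote Registry access and IIS, which is this example's assumption.

```powershell
#Requires -Version 3.0
# Added example (not Cisco code): read-only audit of hardening items 9-12, 15, 16.
# Assumptions: PowerShell 3.0+ with the CIM cmdlets, elevated prompt.

function New-Finding {
    param([string]$Item, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail }
}

function Get-PasswordPolicy {
    # secedit exports the local security policy as an INF file; its
    # [System Access] section holds MinimumPasswordLength and PasswordComplexity.
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    $policy = @{}
    try {
        secedit.exe /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
        if (Test-Path -LiteralPath $tmp) {
            foreach ($line in Get-Content -LiteralPath $tmp) {
                if ($line -match '^\s*(MinimumPasswordLength|PasswordComplexity)\s*=\s*(\d+)') {
                    $policy[$Matches[1]] = [int]$Matches[2]
                }
            }
        }
    }
    finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
    $policy
}

function Test-ServerHardening {
    $findings = @()

    # Item 9: Guest (RID 501) disabled, built-in Administrator (RID 500) renamed.
    # Matching on the RID still finds the accounts after they have been renamed.
    $accounts = @(Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True')
    $guest = $accounts | Where-Object { $_.SID -like '*-501' }
    $admin = $accounts | Where-Object { $_.SID -like '*-500' }
    $others = @($accounts | Where-Object { -not $_.Disabled -and $_.SID -notlike '*-500' })
    $findings += New-Finding 'Guest account disabled' ([bool]$guest.Disabled) "name=$($guest.Name)"
    $findings += New-Finding 'Administrator account renamed' ($admin.Name -ne 'Administrator') "name=$($admin.Name)"
    $findings += New-Finding 'No other enabled local accounts (review)' ($others.Count -eq 0) (($others.Name) -join ', ')

    # Item 10: at least eight characters, with complexity enforced by policy.
    $policy = Get-PasswordPolicy
    $minLen = $policy['MinimumPasswordLength']
    $complex = $policy['PasswordComplexity']
    $findings += New-Finding 'Minimum password length >= 8' ($minLen -ge 8) "value=$minLen"
    $findings += New-Finding 'Password complexity enforced' ($complex -eq 1) "value=$complex"

    # Item 11: Remote Registry service disabled (one way to limit remote access).
    $rr = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    $rrOk = (-not $rr) -or ($rr.StartMode -eq 'Disabled')
    $findings += New-Finding 'Remote Registry service disabled' $rrOk "start=$($rr.StartMode) state=$($rr.State)"

    # Item 12: IIS must be uninstalled; W3SVC is its web publishing service.
    $iis = Get-CimInstance -ClassName Win32_Service -Filter "Name='W3SVC'"
    $iisDetail = $(if ($iis) { "W3SVC present, state=$($iis.State)" } else { 'W3SVC absent' })
    $findings += New-Finding 'IIS not installed' (-not $iis) $iisDetail

    # Item 15: no user-created disk shares (Type 0; administrative shares have
    # other type values) and NetBIOS over TCP/IP disabled (option value 2).
    $shares = @(Get-CimInstance -ClassName Win32_Share | Where-Object { $_.Type -eq 0 })
    $findings += New-Finding 'No user-created disk shares' ($shares.Count -eq 0) (($shares.Name) -join ', ')
    $nics = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')
    $netbios = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    $findings += New-Finding 'NetBIOS over TCP/IP disabled' ($netbios.Count -eq 0) (($netbios.Description) -join '; ')

    # Item 16: automatic reboot after a system failure.
    $rec = Get-CimInstance -ClassName Win32_OSRecoveryConfiguration
    $findings += New-Finding 'Automatic reboot on system failure' ([bool]$rec.AutoReboot) "AutoReboot=$($rec.AutoReboot)"

    $findings
}

Test-ServerHardening | Format-Table -AutoSize -Wrap
```

A row with Pass set to False is a prompt for review rather than proof of a problem; for example, the casuser account that the installer creates appears under the enabled-accounts check after installation.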

Readiness Checklist for Installation

You must complete the following tasks before you install Security Manager.

Readiness Factor

Caution A server can be vulnerable to attack when you uninstall or disable security applications.

1. Disable security applications temporarily. For example, you must temporarily disable any antivirus software on the target server before you install Security Manager. Installation cannot run while these programs are active.

Caution You will invalidate the SSL certificate on your server if you set the server date and time outside the range of time in which the SSL certificate is valid. If the server SSL certificate is invalid, the DCRServer process cannot start.

2. Carefully consider the date and time settings that you apply to your server. Ideally, use an NTP server to synchronize the server date and time settings with those of the devices you expect to manage. Also, if you use Security Manager in conjunction with a Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance, the NTP server that you use should be the same one that your Cisco Security MARS appliance uses. Synchronized times are especially important in Cisco Security MARS because timestamp information is essential to accurately reconstruct what transpires on your network.

Tip If a change to the date and time settings on your server invalidates the SSL certificate, a “java.security.cert.CertificateNotYetValidException” error is visible in your NMSROOT\log\DCRServer.log file, where NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files\CSCOpx.

3. Confirm that required services and ports are enabled and available for use by Security Manager. See Required Services and Ports, page 2-2.

4. If Terminal Services is enabled in Application Mode, then disable Terminal Services and reboot the server. Installation of Security Manager on a system with Terminal Services enabled in Application Mode is not supported. Terminal Services enabled in Remote Administration Mode is supported.

If Terminal Services is enabled on the target server in Application mode when you try to install Security Manager, an error will stop the installation.

5. Disable any domain controller service (primary or backup) that is running.

6. Confirm that the target directory for installation is not encrypted. Any attempt to install Security Manager in an encrypted directory will fail.

7. If you are performing a fresh install, you should place your license file on the target server prior to installation. You will be prompted to select this file during installation.

8. If you have not done so already, uninstall IIS. It is not compatible with Security Manager.

9. Disable every active instance of Sybase on your server, including Cisco Secure ACS for Windows if it is present. You can choose whether to reenable or restart Sybase after you install Security Manager, but remember we do not support the coexistence of Security Manager on the same server with Cisco Secure ACS for Windows.

10. If you are upgrading from a previous version of Security Manager, commit or discard all uncommitted changes and then back up your database before upgrading. You must make sure that the Security Manager database does not contain any pending data. For instructions, see Uninstalling and Reinstalling Server Applications, page 4-6.

11. You can upgrade to Security Manager 3.2 from the following previous versions:

3.0.2, 3.0.2 SP1, 3.1, 3.1.1, 3.1.1 SP1 and SP2

CHAPTER 4

Installing, Uninstalling, and Reinstalling Server Applications

This chapter describes the tasks that you must perform to install, uninstall, or reinstall Security Manager applications. It contains these major sections:

• Installing Server Applications, page 4-1

• Uninstalling and Reinstalling Server Applications, page 4-6

Note The installation details in this chapter apply only if you are performing a fresh installation of Security Manager 3.2. If you are upgrading from an earlier version of Security Manager to 3.2, see Chapter 5, “Upgrading and Downgrading Server Applications”.

Installing Server Applications

Tip To learn how to uninstall or reinstall Security Manager, see Uninstalling and Reinstalling Server Applications, page 4-6.

You can install Security Manager 3.2 server software directly, or you can use the installation utility to upgrade the software on a server where an earlier Security Manager version is installed. For detailed information about upgrades, see Uninstalling and Reinstalling Server Applications, page 4-6.

Before You Begin

• Read the Readiness Checklist for Installation, page 3-4.

• For supported OS versions, see Server Requirements, page 2-3.

• We recommend that you install Security Manager on a dedicated server in a controlled environment. Installing other software applications can interfere with the normal operation of Security Manager and is not supported.

• Security Manager 3.2 requires that you use Common Services 3.1. Therefore, if you upgrade from an earlier Security Manager version, the installed Common Services version is also upgraded.

• Although Common Services enables you to configure Security Manager server to run in normal mode, we recommend that you enable browser-server security mode or SSL on your Security Manager server so that communication between the server and the client is secure.

• If you obtained a base license for Security Manager (see Effects of Licensing on Installation, page 1-6), move a copy of the license file to your server. Security Manager sees only the local volumes, not the mapped drives, when you browse directories on your server.

Step 1 Follow the instructions that apply to your installation:

Installing from the DVD:

Insert the Security Manager installation DVD in the Windows server DVD drive:

• If autorun is enabled, the installer opens automatically.

• If autorun is not enabled, open the csm3_2_0_win_server folder, double-click Setup.exe, and then click Yes to confirm that you are installing or upgrading Security Manager.

Installing from Cisco.com:

a. Go to http://www.cisco.com/go/csmanager, then click Download Software.

b. Download both the documentation and the self-extracting software installation utility for Cisco Security Manager 3.2.

Note Save the installation utility on a disk that is local to your server. Installation cannot succeed over a network connection to a remote volume, even if installation seems to succeed.

c. Print and read the documentation to learn what important considerations might affect your installation.

d. Follow the instructions in the documentation for decompressing and starting the installation utility.

The InstallShield Wizard extracts files to a temporary directory and checks their integrity while it constructs the Cisco Security Manager Setup application, which starts automatically.

Tip If an error message says the file contents cannot be unpacked, we recommend that you empty the Temp directory, scan for viruses, delete the C:\Program Files\Common Files\InstallShield directory, then reboot and retry. See also Changing the Default Location for Temporary Files, page C-3.

Tip If you reinstall any applications, or install applications in addition to applications that you installed previously, or if you upgrade your installed applications, the Security Manager server performs a full, mandatory backup before you can advance beyond this step.

Step 2 Click Next in the Welcome screen of the wizard. The Software License Agreement screen is displayed.

Step 3 Click Yes to agree to the License Agreement. If you decline the terms of the license, setup stops and installation does not occur. The installation program checks the name lookup and Dynamic Host Configuration Protocol (DHCP).

Step 4 The Security Manager installer displays a warning if it detects any dynamic IP addresses on the target server. Click Yes to continue installation. Alternatively, click No to stop the setup, assign a static IP address and then restart the server.

Note If the server has more than one IP address, you do not need to disable any of the multiple network interface cards before installation. Dynamic addresses are not supported.

Step 5 The Backup Data screen is displayed only if you are not performing a fresh install of Security Manager on the server. Enter the full folder pathname in which to save the backup.

Alternatively, click Browse to navigate to a folder other than default. The Select Backup Folder dialog box is displayed.

Note If this screen appears, the backup is mandatory. You cannot complete the installation, reinstallation, or upgrade until you create a server backup.

Step 6 From the hierarchical tree, select a folder in which to save the backup. If you want to choose a different drive from what is displayed, select a local drive from the drop-down list or click Network to select a volume on the network.

The full pathname of the selected folder in the Directories tree is displayed in the Path field. Click OK to continue.

Step 7 The Choose Destination folder screen is displayed if you are performing a first-time installation or if Common Services is not already installed on your server. If you want to navigate to a folder other than the default, click Browse to make your selection and then click OK to confirm. Click Next to continue.

Note We recommend that you use the default folder location. If a reinstallation fails because files remain in the folder that you use, you can manually back up and delete all such files, then delete all subfolders from the folder so that it is empty when you retry the reinstallation. If you specify a folder other than the default folder, make sure that it does not contain any files and has fewer than 256 characters in its pathname.

Step 8 If the folder you selected is not empty, an error message is displayed.

If you select Choose another folder to install Cisco Security Manager and click Next, setup returns to the Choose Destination Folder screen. Alternatively, if you select Use selected folder to install Cisco Security Manager and click Next, setup continues.

Step 9 The Select Components screen is displayed. Select the check boxes next to the applications that you want to install on the server. Click Next to continue.

Note If you do not choose to install the client from this screen, you can download and install the client software installer later from the server home page. If you want to run RME on a different server than the one in which you want to run Security Manager server, you need to select only Common Services in addition to RME from the component selection screen of the server installation wizard.

Step 10 The System Requirements screen is displayed with the system requirements, available space in the drive and Temp Directory (%TEMP%), and available memory. Click Next to continue.

Step 11 If you are installing Security Manager (rather than upgrading it), the Licensing Information screen is displayed.

Select one of the following:

• License File Location—Enter the full pathname of the license file or click Browse to find it. If you have more than one license file, specify the base license. You can specify the permanent license file if you have previously staged it on the server.

• Evaluation Only—Enables the free 90-day evaluation period.

Note If you use the Professional Edition of Security Manager (see Effects of Licensing on Installation, page 1-6), see the Installing Security Manager License Files topic in the User Guide for Cisco Security Manager 3.2 for information about installing any additional device license increments that you buy.

Click Next to continue. If you are not installing Common Services, go to Step 12. Otherwise, the following screens are displayed to enable you to configure the admin, System Identity, and casuser accounts.

a. The Change Admin Password screen is displayed. Enter the password to associate with the admin username and confirm it. Click Next to continue.

Note The admin account can see everything in the Security Manager GUI and has full read/write privileges for all tasks and options.

Tip Passwords must be at least 5 characters long, but longer passwords are more secure.

b. The Change System Identity Account Password screen is displayed. Enter a password to associate with the System Identity account username and confirm it. Click Next to continue the setup. Click Yes when prompted to confirm your creation of the System Identity account. If you are installing Common Services on the system for the first time, the Create casuser screen is displayed.

Note In a multi-server environment, you must configure all systems that are part of your multi-server setup with the same System Identity Account password. The System Identity account can see everything in the Security Manager GUI and has full read/write privileges for all tasks and options.

c. Click No to exit the installation and create casuser yourself and rerun the installation. Alternatively, click Yes to allow the installation program to create the local user casuser.

Note The casuser account can see everything in the Security Manager GUI and has full read/write privileges for all tasks and options.

Step 12 The Summary screen is displayed, showing the summary of settings for the installation. If you want to view passwords and other security sensitive data, click Show Details.

If you click Show Details, the Security Alert dialog box appears.

• Click Yes in the Security Alert dialog box to view the Summary page with the passwords and other security sensitive data in cleartext. You can select and copy the data from the Summary page.

• Click Hide Details to hide the details.

Click Next to continue the setup. Click Yes when prompted to confirm your creation of the casuser account.

Tip After you click Next, an error message might tell you that files are running in another process and cannot be stopped automatically, but must be stopped before the installation can succeed. In this case, stop all applications, close all browsers, close all CLI prompts, then try again. If the message persists, restart the server and try again.

Step 13 Click Finish.

Setup installs and configures the selected components.

Step 14 Restart the server.

Your Security Manager server is now:

• Available as a source from which to download the dedicated Security Manager client application. See Chapter 6, “Installing or Uninstalling Security Manager Client.”

• Protected by the standalone version of Cisco Security Agent. See Cisco Security Agent, page 1-5, and see Appendix B, “Cisco Security Agent: Standalone Agent Overview.”

If you expect to import data from a preexisting installation of IPS MC, first see Importing IPS MC 2.2 Data, page C-4.

Note If you perform a fresh installation of Security Manager 3.2 server, a bundle name might appear as “nu” with the version as “l.l” in the Bundles Installed table of the Software Updates page in the Common Services 3.1 GUI. You can ignore this entry as it does not refer to any valid bundle installed on your system.

Caution If McAfee VirusScan is installed on your server and if you will install RME, now that Security Manager is installed, you must first:

1. Confirm that VirusScan is running.

2. Confirm that the VirusScan feature called “On-Access Scan” is running.

If VirusScan is installed but turned off, or if its On-Access Scan feature has been turned off, problems might prevent you from installing RME. In addition, any RME installations that fail for this reason might prevent Security Manager from operating correctly on your server. To work around these problems:

1. Reinstall Security Manager.

2. Start the VirusScan software.

3. Start the On-Access Scan feature in VirusScan.

4. Reinstall RME.

For information about the files that are installed on your server and the locations to which they are saved, see Locations of Installed Files on Servers, page 1-7.
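Several conditions from the readiness checklist and from Steps 1, 4, and 7 can be verified before the installer is started. The following read-only PowerShell preflight is an added example, not part of the Cisco guide; it assumes PowerShell 3.0 or later, the function names are this example's own, and the license file path in the sample run is a constructed placeholder.

```powershell
#Requires -Version 3.0
# Added example (not Cisco code): read-only preflight for a Security Manager install.
# Assumptions: PowerShell 3.0+; C:\Program Files\CSCOpx is the default NMSROOT
# named in the guide; all function names here are hypothetical.

function Test-LocalVolume {
    # Installer and license files must be on a local volume, not on a UNC path
    # or a mapped network drive.
    param([Parameter(Mandatory)][string]$Path)
    $full = [IO.Path]::GetFullPath($Path)
    if ($full.StartsWith('\\')) { return $false }
    $drive = New-Object System.IO.DriveInfo ([IO.Path]::GetPathRoot($full))
    return ($drive.DriveType -ne [IO.DriveType]::Network)
}

function Test-InstallFolder {
    # Destination folder for a fresh install: pathname shorter than 256
    # characters, not encrypted, and empty if it already exists.
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()
    $full = [IO.Path]::GetFullPath($Path)
    if ($full.Length -ge 256) {
        $problems += "pathname has $($full.Length) characters (must be fewer than 256)"
    }
    if (Test-Path -LiteralPath $full) {
        $item = Get-Item -LiteralPath $full -Force
        if ($item.Attributes -band [IO.FileAttributes]::Encrypted) {
            $problems += 'folder has the Encrypted attribute set'
        }
        if (@(Get-ChildItem -LiteralPath $full -Force).Count -gt 0) {
            $problems += 'folder is not empty'
        }
    }
    $problems
}

function Test-HostReadiness {
    $problems = @()
    # Step 4: dynamic addresses are not supported.
    $dhcp = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
        Where-Object { $_.DHCPEnabled })
    foreach ($nic in $dhcp) {
        $problems += "dynamic (DHCP) address on '$($nic.Description)'"
    }
    # Checklist item 5: DomainRole 4 = backup, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        $problems += "host is a domain controller (DomainRole=$role)"
    }
    $problems
}

function Get-CertClockError {
    # On an existing server: lines in DCRServer.log showing that a clock change
    # moved the server time before the start of the SSL certificate's validity.
    param([string]$NmsRoot = 'C:\Program Files\CSCOpx')
    $log = Join-Path $NmsRoot 'log\DCRServer.log'
    if (-not (Test-Path -LiteralPath $log)) { return }
    Select-String -LiteralPath $log -SimpleMatch 'java.security.cert.CertificateNotYetValidException' |
        Select-Object LineNumber, Line
}

# Sample run. The license path is a constructed placeholder.
$license = 'C:\Staging\csm_base.lic'
[pscustomobject]@{
    LicenseOnLocalVolume = Test-LocalVolume -Path $license
    FolderProblems       = (Test-InstallFolder -Path 'C:\Program Files\CSCOpx') -join '; '
    HostProblems         = (Test-HostReadiness) -join '; '
    CertClockErrors      = @(Get-CertClockError).Count
} | Format-List
```

On a fresh install the folder check should report nothing; on an upgrade or reinstall a non-empty CSCOpx folder is expected, and the certificate check is the one that applies.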

Uninstalling and Reinstalling Server Applications

Note • To learn which data files are essential to Common Services operation and understand how to create archives of that data, see the Common Services documentation on Cisco.com.

• If you reinstall any applications, the Security Manager server performs a full, mandatory backup before you can continue.

To uninstall or reinstall applications on your server, see:

• Uninstalling Server Applications, page 4-6

• Reinstalling Server Applications, page 4-8

Uninstalling Server Applications

This section describes how you can uninstall Security Manager and its related applications from your server. If you want to upgrade your server to Security Manager 3.2 from an earlier release using the backup and restore method, you must uninstall the previous release before installing 3.2 to restore the database.

Note The standalone version of Cisco Security Agent is not affected in any way if you uninstall Common Services, Security Manager, or AUS. You must uninstall the standalone agent separately. See Uninstalling the Standalone Agent, page B-3.

Before You Begin

• We recommend that you back up copies of all essential data files from your server before you uninstall Security Manager. See the “Backing up and Restoring the Security Manager Database” section in the “Managing the Security Manager Server” chapter of the User Guide for Security Manager 3.2.

• If any version of Windows Defender (which was known in its public beta test versions as both Microsoft AntiSpyware and Giant AntiSpyware) is installed, you must disable it before you try to uninstall Security Manager. Otherwise, the uninstallation application cannot run.

Step 1 Select Start > Programs > Cisco Security Manager > Uninstall Cisco Security Manager.

Step 2 From the list of applications, select one or more applications to uninstall.

Step 3 Click Next twice.

The uninstaller removes the applications that you selected.

Note If a Windows command line prompt window is open in \CSCOpx\bin when you uninstall server applications, the uninstaller cannot delete \CSCOpx\bin. In this case, you can choose whether and how to delete the directory.

Step 4 Only after you uninstall Security Manager, Common Services, and all their related applications, assuming that you choose to uninstall all server applications:

a. If a folder exists at C:\Program Files\CSCOpx, either delete, move, or rename the folder.

b. If the C:\CMFLOCK.TXT file exists, delete it.

c. Use a Registry editor to delete these Registry entries before you try to reinstall Security Manager or any of its related applications:

• My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager

• My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\MDC

Tip Although no reboot is required, we recommend that you reboot the server after an uninstallation so that Registry entries and running processes on the server are in a suitable state for a future reinstallation.

Note If the uninstallation causes an error, see Problems During Uninstallation, page A-5. For additional information about uninstallation error messages, see the “Troubleshooting and FAQs” chapter in Installing and Getting Started With CiscoWorks LAN Management Solution 3.0: http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.0/install/guide/IGSG.html.

Step 5 (Optional) If you disabled Windows Defender before uninstalling Security Manager, you can choose now whether to reenable it.

Tip If you uninstalled Performance Monitor or any other supported CiscoWorks application that was not installed automatically when you installed Security Manager, you might see that a Windows shortcut for it is still visible in your Start > Programs menu. In this case, you can right-click the shortcut and select Delete from the shortcut menu.

Reinstalling Server Applications

Your server will perform a full and mandatory backup when you select the required options to reinstall any Security Manager-related applications.

If you install Common Services and Security Manager on a server, then reinstall Common Services later, you must also reinstall Security Manager.

Note During reinstallation, you might see a warning message that says:

The application that you are installing requires new tasks to be registered with ACS. If you have already registered this application with ACS from another server, you do not need to register it again. However if you re-register the application, you will lose any custom roles that you had created earlier for this application in ACS.

In this case, log in to your Cisco.com account and see “Impact of Installing CiscoWorks Applications in ACS Mode” in Installing and Getting Started With CiscoWorks LAN Management Solution 3.0, at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.0/install/guide/IGSG.html.

Step 1 If you are reinstalling because a problem on your server corrupted your Security Manager database, you must run restorebackup.pl.

Step 2 To reinstall one or more Security Manager server applications, see Installing Server Applications, page 4-1.

CHAPTER 5

Upgrading and Downgrading Server Applications

This chapter describes how to upgrade and downgrade Security Manager applications. It contains these major sections:

• Upgrading Server Applications, page 5-1

• Retrieving Certificates After Upgrading from 3.0.2 to 3.2 Using Perl Scripts, page 5-6

• Migrating AUS and Configuration Engines, page 5-8

• Migrating Catalyst 6500 and Cisco 7600 Chassis, page 5-9

• Migrating IPS Sensors, page 5-10

• Upgrading IPS Manager 3.0.2 Data, page 5-11

• Obtaining Service Packs and Point Patches, page 5-12

• Downgrading Server Applications, page 5-12

Upgrading Server Applications

Security Manager supports two types of upgrades, namely, inline and backing up and restoring of data. Inline upgrade refers to running the installation for the version to which you want to upgrade without uninstalling the previous version of Security Manager from a server. Upgrade using backup and restore refers to backing up the database from the server running a previous version of Security Manager and restoring the backed up data on the server you want to upgrade after installing the later version of Security Manager. If you are performing an upgrade using the backup and restore method on the same server, you must uninstall the previous version after backing up the data and then perform restoration of the database after installing the new version.

Note Security Manager 3.2 requires that you use Common Services 3.1. Therefore, if you upgrade from an earlier Security Manager version, the installed Common Services version is also upgraded. You can upgrade to Security Manager 3.2 from any of the following previous versions: 3.0.2, 3.0.2 SP1, 3.1, 3.1.1, 3.1.1 SP1 and SP2

The following sections describe the procedure to upgrade to Security Manager 3.2 using inline and backup and restore methods:

• Upgrading to Security Manager 3.2 Using Inline Method, page 5-2

• Upgrading to Security Manager 3.2 by Backing Up and Restoring the Database, page 5-4

Upgrading to Security Manager 3.2 Using Inline Method

The following procedure describes how to use the inline method to upgrade to Security Manager 3.2 on a server where Security Manager 3.0.2, 3.1, or 3.1.1 is installed.

Step 1 Before you can successfully upgrade to Security Manager 3.2, you must make sure that the existing Security Manager database does not contain any pending data, meaning data that has not been committed to the database. If the existing Security Manager database contains pending data, you must commit or discard all uncommitted changes before upgrading:

a. In non-Workflow mode:

– To commit changes, select File > Submit.

– To discard uncommitted changes, select File > Discard.

Note If there are multiple users with pending data, the changes for those users must also be committed or discarded. If you need to commit or discard changes for another user, you can take over that user’s session. To take over a session, select Tools > Security Manager Administration > Take Over User Session, select the session, and click Take Over Session.

b. In Workflow mode:

– To commit changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Submit.

Note If you have enabled the activity approval requirement, you must also approve all activities after submitting. To approve an activity, select Tools > Activity Manager. From the Activity Manager window, select an activity and click Approve.

– To discard uncommitted changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Discard. Only an activity in the Edit or Edit Open state can be discarded.

Step 2 To upgrade in place, simply run the installer for Security Manager 3.2. For step-by-step instructions, see Installing Server Applications, page 4-1.

Perform one or all of the following, depending on the Security Manager version from which you upgraded and the types of devices that you are managing.

• If you have used Security Manager 3.0.2 or 3.0.2 SP1 to manage Catalyst 6500 Series switches or Cisco 7600 Series routers, see Migrating Catalyst 6500 and Cisco 7600 Chassis, page 5-9, for important steps that we recommend you complete after the upgrade.

• If you have used Security Manager 3.0.2 or 3.0.2 SP1 to manage IPS sensors, see Migrating IPS Sensors, page 5-10 to retrieve the inventory information for such sensors to the Security Manager database.

• If you have used an earlier version of Security Manager to manage devices that were configured to receive configuration updates from AUS and Configuration Engines, see Migrating AUS and Configuration Engines, page 5-8 to import these servers into Security Manager after upgrade.

Step 3 After you upgrade Security Manager, overwrite the existing version of the Security Manager client on your client system by running the 3.2 version of the client installation software. For instructions, see Chapter 6, “Installing or Uninstalling Security Manager Client.”

If you selected the option to install the client software from the component selection screen of the server installation wizard, the 3.2 version of the client is already available on your system.

Known Problem

This section contains information about a problem known to exist in Cisco Security Manager 3.2.

Identifier: CSCso48972

Headline: Upgrade:3.0.2SP1 to 3.2 - Client Installer link on CSMS homepage fails

Symptom: HTTP “403 Forbidden” error when user tries to download Cisco Security Manager Client Installer from Cisco Security Management Suite (CSMS) Web page.

Conditions: Upon Cisco Security Manager 3.0.2 SP1 upgrade to Cisco Security Manager 3.2

Workaround:

Please use one of the following three workarounds.

Workaround No. 1—Server-side workaround (a permanent fix for all remote Cisco Security Manager clients—recommended)

Step 1 Log in to CiscoWorks using the link “https://SERVER-IP” as “admin”.

Step 2 Browse to CSMS HomePage > Server > Security, and then click “Browser-Server Security Mode Setup” in the TOC.

Step 3 Click Apply.

Step 4 Restart the Cisco Security Manager Daemon Manager or restart the server.

Step 5 Log in to CiscoWorks, which is now running in http mode, using the link “http://SERVER-IP:1741” as “admin”.

Step 6 Browse to CSMS HomePage > Server > Security, and then click “Browser-Server Security Mode Setup” in the TOC.

Step 7 Click Apply.

Step 8 Restart the Cisco Security Manager Daemon Manager or restart the server.

Step 9 Log in to CiscoWorks, which is now running in https mode, using the link “https://SERVER-IP” as “admin”.

Step 10 Click CSM Client Installer on the CSMS home page, and then proceed with Save.

Workaround No. 2—Client-Side Workaround with DVD available (a per-client fix)

Step 1 Using the Cisco Security Manager 3.2 DVD, choose the Install option.

Step 2 Select the option to install the Cisco Security Manager 3.2 Client and proceed.

Workaround No. 3—Client-Side Workaround without DVD available (a per-client fix)

Step 1 In the browser with the “403 Forbidden” error, change the link in the address bar as follows: replace the protocol “http” with “https” and remove the “:1741” port number. The link should then look similar to “https://SERVER-IP/desktop/CSMClientSetup.exe”.

Step 2 Press Enter. A popup appears prompting you to save or run the installer.

Upgrading to Security Manager 3.2 by Backing Up and Restoring the Database

The following procedure describes how to back up the database on a server where Security Manager 3.0.2, 3.1, or 3.1.1 (or any of its related applications) is installed and restore it after installing Security Manager 3.2 on the server.

Step 1 Before you can successfully upgrade to Security Manager 3.2, you must make sure that the existing Security Manager database does not contain any pending data, meaning data that has not been committed to the database. If the existing Security Manager database contains pending data, you must commit or discard all uncommitted changes before upgrading:

a. In non-Workflow mode:

– To commit changes, select File > Submit.

– To discard uncommitted changes, select File > Discard.

Note If there are multiple users with pending data, the changes for those users must also be committed or discarded. If you need to commit or discard changes for another user, you can take over that user’s session. To take over a session, select Tools > Security Manager Administration > Take Over User Session, select the session, and click Take Over Session.

b. In Workflow mode:

– To commit changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Submit.

Note If you have enabled the activity approval requirement, you must also approve all activities after submitting. To approve an activity, select Tools > Activity Manager. From the Activity Manager window, select an activity and click Approve.

– To discard uncommitted changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Discard. Only an activity in the Edit or Edit Open state can be discarded.

Step 2 Create a backup of the database for Security Manager 3.0.2, 3.1, or 3.1.1 by selecting Tools > Backup.

Note If network management applications, such as Tivoli, were used to install Cygwin on the same system where a Security Manager server was installed, backup of the Security Manager database fails. You cannot perform a backup of the database on Security Manager servers placed across sites or locations by using a mapped network drive.

Step 3 Uninstall Security Manager 3.0.2, 3.1, or 3.1.1. See Uninstalling and Reinstalling Server Applications, page 4-6.

If you want to restore the backed up database on a different server than the one running Security Manager 3.0.2, 3.1, or 3.1.1, skip this step and proceed to Step 4.

A version of Cisco Security Agent is installed on your Security Manager server. When you explicitly uninstall Security Manager, the Cisco Security Agent software remains on your server.

• If Cisco Security Agent is the fully configurable, commercial version, it will never be overwritten by a Security Manager installation or uninstallation.

• If Cisco Security Agent is the customized and standalone version, with predefined policies that you cannot change, it will be overwritten only when you install a new Security Manager version.

• You can uninstall Cisco Security Agent manually, but we recommend that you do not. See Uninstalling the Standalone Agent, page B-3.

Step 4 Install Security Manager 3.2. See Installing Server Applications, page 4-1.

Step 5 Restore the database from the backup corresponding to the version to which you want to upgrade. See Restoring the Security Manager Database, page 5-5.

Perform one or all of the following, depending on the Security Manager version from which you upgraded and the types of devices that you are managing.

• If you have used Security Manager 3.0.2 or 3.0.2 SP1 to manage Catalyst 6500 Series switches or Cisco 7600 Series routers, see Migrating Catalyst 6500 and Cisco 7600 Chassis, page 5-9, for important steps that we recommend you complete after the upgrade.

• If you have used Security Manager 3.0.2 or 3.0.2 SP1 to manage IPS sensors, see Migrating IPS Sensors, page 5-10 to retrieve the inventory information for such sensors to the Security Manager database.

• If you have used an earlier version of Security Manager to manage devices that were configured to receive configuration updates from AUS and Configuration Engines, see Migrating AUS and Configuration Engines, page 5-8 to import these servers into Security Manager after upgrade.

Restoring the Security Manager Database

You can restore your database by running a script from the command line. You have to shut down and restart CiscoWorks while restoring data. This procedure describes how you can restore the backed up Security Manager database on your server. Make sure you have the correct permissions, and do the following:

Step 1 Stop all processes by entering the following at the command line:

net stop crmdmgtd

Step 2 Restore the database by entering:

NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h]

where:

• NMSROOT—(Required) Environment variable containing full pathname of the Common Services installation directory (by default, C:\Program Files\CSCOpx, where C: is the System Drive).

• -t temporary_directory—(Optional) This is the directory or folder used by the restore program to store its temporary files. By default this directory is NMSROOT/tempBackupData. You can customize this by specifying your own temporary directory to avoid overloading NMSROOT.

• -d BKP—(Required) The backup directory to use.

• -h—(Optional) Provides help. When used with -d BackupDirectory, shows the correct syntax along with available suites and generations.

To restore the most recent version, enter the following command:

NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory

For example, -d drive:\var\backup\

Step 3 To verify that the database was restored, examine the log file in the following location:

NMSROOT\log\restorebackup.log

Step 4 Restart the system by entering:

net start crmdmgtd

Retrieving Certificates After Upgrading from 3.0.2 to 3.2 Using Perl Scripts

When you upgrade a Security Manager 3.0.2 server to 3.2 by backing up and restoring the database, the certificate thumbprints of the devices added to the Security Manager inventory are preserved in the 3.2 certificate data store if certificate authentication was enabled in 3.0.2. However, if you did not enable certificate authentication in the 3.0.2 server, certificate validation for devices using SSL is disabled in 3.2 and device certificate thumbprints are not saved in the 3.2 certificate data store.

If you disabled certificate authentication for devices in 3.0.2 and want to enable certificate authentication for those devices after upgrading to 3.2, you can run perl scripts from the Security Manager server CLI to retrieve device certificates to the Security Manager certificate data store. You can either choose to retrieve certificate thumbprints and add them to Security Manager in a single step, or perform this operation using two separate scripts. The following two scripts enable you to add certificates to Security Manager quickly in bulk without having to manually retrieve them for each device.

• getCerts.pl—Exports device credentials to a .csv file from DCR and saves it at the specified location on the Security Manager server. You can use this script with the [-a] argument to add the exported credentials to the Security Manager certificate store, or add the certificates to Security Manager as a separate step by running the loadCerts.pl script.

Note Use the [-a] argument only if you trust the validity of the certificates retrieved from the devices.

• loadCerts.pl—Loads certificates to Security Manager from the CSV file generated using the getCerts.pl script.

After running these scripts to load certificates to the Security Manager certificate store, you can enable certificate authentication for the devices for which it is disabled from the Device Communication settings window.

To retrieve device certificates from live devices and add them to the Security Manager database after you upgrade to 3.2, follow these steps.

Before You Begin

• You must be logged in to Security Manager as an administrator to run this script.

• To export device credentials using DCR, from the CiscoWorks home page, select Common Services > Device and Credentials > Device Management. You must select CSV as your output file format while exporting credential details. For more information, see the User Guide for CiscoWorks Common Services 3.1.

• Before you add the device certificate to Security Manager, check whether the certificate is authentic by verifying its attributes such as the validity period, end-host identity information, encryption keys that will be used for secure communications, and the signature of the issuing Certificate Authority. If you run the getCerts.pl script with the [-a] argument, you might want to verify the validity of the certificates before running the script because the certificates are automatically added to Security Manager when the script finishes running.

Step 1 Open the Windows command prompt on the Security Manager server.

Step 2 Navigate to the directory NMSROOT\CSCOpx\bin, where NMSROOT is the Security Manager installation directory. For example, enter cd C:\Progra~1\CSCOpx\bin if C:\Progra~1\CSCOpx\ is the directory where you installed Security Manager.

Step 3 Enter getCerts.pl [-h] [-v] [-a] <input_csv_file> <output_cert_file>

where:

• [-h]—(Optional) Displays the help associated with this utility, along with usage guidelines.

• [-v]—(Optional) Specifies verbose mode.

• [-a]—(Optional) Enables Security Manager to automatically obtain device certificates from live devices and load the thumbprints into the Security Manager certificate data store.

• <input_csv_file>—(Required) Specifies the name of the file to which a list of devices is exported from DCR in CSV format.

• <output_cert_file>—(Required) Specifies the location and name of the file in which device certificate details are saved.

If you run the getCerts.pl script without specifying the [-a] argument, you can view and modify the output file to remove certificate details for any device.
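The review that this step allows (run getCerts.pl without [-a], inspect the output, then load) can be scripted as a comparison against thumbprints collected out of band, for example read from each device's console. The following Python is an added example, not part of the Cisco guide or of getCerts.pl. The two-column device,thumbprint layout, the device names, the sample values, and SHA-1 as the thumbprint algorithm are assumptions, because the page does not describe the output file format.

```python
"""Compare retrieved device certificate thumbprints with an out-of-band
reference before loading them into a certificate store (added example)."""
import csv
import hashlib
import io
import ssl

HEX_DIGITS = set("0123456789abcdef")

# Constructed sample data. The device,thumbprint layout is an assumption.
RETRIEVED_CSV = """\
# retrieved over the network (constructed values)
fw-edge-01,11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
FW-Edge-02,de ad be ef 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
ips-dmz-01,0123456789abcdef0123456789abcdef01234567
rtr-branch-07,n/a
"""
REFERENCE_CSV = """\
# collected out of band (constructed values)
fw-edge-01,112233445566778899aabbccddeeff0011223344
fw-edge-02,deadbeef00112233445566778899aabbccddee00
rtr-core-01,ffeeddccbbaa99887766554433221100ffeeddcc
"""


def normalize(thumbprint):
    """Lowercase hex with ':', '-' and whitespace removed; ValueError if not hex."""
    cleaned = "".join(c for c in thumbprint.lower() if c not in ":- \t")
    if not cleaned or len(cleaned) % 2 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError("not a hex thumbprint: %r" % thumbprint)
    return cleaned


def thumbprint_of_pem(pem, algorithm="sha1"):
    """Hash of the certificate's DER encoding, for building the reference list
    from certificates exported out of band. The algorithm must match the one
    used for the retrieved thumbprints; SHA-1 is an assumption here."""
    return hashlib.new(algorithm, ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def parse_pairs(csv_text):
    """Read device,thumbprint rows, skipping blank lines and '#' comments."""
    pairs = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) < 2:
            raise ValueError("expected device,thumbprint: %r" % (row,))
        pairs.append((row[0].strip(), row[1].strip()))
    return pairs


def review(retrieved_rows, reference_rows):
    """Classify every device; names compare case-insensitively.
    A malformed reference entry raises ValueError: the reference must be clean."""
    reference = {dev.lower(): normalize(tp) for dev, tp in reference_rows}
    seen = {}      # device -> set of valid thumbprints retrieved for it
    invalid = []   # devices whose retrieved value is not a hex thumbprint
    for dev, tp in retrieved_rows:
        try:
            value = normalize(tp)
        except ValueError:
            invalid.append(dev.lower())
            continue
        seen.setdefault(dev.lower(), set()).add(value)
    report = {"match": [], "mismatch": [], "unverified": [], "invalid": invalid}
    for dev, values in seen.items():
        if dev not in reference:
            report["unverified"].append(dev)   # nothing to compare against
        elif values == {reference[dev]}:
            report["match"].append(dev)
        else:
            report["mismatch"].append(dev)     # differs, or conflicting duplicates
    # In the reference but never retrieved, e.g. the device was unreachable.
    report["missing"] = [d for d in reference if d not in seen and d not in invalid]
    return report


def keep_verified(retrieved_rows, report):
    """Rows that may be loaded: only devices whose thumbprint matched."""
    verified = set(report["match"])
    return [(dev, tp) for dev, tp in retrieved_rows if dev.lower() in verified]


def demo():
    retrieved = parse_pairs(RETRIEVED_CSV)
    report = review(retrieved, parse_pairs(REFERENCE_CSV))
    return report, keep_verified(retrieved, report)


if __name__ == "__main__":
    report, loadable = demo()
    for status, devices in report.items():
        print("%-10s %s" % (status, ", ".join(devices) or "-"))
    print("rows to keep:", loadable)
```

Only the rows returned by keep_verified belong to devices whose retrieved thumbprint equals the reference; mismatch, unverified and invalid entries call for manual inspection before anything is loaded.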

To load device certificates to Security Manager from the file to which they were exported from DCR using the getCerts.pl script, follow these steps.

Before You Begin

• If you ran the getCerts.pl script with the optional [-a] argument, the following procedure is not required because the certificates would have been already added to the certificate data store.

• If the Security Manager server is running when you execute the following script, the script tries to refresh the certificate cache.

• You must be logged in to Security Manager as an administrator to run this script.

Step 1 Open the Windows command prompt on the Security Manager server.

Step 2 Navigate to the directory NMSROOT\CSCOpx\bin, where NMSROOT is the Security Manager installation directory. For example, enter cd C:\Progra~1\CSCOpx\bin if C:\Progra~1\CSCOpx\ is the directory where you installed Security Manager.

Step 3 Enter loadCerts.pl [-h] [-v] [-a] <input_file>

where:

• [-h]—(Optional) Displays the help associated with this utility, along with usage guidelines.

• [-v]—(Optional) Specifies verbose mode.

• [-a]—(Optional) Enables Security Manager to automatically obtain device certificates from DCR and load the thumbprints into the certificate data store.

• <input_file>—(Required) Specifies the name of the file generated by the getCerts.pl script and that contains device certificates. You must specify the same filename you entered in the <output_cert_file> argument while running the getCerts.pl script.

If a device cannot be reached from Security Manager, the certificate for that device is not retrieved when you run the getCerts.pl script. If you ran the script in verbose mode, the action performed by the script when connectivity to a device fails is displayed.

Migrating AUS and Configuration Engines

When you upgrade from a previous version of Security Manager to 3.2, the Auto Update Servers (AUS) and Configuration Engines that are configured in the earlier versions of Security Manager are not available in the 3.2 database. Although devices managed by AUS and CNS are migrated after the upgrade to 3.2, AUS and Configuration Engines are not migrated. As a result, the association of these devices with the AUS and Configuration Engines that manage them is removed. Devices managed by AUS and CNS are displayed with a red X icon partially covering the device icon in the device selection tree. You can either manually create and assign AUS and Configuration Engines to these devices, or add these servers by importing them from an inventory file exported from the CiscoWorks Common Services Device Credential Repository (DCR).

The following procedure describes how you can create and assign AUS and Configuration Engines to devices managed by AUS and CNS after upgrading from a previous version of Security Manager.

Note If you import the servers into Security Manager from an export file, you bypass the procedure described in this section.

Step 1 Install the new Security Manager Client software version on a client system (see Installing Security Manager Client, page 6-8), then use that client system to log in to your upgraded Security Manager server.

Step 2 Click the Device View button on the toolbar. The Devices page appears.

In the device selection tree, a red X partially covers each icon that represents your security appliances and routers to which assignment of AUS and Configuration Engines has been removed after the upgrade.

Step 3 Click any red X icon in the device selection tree. A warning message is displayed stating that AUS and Configuration Engine information was not migrated after the upgrade process. You are prompted to manually reconfigure these servers or use the Add Device from File option in the New Device wizard to import these servers from DCR. Click Yes to add these servers manually. The Device Server Assignment dialog box is displayed.

Alternatively, right-click any red X icon in the device selection tree, then select the Update Server Info option to display the Device Server Assignment dialog box.

Step 4 From the Available Device pane, select a device, or devices from different device groups, or select an entire group, then click >>. The individual device or devices in the selected device group move to the Selected Devices pane.

Step 5 To add a new AUS or Configuration Engine server, select Add Server from the Server drop-down list to open the Server Properties dialog box.

Step 6 After you specify the properties of an Auto Update Server or Configuration Engine, click OK to save the settings and close the Server Properties dialog box.

Step 7 Click OK to save the settings in the Device Server Assignment dialog box. The devices in the Selected Devices pane are assigned to the AUS or Configuration Engine that you added.

Migrating Catalyst 6500 and Cisco 7600 Chassis

Security Manager 3.1 and later differ significantly from earlier releases in their features for managing Catalyst 6500 Series switches and Cisco 7600 Series routers, as well as their associated services modules (blades) and security contexts. Earlier Security Manager versions in the 3.0.x train used features from an embedded variant of CiscoView Device Manager, which versions 3.1 and later do not include. This version offers greater integration and consistency with other Security Manager features.

The installation utility for Security Manager automatically detects if an older Security Manager version is present on your server. In most cases, information from the older Security Manager database is added automatically to the new database as part of the process of upgrading to the newer Security Manager version. However, the new methods for managing 6500 Series and 7600 Series devices are different enough from the old methods that you must do more than simply install the newer Security Manager version, in order to manage these devices in your network.

Step 1 Upgrade from the older Security Manager version to the newer version. See Upgrading Server Applications, page 5-1.

Catalyst 6500 Series switches, Cisco 7600 Series routers, their services modules, and their security contexts are migrated automatically, along with all associated VPN policies and firewall policies. However, old inventory information from earlier Security Manager versions is discarded — including, for example, the records of described interfaces and configured VLANs.

When the installation utility reaches its “Important Instructions” page, it specifies a location on your server from which to access a migration report file. In most cases, the location will be NMSROOT\MDC\log\readme.txt, where NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files\CSCOpx.

Step 2 Open and print the migration report; it contains important information that you should read.

Step 3 Install the new Security Manager Client software version on a client system (see Installing Security Manager Client, page 6-8), then use that client system to log in to your upgraded Security Manager server.

Step 4 To use Device view, click the Device View button on the main toolbar.

You must use Device view, not Policy view.

In the device selection tree, a red X partially covers each of the icons that represent your 6500 Series and 7600 Series chassis, as well as the services modules and security contexts associated with those chassis, as a visual cue to indicate that inventory information is not yet available for them.

Note

• Until you complete this procedure, do not deploy any chassis, services module, or security context that uses a red X icon. If you try, the deployment will fail.

• Other device lists in the Security Manager GUI (such as the lists for deployment and policy assignment) do not include any icons for these chassis, services modules, or security contexts.

Step 5 Click any red X icon in the device selection tree.

Security Manager contacts the live device and automatically retrieves its inventory information. The red X is cleared from the icon. The chassis, services module, or security context is now available to you for deployments from Security Manager.

Migrating IPS Sensors

Security Manager 3.1 and later differ significantly from earlier releases in the features for managing:

• Cisco Intrusion Prevention System (IPS) sensors:

– Appliances

– Switch modules

– Network modules

– Security Service modules (SSMs)

• Cisco IOS IPS devices:

– Cisco IOS routers with IPS-enabled images

– Cisco Integrated Services Routers (ISRs)

Earlier Security Manager versions used features from a helper application called IPS Manager, which this version does not provide. Instead, this Security Manager version has fully integrated IPS management features.

The installation utility for Security Manager automatically detects if an older Security Manager version is present on your server. In most cases, information from the older Security Manager database is added automatically to the new database as part of the process of upgrading to the newer Security Manager version. However, the new methods for managing Cisco IPS sensors and Cisco IOS IPS devices are different enough from the old methods that migration of IPS sensors is not supported when upgrading from a version earlier than 3.1 to 3.1 or later.

Upgrading IPS Manager 3.0.2 Data

To transfer IPS Manager 3.0.2 data to Security Manager 3.2:

Step 1 Before you upgrade to Security Manager 3.2, log in to your system running IPS Manager 3.0.2.

Step 2 Navigate to the Common Services panel from the CiscoWorks or Cisco Security Management Suite home page.

Step 3 Export your IPS devices from the Device Credential Repository (DCR). For detailed instructions on how to export devices from DCR, see the User Guide for CiscoWorks Common Services 3.1 at the following URL:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.1/user/guide/dcr.html#wp1378454.

Step 4 Upgrade your server running IPS Manager 3.0.2 to Security Manager 3.2. See Upgrading Server Applications, page 5-1 for more information.

Step 5 After the upgrade is complete, add your IPS devices to Security Manager 3.2 from the file you exported from DCR by using the “Add Device From File” option in the New Device wizard.

a. Copy the CSV file from Security Manager 3.0.2 to the Security Manager 3.2 server file directory, e.g., C:\temp.

b. Open the Security Manager client and click File > New Device...

c. On step 1 in the panel, choose the last radio button: "Add Device From File"; then click Next.

d. On Step 2, click the "Browse" button at the top of the panel to open a server-side file browser.

e. In the file chooser, select the location of the CSV file that you just copied to the server, e.g. C:\temp, and then pick the CSV file. Make sure the "Files of type" is "Device Credentials Repository (*.csv)".

f. Click OK to dispose of the file chooser.

g. The device(s) should be imported and discoverable in Security Manager 3.2.

Obtaining Service Packs and Point Patches

Caution Do not download or open any file that claims to be a service pack or point patch for Security Manager unless you obtain it from Cisco. Third-party service packs and point patches are not supported.

After you install Security Manager, you might install a service pack or point patch from Cisco Systems to fix bugs, support new device types, or otherwise enhance Security Manager.

• To learn when Cisco has prepared a new, regularly scheduled service pack, and to download any service pack that matters to you, open Security Manager, then select Help > Security Manager Online. Alternatively, point your browser to: http://www.cisco.com/go/csmanager.

• If your organization submits a Cisco TAC service request, TAC will tell you if an unscheduled point patch exists that might solve the problem you have described. Cisco does not distribute Security Manager point patches in any other way.

Service packs and point patches provide server support for client software updates and detect version level mismatches between a client and its server.

Downgrading Server Applications

Security Manager supports downgrading from release 3.2 to release 3.0.2, 3.1, or 3.1.1 (including downgrades to IPS Manager and AUS), but only when you meet all of these conditions:

• You upgraded previously from the relevant release to release 3.2.

• You kept a copy of the backup that Security Manager created when you upgraded.

• You have the installation DVDs for both the old version and the new version.

To downgrade:

Step 1 Uninstall Security Manager 3.2 and AUS 3.2. See Uninstalling and Reinstalling Server Applications, page 4-6.

Step 2 Install Security Manager 3.0.2, 3.1, or 3.1.1 and (optionally) AUS 3.0.2 or 3.1. See Installation Guide for Cisco Security Manager 3.1 or 3.0.2 on Cisco.com.

Step 3 (Optional) If you have an installation DVD for Security Manager 3.1 but not for 3.1.1, obtain the upgrade utility from http://www.cisco.com/go/csmanager, then upgrade from 3.1 to 3.1.1.

Step 4 Restore your database from the backup corresponding to the version to which you want to downgrade. See Restoring the Security Manager Database, page 5-5.

Note Your downgraded copy of Security Manager 3.0.x or 3.1.x includes only the information that you saved before you upgraded to release 3.2. You must ensure that applications that reside with Security Manager on the same server, such as Common Services and RME, are running a version that is compatible with the version to which Security Manager is downgraded. If any of the devices restored from the backed-up database are running a software version that is not supported by the downgraded version of Security Manager, you must revert them to a version supported by Security Manager. Otherwise, such devices are treated as unmanaged devices.


CHAPTER 6

Installing or Uninstalling Security Manager Client

You use Security Manager Client to manage security in your network through an encrypted connection to your Security Manager server, without regard to the physical location of your server.

The topics in this chapter are:

• Client System Browser Best Practices, page 6-1

• Configuring Required Client Settings To Open Browser Windows, page 6-2

• Installing Security Manager Client, page 6-8

• Patching a Client, page 6-11

• Uninstalling Security Manager Client, page 6-12

• Using Security Manager Client To Log In to a Server, page 6-13

Client System Browser Best Practices

Complete the following checklist to avoid problems with the client system browser that you use to:

• Download software installers from your server.

• Open certain applications on your server.

Task

1. Make sure the browser cache is not set to zero. See your browser documentation for instructions.

2. Disable popup blockers. The method varies according to your installed popup blocker. See Configuring Required Client Settings To Open Browser Windows, page 6-2, see your popup blocker documentation for more information, or contact the manufacturer for technical support.


Configuring Required Client Settings To Open Browser Windows

You must manage popup windows carefully on your client system when you access a Security Manager server, or some Security Manager product features might be unavailable to you — including the windows in which you configure server settings or view online help topics. You might have to change browser settings on a client system, and you might have to change settings in third-party utilities.

The topics in this section are our recommendations for managing browser settings and the settings for utilities that can affect popup windows on systems where you use Security Manager Client:

• Configuring Internet Explorer Settings, page 6-2

• Configuring Firefox Settings, page 6-3

• Accessing Online Help Using Internet Explorer, page 6-5

• Enabling and Configuring Exceptions in Third-party Tools, page 6-8

Configuring Internet Explorer Settings

Table 6-1 describes the required Internet Explorer tasks for the different versions of Windows.

Table 6-1 Internet Explorer Configuration Tasks on Client Systems

Windows Server 2003, Windows XP, or Windows Vista

You must allow active content, as follows:

1. Select Tools > Internet Options, then click the Advanced tab.

2. Scroll to the Security section, then select Allow active content to run in files on My Computer.

3. Click OK.

Confirm if the browser security settings enable you to save encrypted pages to disk. If you cannot save encrypted pages, you cannot download the client software installer. To verify that you enabled the required setting, do the following:

1. Select Tools > Internet Options, then click the Advanced tab.

2. Scroll to the Security area, then deselect the Do not save encrypted Pages to Disk check box.

3. Click OK.

Confirm that the size of the disk cache for temporary files is greater than the size of the client software installer that you expect to download. If the cache allocation is too small, you cannot download the installer. To change the cache size, do the following:

1. Select Tools > Internet Options, then click Settings under the General tab.

2. Reserve more space for the cache if the setting is too small, then click OK twice.

We recommend that you manually delete the Temp files on your client system before you download the client software installer. Deleting such files increases the chances that you have enough available space.


Configuring Firefox Settings

The following topics describe the Firefox configuration tasks required to display popup windows when you access the server from your Security Manager client or view the online help:

• Editing the Preferences File, page 6-3

• Editing the Size of the Disk Cache, page 6-3

• Disabling the Popup Blocker or Creating a White List, page 6-3

• Enabling JavaScript, page 6-4

• Displaying Online Help on a New Tab in the Most Recent Window and Reusing Existing Windows on Subsequent Requests, page 6-4

Editing the Preferences File

To edit the preferences file, do the following:

Step 1 From the \Mozilla Firefox\defaults\pref subdirectory, open firefox.js in a text editor, such as Notepad.

Step 2 Add the following: pref("dom.allow_scripts_to_close_windows", true);

Step 3 Save, then close, the edited file.

Editing the Size of the Disk Cache

Confirm that the size of the disk cache for temporary files is greater than the size of the client software installer that you expect to download. If the cache allocation is too small, you cannot download the installer. To change the cache size, do the following:

Step 1 Select Tools > Options, then click Advanced.

Step 2 Reserve more space for the cache if the setting is too small, then click OK.

Disabling the Popup Blocker or Creating a White List

To disable popup blockers, do the following:

Step 1 Select Tools > Options, then click the Contents icon.

Step 2 Deselect the Block pop-up windows check box.

Alternatively, to create a white list of trustworthy sources from which to accept popups, select the Block pop-up windows check box, then click Exceptions and in the Allowed Sites - Popups dialog box:

• Enter http://<SERVER_NAME> (where SERVER_NAME is the IP address or DNS-routable name of your Security Manager server) in the Address of web site field, then click Allow.


• Enter file:///C:/Documents%20and%20Settings/<USER_NAME>/Local%20Settings/Temp/ (where C: is the client system disk drive on which you installed Windows and USER_NAME is your Windows username on the client system), then click Allow.

• Click Close.

Step 3 Click OK.

Enabling JavaScript

To enable JavaScript, do the following:

Step 1 Select Tools > Options, then click the Contents icon.

Step 2 Select the Enable JavaScript check box.

Step 3 Click Advanced, and in the Advanced JavaScript Settings dialog box, select every check box in the Allow scripts to area.

Step 4 Click OK.

Displaying Online Help on a New Tab in the Most Recent Window and Reusing Existing Windows on Subsequent Requests

When you access online help the first time, two new browser windows might be opened: a blank page and a page with help contents. Also, existing browser windows might not be reused during subsequent attempts to access online help. To configure Firefox to display online help on a new tab in the most recently opened browser window and to reuse existing windows on later occasions, follow these steps:

Step 1 In the address bar, enter about:config and press Enter. The list of user preferences is displayed.

Step 2 Double-click browser.link.open_external and enter 3 in the resulting dialog box. This value denotes that links from an external application are opened in a new tab in the browser window that was last opened.

Step 3 Double-click browser.link.open_newwindow and set it to 1. This value denotes that links are opened in the active tab or window.

Step 4 Double-click browser.link.open_newwindow.restriction and set it to 0. This value causes all new windows to be opened as tabs.

Step 5 Close the about:config page.

Note A blank page might be displayed when you open context-sensitive help, even after the browser status bar displays the status as Done. If this problem occurs, wait for a few minutes to allow the content to be downloaded and displayed.


Note When you access online help for the first time, the Website Certified by an Unknown Authority dialog box might appear prompting you to examine and accept the certificate presented by Security Manager if it is not trusted by the browser. You can either accept the certificate for the remainder of the web browsing session or add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires.
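The Firefox procedures above change four preferences: one in firefox.js and three through about:config, which Firefox stores as user_pref() lines in the profile's prefs.js. The following added example (not part of the Cisco guide) parses both files and reports whether each preference has the value the guide asks for; the function names and the sample file contents are constructed for the illustration.

```python
import re

# Values the guide asks for: the first is added to firefox.js, the other
# three are set through about:config.
REQUIRED_PREFS = {
    "dom.allow_scripts_to_close_windows": True,
    "browser.link.open_external": 3,
    "browser.link.open_newwindow": 1,
    "browser.link.open_newwindow.restriction": 0,
}

# Matches pref("name", value); and user_pref("name", value);
PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;$'
)

# Constructed sample input (not taken from a real installation).
SAMPLE_FIREFOX_JS = '''\
// constructed excerpt of firefox.js
pref("dom.allow_scripts_to_close_windows", true);
pref("browser.link.open_newwindow", 3);
'''
SAMPLE_PREFS_JS = '''\
# constructed excerpt of a profile prefs.js
user_pref("browser.link.open_external", 3);
user_pref("browser.link.open_newwindow", 1);
'''


def parse_value(raw):
    """Convert a preference literal to bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    raise ValueError(f"unrecognised preference value: {raw!r}")


def parse_prefs(text):
    """Return {name: value} for every pref()/user_pref() line; last one wins."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#")):
            continue  # blank line or comment
        match = PREF_LINE.match(stripped)
        if match:
            prefs[match["name"]] = parse_value(match["value"])
    return prefs


def audit(defaults_text, user_text=""):
    """Compare effective preferences with REQUIRED_PREFS.

    Returns {name: (status, actual)} with status "ok", "missing" or "mismatch".
    """
    effective = parse_prefs(defaults_text)
    effective.update(parse_prefs(user_text))  # user values override defaults
    report = {}
    for name, expected in REQUIRED_PREFS.items():
        if name not in effective:
            report[name] = ("missing", None)
            continue
        actual = effective[name]
        # Compare type as well as value: in Python True == 1, so a boolean
        # must not satisfy an integer requirement or the reverse.
        same = type(actual) is type(expected) and actual == expected
        report[name] = ("ok" if same else "mismatch", actual)
    return report


if __name__ == "__main__":
    for name, (status, actual) in audit(SAMPLE_FIREFOX_JS, SAMPLE_PREFS_JS).items():
        print(f"{status:9} {name} = {actual!r}")
```

A "missing" result means the preference appears in neither file, so Firefox is using its built-in default rather than the value set in the procedure.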

Accessing Online Help Using Internet Explorer

If you are using Internet Explorer 6.0 or 7.0, online help does not load right away and you are prompted to respond to a series of warning or error messages before it can be displayed. These messages are displayed because of the default security settings of your browser. The following sections describe the actions to take when you access online help for the first time with default browser settings and to import the Security Manager certificate to the root certificate store in your browser:

• Internet Explorer 6.0 Certificate Support for Online Help, page 6-5

• Internet Explorer 7.0 Certificate Support for Online Help, page 6-6

Internet Explorer 6.0 Certificate Support for Online Help

This procedure describes how to load online help for the first time. It also explains how to import the Security Manager certificate to the Internet Explorer 6.0 security store for secure access, without having to reload the certificate every time that you restart the browser.

Note This procedure assumes that your browser is configured with default settings. If you cannot load the online help with the customized browser settings, you can restore them to their defaults and follow this procedure.

Step 1 When you access online help from the application the first time, the following error message appears on the browser information bar:

To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options...

Step 2 To set the browser to allow blocked content, click the here for options link on the Internet Explorer information bar and choose Allow Blocked Content.

Step 3 Select Yes when the Security Warning dialog box displays the following message. This message is not displayed if you already configured Internet Explorer to allow active content. See Configuring Internet Explorer Settings, page 6-2 for more information.

Allowing active content such as script and ActiveX controls can be useful, but active content might also harm your computer. Are you sure you want to let this file run active content?

Step 4 Another warning window appears stating that the security certificate is not fully valid and is not from a known source. Click Yes to accept the certificate presented by the Security Manager server.

Alternatively, click View Certificate to accept the certificate before proceeding. Go to Step 7.

Step 5 On some systems, a warning dialog box prompts you with the following message:


A script on this page is causing Internet Explorer to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort the script?

Click Yes to allow the page to continue downloading. This message is displayed because of the default time that Internet Explorer waits before prompting the user to decide whether to keep running scripts that take excessive time to run. For more information on how to prevent this warning message from appearing, see the “Security Manager Client” chapter in the FAQs and Troubleshooting Guide for Cisco Security Manager 3.2.

The help page is displayed with the table of contents on the left pane and context-sensitive help on the right pane.

Step 6 Double-click the lock icon on the status bar of the browser. The Certificate window is displayed with the General tab selected.

Step 7 Click Install Certificate. The Microsoft Windows Certificate Import Wizard appears.

Step 8 Click Next. The Certificate Store screen of the wizard appears, asking where you want to store the certificate.

Step 9 By default, the Automatic option, which allows the wizard to select the certificate store for this certificate type, is selected. If you want to choose the location to store the certificate or if storing the certificate using the automatically selected folder option fails, click the Place all certificates in the following store radio button and click Browse to select the folder. Click Next. A window appears that states that you successfully imported the certificate.

Step 10 Verify the setting and click Finish. A security warning displays for the import operation.

Step 11 To install the certificate, click Yes. The Import Wizard displays “The import was successful.”

Step 12 Click OK. The next time that you click the View certificates link, the Certification Path tab in the Certificate window displays “This certificate is OK.”

Step 13 Click OK in the Certificate window, which is still displayed.

Step 14 (Optional) If you viewed and accepted the certificate from the Security Alert dialog box, click Yes to close it.

Step 15 To verify that the trust store contains the imported certificate, click Tools > Internet Options in the Internet Explorer toolbar and select the Content tab. Click Certificates and select the Trusted Root Certification Authorities tab. Scroll to find the imported certificate in the list.

After importing the certificate, the browser continues to display the address bar and a Certificate Error status in red. The status persists even if you reenter the hostname, localhost, or IP address or refresh or relaunch the browser.

Internet Explorer 7.0 Certificate Support for Online Help

This procedure describes how to load online help for the first time. It also explains how to import the Security Manager certificate to the Internet Explorer 7.0 security store for secure access, without having to reload the certificate every time that you restart the browser.

Note This procedure assumes that your browser is configured with default settings. If you cannot load the online help with the customized browser settings, you can restore them to their defaults and follow this procedure.


Step 1 When you access online help from the application, the following error message appears on the browser information bar:

To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options...

Step 2 To set the browser to allow blocked content, click the here for options link on the Internet Explorer information bar and choose Allow Blocked Content.

Step 3 Select Yes when the Security Warning dialog box displays the following message. This message is not displayed if you already configured Internet Explorer to allow active content. See Configuring Internet Explorer Settings, page 6-2 for more information.

Allowing active content such as script and ActiveX controls can be useful, but active content might also harm your computer. Are you sure you want to let this file run active content?

Step 4 The browser displays a Certificate Error: Navigation Blocked page to indicate this website is untrusted. To access the server, click Continue to this website (not recommended). The browser displays the address bar and a Certificate Error status in red.

Step 5 On some systems, a warning dialog box prompts you with the following message:

A script on this page is causing Internet Explorer to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort the script?

Click Yes to allow the page to continue downloading. This message is displayed because of the default time that Internet Explorer waits before prompting the user to decide whether to keep running scripts that take excessive time to run. For more information on how to prevent this warning message from appearing, see the “Security Manager Client” chapter in the FAQs and Troubleshooting Guide for Cisco Security Manager 3.2.

The help page is displayed with the table of contents on the left pane and context-sensitive help on the right pane.

Step 6 Click the Certificate Error link at the top of the window. The Untrusted Certificate dialog box is displayed stating that the security certificate presented by this website was not issued by a trusted certificate authority.

Step 7 Click View Certificates. The Certificate window is displayed with the General tab selected.

Step 8 Click Install Certificate. The Microsoft Windows Certificate Import Wizard appears.

Step 9 Click Next. The Certificate Store screen of the wizard appears, asking where you want to store the certificate.

Step 10 By default, the Automatic option, which allows the wizard to select the certificate store for this certificate type, is selected. If you want to choose the location to store the certificate or if storing the certificate using the automatically selected folder option fails, click the Place all certificates in the following store radio button and click Browse to select the folder. Click Next. A window appears that states that you successfully imported the certificate.

Step 11 Verify the setting and click Finish. A security warning displays for the import operation.

Step 12 To install the certificate, click Yes. The Import Wizard displays “The import was successful.”

Step 13 Click OK. The next time that you click the View certificates link, the Certification Path tab in the Certificate window displays “This certificate is OK.”

Step 14 Click OK in the Certificate window, which is still displayed.


Step 15 To verify that the trust store contains the imported certificate, click Tools > Internet Options in the Internet Explorer toolbar and select the Content tab. Click Certificates and select the Trusted Root Certification Authorities tab. Scroll to find the imported certificate in the list.

After importing the certificate, the browser continues to display the address bar and a Certificate Error status in red. The status persists even if you reenter the hostname, localhost, or IP address or refresh or relaunch the browser.
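Both Internet Explorer procedures above end by placing the server's certificate in the trusted root store, so it is worth confirming first that the certificate on screen is the one your server administrator issued. The following added example (not part of the Cisco guide) compares a certificate's thumbprint with a value obtained through a separate channel. The function names, the out-of-band thumbprint and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import re
import ssl

# A thumbprint's length in hex digits identifies the hash that produced it.
ALGORITHM_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}

# Constructed stand-in bytes. In real use this is the DER encoding of the
# certificate, for example the value returned by fetch_presented_certificate().
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def normalize_thumbprint(text):
    """Return the thumbprint as lower-case hex without separators.

    Certificate viewers show thumbprints with spaces or colons between bytes,
    and a value copied from a dialog can carry an invisible left-to-right
    mark (U+200E); all of these are removed before comparing.
    """
    cleaned = re.sub(r"[\s:\u200e]", "", text).lower()
    if len(cleaned) not in ALGORITHM_BY_HEX_LENGTH or not re.fullmatch(
        r"[0-9a-f]+", cleaned
    ):
        raise ValueError(
            "expected a SHA-1 (40 hex digits) or SHA-256 (64 hex digits) thumbprint"
        )
    return cleaned


def thumbprint(der_bytes, algorithm):
    """Hash the DER-encoded certificate with the named algorithm."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def certificate_matches(der_bytes, expected_text):
    """True if the certificate hashes to the thumbprint supplied out of band."""
    expected = normalize_thumbprint(expected_text)
    algorithm = ALGORITHM_BY_HEX_LENGTH[len(expected)]
    return thumbprint(der_bytes, algorithm) == expected


def fetch_presented_certificate(host, port):
    """Return the DER bytes of whatever certificate the server presents.

    No chain validation is performed here: the thumbprint comparison is
    the check. Requires network access, so it is not called below.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Thumbprint as an administrator might send it (computed from the sample).
    from_admin = thumbprint(SAMPLE_DER, "sha1").upper()
    print("match:", certificate_matches(SAMPLE_DER, from_admin))
    print("tampered:", certificate_matches(SAMPLE_DER + b"\x00", from_admin))
```

Import the certificate only when the comparison returns True; a mismatch means the browser was shown a different certificate from the one the administrator described.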

Enabling and Configuring Exceptions in Third-party Tools

Some third-party popup blockers enable you to allow popups from a specific site or server without allowing popups universally. If your popup blocker does not allow you to configure exceptions to include in a white list, or if that option fails to meet your requirements, you must set your utility to allow all popups. The method for allowing popups from a trusted site varies according to the utility that you use. Please refer to the third-party product’s documentation for more information.

Installing Security Manager Client

You can install Security Manager Client during installation of Security Manager server by selecting the client software from the component selection screen of the server installation wizard. Otherwise, you can install the client software by logging in to the Security Manager server using a browser after you install the server software.

For supported OS versions on client systems, see Client Requirements, page 2-5.

Before You Begin

• (Windows XP) Select Start > All Programs > Accessories > System Tools > System Restore, then create a system restore point.

• (Windows 2003 or Windows XP) Internet Explorer Enhanced Security default settings might stop you from downloading the installation utility from your server. In this case, a message tells you that:

Internet Explorer cannot download CSMClientSetup.exe from <server>. Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.

To work around this problem, select Start > Settings > Control Panel > Add or Remove Programs, then click Add/Remove Windows Components. From the Windows Component Wizard window, deselect the Internet Explorer Enhanced Security Configuration check box, click Next, then click Finish.

• (Windows Vista) The system displays the User Account Control popup window to indicate that an unidentified program wants access to your computer. This occurs because of a limitation in the InstallAnywhere software. This one-time popup displays only when installing the client software. Select Allow to continue.

• (Windows XP SP2 and Vista) Increased security features might cause the following message to be displayed:

Security Warning Message. The publisher could not be verified. Are you sure you want to run this software?


When you see this message, click Yes to continue.

• (Windows Vista) When you download the client software from your server, a File Download - Security Warning dialog box appears asking, “Do you want to run or save this file?” Click Save to continue.

• Cisco Security Agent needs to be disabled, either before or during the process of installing the client. If the client installer is unable to disable the Cisco Security Agent during the installation process, the process aborts and you are prompted to manually disable it before restarting the client installation.

• Although Common Services enables you to configure Security Manager server to run in normal mode, we recommend that you enable browser-server security mode or SSL on your Security Manager server so that communication between the server and the client is secure.

Note We recommend that you do not install both the Security Manager server software and Cisco Security Manager Client on the same system.

This procedure tells you how to install Security Manager Client without the server installer.

Step 1 Log in to the client system from a user account that has Windows administrator privileges.

Step 2 Use a browser on the client system to log in to the Security Manager server at: http://<server_name>:1741.

To learn which browsers and browser versions are supported, see Client Requirements, page 2-5.

Step 3 After you log in, click Cisco Security Manager Client Installer.

Step 4 Do one of the following. (The button names that your browser displays while you complete this step are determined by the browser, not by Security Manager.)

• Open — To run the installer from the server without downloading a local copy, click the correct button (most likely Open).

• Save — To save a local copy of the CSMClientSetup.exe file, click the correct button (most likely Save), then double-click the local file to start the installation.

The InstallAnyWhere Wizard progress bar appears and prepares the system for installation. After a few seconds, the Introduction window appears.

Tip If Cisco Security Agent is installed on the client system and opens the “A problem was detected” dialog box, select Yes, then click Apply. The dialog box closes, then the Installer window opens.

Step 5 Click Next.

Step 6 If Cisco Security Agent is installed and enabled on the client system, an error message is displayed that it must be disabled to proceed with the installation of the client software. Click Yes to disable the Cisco Security Agent. Alternatively, click No if you want to abort the installation and change the Cisco Security Agent settings yourself.

Note If the client installer is unable to stop the Cisco Security Agent, an error message is displayed stating that the installation will be aborted and that you need to manually disable it before restarting the installation.


Step 7 (Optional) If a version of Security Manager client is already installed on the system, the wizard displays a message that the existing Security Manager client will be uninstalled. Click Next to continue.

A dialog box appears, indicating the uninstallation process, until the operation is complete. The Cisco Security Manager Server Information screen is then displayed.

Step 8 Do all of the following, in any order:

• Specify the IP address or the DNS-resolvable hostname of a Security Manager server to which you will establish future connections.

• Ensure HTTPS is selected as the communications protocol. You cannot use HTTP.

Step 9 Click Next. The Choose Shortcut Options screen is displayed.

Step 10 Select one of the following options to configure the users for which a shortcut to the Security Manager client needs to be created:

• Create Shortcuts for Current User Only—Creates a desktop shortcut and a shortcut on the Programs menu only for the user who is currently installing the client software. This option is selected by default.

Note When you install Security Manager client as part of the server installation in silent mode, the shortcut to the client is created only for the user performing the installation by default.

• Create Desktop Shortcut for All Users—Creates a desktop shortcut and an option in the program listings in the Start menu for all user accounts configured on the system in which you are installing the client software. If the physical location of your client system is in the network operations center or security operations center for your organization, you might prefer to allow more than one Windows user to run the Security Manager Client application.

• Do Not Create Desktop Shortcut—Does not create a shortcut, either on the desktop or on the Programs menu for any user of the client system.

Step 11 To specify the target directory for installation (the default is C:\Program Files\Cisco Systems\Cisco Security Manager Client), do one of the following in the Choose Installation Location screen:

• To use the default directory, click Restore Default Folder and click Next.

• To open a dialog box from which you can specify a different directory for installation, click Browse, then select a directory and click Next.

Step 12 Review your selections, then click Install in the Pre-Installation Summary screen to confirm and proceed with the installation. In the event of an error, click Back, make any necessary corrections, then try again.

The Installing Cisco Security Manager Client screen appears with a dynamic indicator bar, which moves across the window. This bar indicates the progress of the installation process. When completed, a final screen displays indicating that the installation is completed.

Step 13 Choose whether you want to start the Security Manager client after the installation is complete. Otherwise, you can start the client anytime after you complete the installation.

Step 14 Click Finish to close the installer.

Note Apply the client software service pack or point patch, if you know that one is available. See Patching a Client, page 6-11.

Step 15 If you disabled an antivirus application temporarily, such as McAfee Antivirus or Norton Internet Security 2005, reenable it.


If the Cisco Security Agent was stopped by the client installer, it is restarted at the end of the installation. However, if you manually disabled the Cisco Security Agent on your system, you need to enable it after client installation is complete.

Step 16 (Optional) To start the client for Security Manager, do one of the following:

• If you let the installer create a desktop shortcut, double-click that shortcut.

• Select Start > Programs > Cisco Security Manager > Cisco Security Manager Client.

Note If you changed the HTTP or HTTPS port number on your Security Manager server to any port number other than the default value, connection to the server from the Security Manager client fails because the client tries to contact the server using the default port values. In Security Manager 3.2, two properties, HTTP_PORT and HTTPS_PORT, can be added to the client.info file located in the ..\Cisco Systems\Cisco Security Manager Client\jars folder on your client system to configure the port numbers you configured on your server. Open the client.info file in a text editor such as Notepad, add the following lines, and save the changes:

HTTP_PORT=<port_number>
HTTPS_PORT=<port_number>

When you start the client the next time, it uses the updated port numbers, based on the protocol selected, to communicate with the server.

Tip If the Create Shortcuts for Current User Only option was selected during client installation, only the user who installs Security Manager Client can see (from the program listings in the Start menu) that the application is installed. Nonetheless, if the physical location of your client system is in the network operations center or security operations center for your organization, you might prefer to allow more than one Windows user to run the Security Manager Client application. To make Security Manager Client visible in the Start menu for every user of the client station, copy the Cisco Security Manager Client folder from:

Documents and Settings\<user>\Start Menu\Programs\Cisco Security Manager

to:

Documents and Settings\All Users\Start Menu\Programs\Cisco Security Manager

Patching a Client

After you apply a service pack or a point patch to your Security Manager server, each client system will prompt you to apply an update to your installed copies of Security Manager Client. The version number of the client software must be the same as the version number of the server software. When a client prompts you to download and apply a required software update, do the following.

Note If the size of the disk cache for temporary files is smaller than the size of the client software update that you expect to download, see Table 6-1 on page 6-2 for details on how to increase your disk cache space.

Step 1 Do one of the following. (The button names that your browser displays while you complete this step are determined by the browser, not by Security Manager.)

• If an error message says that the URL cannot be retrieved or that the connection timed out:

a. Uninstall the client software instead of patching it. See Uninstalling Security Manager Client, page 6-12.

b. Download and install the new version of Security Manager Client. See Installing Security Manager Client, page 6-8.

• Open — To run the installer from the server without downloading a local copy, click the correct button (most likely Open).

• Save — To save a local copy of the update installer, click the correct button (most likely Save), then double-click the local file to start the installation.

The InstallAnyWhere Wizard prepares to install.

Tip If Cisco Security Agent is installed on the client system and opens the “A problem was detected” dialog box, select Yes, then click Apply. The dialog box closes, then the Installer window opens.

Step 2 When the update installer prompts you to specify an installation directory, specify the exact directory into which you installed Security Manager Client.

The default location is: C:\Program Files\Cisco Systems\Cisco Security Manager Client.

Step 3 If you are prompted to overwrite any existing files, click Yes to All.

Uninstalling Security Manager Client

If you installed Security Manager client on the same system as the Security Manager server software, you can uninstall the client using the server uninstaller. Alternatively, you can uninstall the client separately using the client uninstaller.

Note When you install a Security Manager 3.2 client on a system in which a previous version of the client software exists, the installation wizard provides you with an option to uninstall the existing client before preparing the system for installing the 3.2 version.

This procedure tells you how to uninstall Security Manager Client outside of the server installation wizard.

Step 1 Select Start > Programs > Cisco Security Manager > Uninstall Cisco Security Manager Client.

The InstallAnyWhere Wizard prepares to uninstall, then the Uninstaller window opens.

Step 2 To confirm that you have chosen to uninstall the client application, click Next.

Step 3 Click Finish.

Tip Even if the uninstaller does not prompt you specifically to restart your computer after you uninstall Security Manager Client, we recommend that you restart your computer.

Using Security Manager Client To Log In to a Server

To connect to the Security Manager server from a system on which you have installed Security Manager Client:

Step 1 Double-click the Cisco Security Manager Client icon on your Windows desktop or select Start > Programs > Cisco Security Manager > Cisco Security Manager Client.

Note The Security Manager Client GUI appears after a short delay, during which no progress indicator is visible. The delay might last a few seconds.

Step 2 Verify that your entries and selections are correct in the Cisco Security Manager Enterprise Edition window:

• Server Name — Contains the IP address or DNS-resolvable hostname of the server to which you will connect. You can edit the text to specify a different server or you can select an option from the list of server names.

• HTTPS check box — Is required so that the server can use SSL to communicate with the client software. You must not deselect the HTTPS check box.

• User ID — Contains the correct username for an account on the Security Manager server. To learn how to create a user account, see the Common Services documentation on Cisco.com.

• Password — Contains the correct password for the account that you specified.

Step 3 Click a button:

• To log in to the server with the specified credentials, click Login.

• To exit the client without connecting to the server, click Cancel.

• To understand how to log in, click Help.

Note • If the server prompts you to download and install a client software update, see Patching a Client, page 6-11.

• The client software automatically remembers the names of all servers to which you have logged in successfully. Each of those server names is added to the list of server names.

CHAPTER 7

Installing and Upgrading RME

This chapter describes the tasks that you must perform to install Resource Manager Essentials (RME) 4.1. It also describes upgrading and migrating older versions of RME to RME 4.1 on a Windows system. The following are the major sections in this chapter:

• Performing a Fresh Installation of RME, page 7-1

• Defining Upgrade and Migration for RME 4.0.5, page 7-7

• Upgrade From RME 4.0.x to RME 4.1, page 7-7

• Backing Up and Restoring RME Data to RME 4.1, page 7-9

Performing a Fresh Installation of RME

This section describes how to perform a fresh installation of RME 4.1:

• Installation Notes

• Installation Modes

• Performing a Fresh Installation—Typical

• Performing a Fresh Installation—Custom

Installation Notes

Before you begin your installation, note the following:

• You must install Common Services 3.1 before you can install RME 4.1.

• The installation program installs RME 4.1 in the same location as the Common Services directory (by default, SystemDrive:\Program Files\CSCOpx). This location is referred to as NMSROOT in this document.

SystemDrive is the directory where the Windows operating system is installed.

• Restart the system after installing CiscoWorks Common Services and before installing RME 4.1. The Common Services installation might fail if you do not restart your system.

• Run the installation from a local DVD or a local hard drive to avoid errors due to network inconsistencies.

• Close all applications before running the installation. Do not run any other programs while the installation is in progress.

• If you are running a virus scanner or mail client while installing Common Services, the installation might take longer to complete.

• You can click Cancel at any time to end the installation. However, any changes to your system will not be undone.

For example, if any new files were installed or if there were any changes to the system files, you need to manually clean up the installation directories.

Note We recommend that you do not terminate the installation while it is running.

• The Common Services installation takes approximately 30 minutes.

If you are running the installation from a remote DVD drive or a remote hard drive, the installation time will vary based on your network connection.

Caution Do not change the system time after installing Common Services. Such changes may affect the working of some time-dependent features.

Installation Modes

You can install RME 4.1 using either Typical or Custom mode:

• If you choose the Typical installation mode, the Common Services database password is randomly generated for you. You can view the password at the end of installation.

See Performing a Fresh Installation—Typical

• If you choose the Custom installation mode, you will be prompted to enter the Common Services database password.

Use a minimum of five characters and a maximum of 15 characters. Do not start the password with a number and do not insert spaces between characters.

This password is also used while restoring or troubleshooting the RME database.

See Performing a Fresh Installation—Custom

Performing a Fresh Installation—Typical

To install RME using the Typical mode:

Step 1 Log in as the local administrator on the system on which you installed Common Services.

Step 2 Insert the Security Manager 3.2 DVD into the drive.

If autorun is enabled, the installer opens automatically. If autorun is not enabled, open the rme4_1 folder, double-click setup.exe, and then click Yes to confirm that you are installing RME.

Step 3 If the WMI service is up and running, the following message appears when installation starts:

Windows Management Instrumentation (WMI) is running. This locks processes and impedes installation. To avoid WMI conflicts, this Setup program will stop and immediately restart the WMI service.

Click Yes to continue. The Welcome window appears.

Step 4 Click Next to continue.

The Software License Agreement window appears.

Step 5 Click Yes to accept the license agreement and proceed with the installation.

The Licensing Information dialog box appears.

Step 6 Do either of the following:

• If you have a license file for CiscoWorks, select the Licence File Location radio button, and browse to the file location.

• If you do not have a license, enter the serial number and the Product Identification Number (PIN) from the product package.

• For an evaluation copy of Resource Manager Essentials 4.1, licensing details are not required. Select the Evaluation only radio button to get an evaluation copy of RME 4.1.

Note A message appears at the end of the installation prompting you to obtain a valid license key from Cisco.com within 90 days.

Step 7 Click Next to continue.

The Setup Type dialog box appears displaying two installation modes, Typical installation and Custom installation.

Step 8 Select Typical from the Setup dialog box and click Next.

The following message appears only if you have configured Common Services in ACS mode (Common Services > Server > Security > AAA Mode Setup):

The application that you are installing requires new tasks to be registered with ACS. If you have already registered this application with ACS from another server, you do not need to register it again. However if you re-register the application, you will lose any custom roles that you had created earlier for this application in ACS.

Step 9 Do one of the following:

• If you click Yes, RME 4.1 is registered with the ACS server.

• If you click No, RME 4.1 is not registered with the ACS server.

After the installation, you can register RME 4.1 with the ACS server, using the script AcsRegCli.pl:

NMSROOT\bin\perl NMSROOT\bin\AcsRegCli.pl -register rme

For example:

"C:\Program Files\CSCOpx\bin\perl" "C:\Program Files\CSCOpx\bin\AcsRegCli.pl" -register rme

• If you click Cancel, RME 4.1 installation is aborted.

The installation program checks dependencies and system requirements.

The System Requirements window appears.

Step 10 Click Next.

The Daemons Restart Option window appears.

Step 11 Click Yes to restart CiscoWorks daemons.

The Summary window appears.

Step 12 Click Show Details to view all settings including those selected automatically.

A Security Alert dialog box appears.

Step 13 Click Yes to view details.

The summary details view displays the randomly generated Essentials database password in clear text. The Summary window displays installation details.

Note Memorize your password displayed on the console. We recommend you do not write it down.

Step 14 Click Install.

The Setup screen appears, displaying installation progress while files are copied and applications are configured.

The following message appears:

To ensure that you retain the latest device support, please install the latest Device Packages from CCO @http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-rme
Please refer to the Installation and Setup Guide for details.

Step 15 Click OK.

The Setup Complete dialog box appears.

Step 16 Click Finish.

You have completed the Common Services installation.

If you had any errors during installation, check the installation log in the root directory on the drive where the operating system is installed. Each installation creates a new log file.

For example, the Common Services installation creates SystemDrive:\CiscoWorks_setupxxx.log, where xxx is the log file for the last CiscoWorks application installed. If you request assistance, the Technical Assistance Center (TAC) might ask you to send them the installation log.

Performing a Fresh Installation—Custom

To install RME using the Custom mode:

Step 1 Log in as the local administrator on the system on which you installed Common Services.

Step 2 Insert the Security Manager 3.2 DVD into the drive.

If autorun is enabled, the installer opens automatically. If autorun is not enabled, open the rme4_1 folder, double-click setup.exe, and then click Yes to confirm that you are installing RME.

Step 3 If the WMI service is up and running, the following message appears when installation starts:

Windows Management Instrumentation (WMI) is running. This locks processes and impedes installation. To avoid WMI conflicts, this Setup program will stop and immediately restart the WMI service.

Click Yes to continue. The Welcome window appears.

Step 4 Click Next to continue.

The Software License Agreement window appears.

Step 5 Click Accept to accept the license agreement and proceed with the installation.

The Licensing Information dialog box appears.

Step 6 Do either of the following:

• If you have a license file for CiscoWorks, select the Licence File Location radio button, and browse to the file location.

• If you do not have a license, enter the serial number and the Product Identification Number (PIN) from the product package.

• For an evaluation copy of Resource Manager Essentials 4.1, licensing details are not required. Select the Evaluation only radio button to get an evaluation copy of RME 4.1.

Note A message appears at the end of the installation prompting you to obtain a valid license key from Cisco.com within 90 days.

Step 7 Click Next to continue.

The Setup Type dialog box appears displaying two installation modes, Typical installation and Custom installation.

Step 8 Select Custom from the Setup dialog box and click Next.

The following message appears only if you have configured Common Services in ACS mode (Common Services > Server > Security > AAA Mode Setup):

The application that you are installing requires new tasks to be registered with ACS. If you have already registered this application with ACS from another server, you do not need to register it again. However if you re-register the application, you will lose any custom roles that you had created earlier for this application in ACS.

Step 9 Do one of the following:

• If you click Yes, RME 4.1 is registered with the ACS server.

• If you click No, RME 4.1 is not registered with the ACS server.

After the installation, you can register RME 4.1 with the ACS server, using the script AcsRegCli.pl:

NMSROOT\bin\perl NMSROOT\bin\AcsRegCli.pl -register rme

For example:

"C:\Program Files\CSCOpx\bin\perl" "C:\Program Files\CSCOpx\bin\AcsRegCli.pl" -register rme

• If you click Cancel, RME 4.1 installation is aborted.

The Change Essentials Database Password window appears.

Use a minimum of five characters and a maximum of 15 characters. Do not start the password with a number and do not insert spaces between characters:

Step 10 Do either of the following:

• To create a new password:

– Enter a password of at least five characters in the Password field.

– Re-enter the password in the Confirm Password field.

• To let Common Services generate a random password for you, leave the Password field and the Confirm Password field blank.

Note If you enter a password with fewer than five characters, RME automatically generates a random password.

You can view your password in clear text in the Security dialog box (Step 14).

Step 11 Click Next.

The installation program checks dependencies and system requirements.

The System Requirements window appears.

Step 12 Click Next.

The Daemons Restart Option window appears.

Step 13 Click Yes to restart CiscoWorks daemons.

The Summary window appears.

Step 14 Click Show Details to view all settings including those selected automatically.

A Security Alert dialog appears.

Step 15 Click Yes to view details.

The Summary Details view displays the password in clear text. The Summary window displays installation details.

Step 16 Click Next.

The Setup screen appears, displaying installation progress while files are copied and applications are configured.

The following message appears:

To ensure that you retain the latest device support, please install the latest Device Packages from CCO @http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-rme
Please refer to the Installation and Setup Guide for details.

Step 17 Click OK.

The Setup Complete dialog box appears.

Step 18 Click Finish.

You have completed the Common Services installation.

If you had any errors during installation, check the installation log in the root directory on the drive where the operating system is installed. Each installation creates a new log file.

For example, the Common Services installation creates SystemDrive:\CiscoWorks_setupxxx.log, where xxx is the log file for the last CiscoWorks application installed. If you request assistance, the Technical Assistance Center (TAC) might ask you to send them the installation log.

Defining Upgrade and Migration for RME 4.0.5

This section provides overview information on upgrade and migration process topics:

• Defining RME Upgrade

• Defining RME Migration

Defining RME Upgrade

Upgrade involves overwriting the existing RME version with the new RME version. For versions prior to RME 4.0.3, you need to install RME 4.0.3 before upgrading to RME 4.1.

You can migrate using either of these methods:

• Local upgrade—Installing RME 4.1 on top of RME (4.0.3 or 4.0.5) on the same machine.

Or

• Remote upgrade—Installing RME 4.1 on a different machine and then restoring the data on the machine that has RME 4.1.

Defining RME Migration

Migration involves migrating data from an older version of RME to a newer version of RME. The steps for migration include:

1. Backing up the older version of RME data.

2. Installing the newer version of RME.

3. Restoring the backed up data.

You can migrate using either of these methods:

• Local migration—Installing RME 4.1 on top of RME 4.0.3 or RME 4.0.5 on the same machine.

Or

• Remote migration—Installing RME 4.1 on a different machine.

Upgrade From RME 4.0.x to RME 4.1

You can upgrade from any of the previous versions of RME to RME 4.1. This section consists of:

• Local Upgrade From RME 4.0.3, or 4.0.5 to RME 4.1

• Restoring the RME 4.0.x Backup Data

Local Upgrade From RME 4.0.3, or 4.0.5 to RME 4.1

Table 7-1 provides an overview of the local upgrade procedure when upgrading from RME 4.0.3, or 4.0.5 to RME 4.1.

Table 7-1 Procedure for Local Upgrade from RME 4.0.3 or 4.0.5 to RME 4.1

Task Reference

Step 1 Log in as root to the machine where RME 4.0.3 or 4.0.5 is installed

Step 2 Back up your RME 4.0.3 or RME 4.0.5 data. Backing Up Your RME 4.0.x Data, page 7-9

Step 3 Install RME 4.1 from the Security Manager 3.2 DVD. —

Step 4 Restore RME 4.0.3 or RME 4.0.5 data. You need not run any scripts to migrate data. All necessary data is migrated to RME 4.1 during the upgrade.

Important Local Upgrade Notes

During local upgrade from RME 4.0.3 or RME 4.0.5 to RME 4.1:

• You have to provide the RME 4.1 license (which can be obtained with the purchase of LMS 3.0) after upgrading to RME 4.1, even if you have a licensed copy of RME 4.0.3 or 4.0.5.

• If you have an evaluation copy of RME 4.0.3 and, after upgrading to RME 4.1, you want to update your evaluation license to a valid RME 4.1 license, follow the instructions on how to obtain and install the license file in the User Guide for CiscoWorks Common Services 3.1 at the following URL: http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.1/user/guide/admin.html#wp386416.

• If you have configured the ACS login module, all of the ACS settings are retained after Local and Remote upgrade.

Remote Upgrade From RME 4.0.3 or 4.0.5 to RME 4.1

Table 7-2 provides an overview of the remote upgrade procedure when upgrading from RME 4.0.3, or 4.0.5 to RME 4.1.

Table 7-2 Procedure for Remote Upgrade from RME 4.0.3 or 4.0.5

Task Reference

Step 1 Log in as root to the machine where RME 4.0.3 or 4.0.5 is installed

Step 2 Back up your RME 4.0.3 or RME 4.0.5 data. Backing Up Your RME 4.0.x Data, page 7-9

Step 3 Log in as root on the machine where you want to install RME 4.1.

Step 4 Verify that your operating system is supported by RME 4.1.

See the “Prerequisites” chapter in Installing and Getting Started With CiscoWorks LAN Management Solution 3.0.

Step 5 Install RME 4.1 from the Security Manager 3.2 DVD.

You need not run any scripts to migrate data. All necessary data is migrated to RME 4.0.5 during the upgrade.

Step 6 Transfer the RME 4.0.3 or 4.0.5 backup data to the RME 4.1 machine.

Step 7 Restore RME 4.0.3 or RME 4.0.5 data. Restoring the RME 4.0.x Backup Data, page 7-10

Backing Up and Restoring RME Data to RME 4.1

Data from the previous versions of RME can be backed up and restored to a system that has RME 4.1 installed. This section consists of:

• Backing Up Your RME 4.0.x Data

• Restoring the RME 4.0.x Backup Data

Backing Up Your RME 4.0.x Data

You can back up data using either the CLI or the GUI.

Backing Up RME 4.0.x Data Using CLI

To back up using CLI, enter:

NMSROOT\bin\perl NMSROOT\bin\backup.pl BKP num_generations

For example:

"D:\Program Files\CSCOpx\bin\perl" "D:\Program Files\CSCOpx\bin\backup.pl" D:\ciscoworks\rmebackupdata 2

where:

• NMSROOT is the CiscoWorks installed directory.

• BKP—Backup directory. The data is stored in the directories BKP/0, BKP/1, BKP/2, and so on, where BKP/n stores the data of the (n+1)th generation.

• num_generations—Maximum backup generations to be kept in the backup directory.

For more information, see Common Services 3.0.5 online help.

Backing Up RME 4.0.x Data Using GUI

To back up RME 4.0.x, select Common Services > Server > Admin > Backup.

Click Help for more information.

Restoring the RME 4.0.x Backup Data

We recommend that you do not cancel migration while it is running. This is to avoid errors. To restore the data:

Step 1 Log in as the local administrator on the system on which you installed Common Services 4.1.

Step 2 Shut down the Daemon Manager. To do this, enter:

net stop crmdmgtd

Step 3 Run the command:

NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup location -gen version -t tempbackup dir

For example:

"D:\Program Files\CSCOpx\bin\perl" "D:\Program Files\CSCOpx\bin\restorebackup.pl" -d D:\ciscoworks\rmebackupdata -gen 2 -t D:\temp

where

• NMSROOT is the CiscoWorks installation directory

• -d backup location is the location where RME 4.0.x backup data is available. This is mandatory.

• -gen version is the version to be migrated to RME 4.1. By default, it will restore the latest backup data. If generations 1 through 5 exist, then 5 will be the latest. This is optional.

• -t tempbackup dir is used to extract files from the backup into a temporary location. These files are used by the Restore Backup script. This will be deleted after the data restoration is complete. This is optional. By default, the Restore Backup script uses NMSROOT/tempbackupdata directory.

The migration script checks the details of the applications installed in the system and applications in the backup archive.

You are prompted to migrate syslog information. The following message appears:

Do you want to migrate syslogs [y / n]? Enter y to continue.

If you wish to migrate syslog information, choose Y, otherwise choose N.

You are prompted to collect inventory data. The following message appears:

Do you want to collect Inventory [y/n]?

If you wish to collect inventory information during migration, choose Y, otherwise choose N.

We recommend that you do not perform Inventory collection during migration. This is because it takes a long time to complete inventory data collection. It depends on the number of devices, network speed, and device response time.

Step 4 Schedule inventory collection after migration using the user interface. From the CiscoWorks homepage, select RME > Devices > Inventory.

Step 5 Start Daemon Manager after the migration is completed. To do this, enter:

net start crmdmgtd

You have migrated to RME 4.1.

CHAPTER 8

Post Installation Server Tasks

The following topics are tasks to complete after you install Security Manager or its related applications on a server.

• Server Tasks To Complete Immediately, page 8-1

• Verifying That Required Processes Are Running, page 8-2

• Best Practices for Ongoing Server Security, page 8-4

• Verifying an Installation or an Upgrade, page 8-4

• Where To Go Next, page 8-5

Server Tasks To Complete Immediately

Make sure that you complete the following tasks immediately after installation.

Task

1. Reenable or reinstall antivirus scanners and similar products. If you uninstalled or temporarily disabled any server security software, such as an antivirus tool or Cisco Security Agent, reinstall or restart that software now, then restart your server if required.

Note If you see that your antivirus software is reducing the efficiency or responsiveness of a Security Manager server, see your antivirus software documentation for recommended settings.

2. Reenable the services and server processes that you disabled for installation. Do not reenable IIS.

3. Reenable any mission-critical applications that you disabled for installation, including those that use any Sybase technology or software code.

4. On the server, add a self-signed certificate to the list of root trusted certificates. To learn how, see your browser documentation.

5. Check for updates on Cisco.com for Security Manager and its related applications. If you learn that updates are available, install the ones that are relevant to your organization and network.

Verifying That Required Processes Are Running

You can run the pdshow command from a Windows command prompt window to verify that all required processes are running correctly for the Cisco server applications that you choose to install. Process requirements differ among the applications.

Tip To learn more about pdshow, see the Common Services documentation.

Use Table 8-1 to understand which applications require which processes.

6. Do the following if your server has two or more network interface cards configured:

a. Select Start > Settings > Control Panel > Administrative Tools > Services, then stop Cisco Security Manager Daemon Manager.

b. Find NMSROOT\lib\vbroker\gatekeeper.cfg, where NMSROOT is the path to the Security Manager installation directory (the default is C:\Program Files\CSCOpx), then open the file in a text editor.

c. Edit these lines:

#vbroker.gatekeeper.backcompat.callback.host=external-IP-address

#vbroker.se.exterior.host=external-IP-address

#vbroker.se.iiop_tp.host=external-IP-address

#vbroker.se.interior.host=external-IP-address

so that you delete the # character in every instance and replace the IP address in every instance with the DNS-configured, external, static IP address of the Security Manager server that the client uses for communication.

d. Save your edited version of gatekeeper.cfg, then quit the text editor.

e. Select Start > Settings > Control Panel > Administrative Tools > Services, then restart Cisco Security Manager Daemon Manager.
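The edit in step c can be scripted so that all four properties receive the same validated address and nothing else in the file changes. The following is an added example, not Cisco's code: the function name, the sample file content, and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import re

# The four properties that step c of the procedure says to uncomment and set.
GATEKEEPER_HOST_KEYS = (
    "vbroker.gatekeeper.backcompat.callback.host",
    "vbroker.se.exterior.host",
    "vbroker.se.iiop_tp.host",
    "vbroker.se.interior.host",
)

# A "key=value" line, optionally commented out with "#"; spaces are tolerated.
PROPERTY_LINE = re.compile(r"^\s*(#?)\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# Constructed sample content; "example.other.setting" is a made-up key.
SAMPLE_CFG = (
    "# Constructed sample for illustration, not a real gatekeeper.cfg\r\n"
    "example.other.setting=1\r\n"
    "#vbroker.gatekeeper.backcompat.callback.host=external-IP-address\r\n"
    "# vbroker.se.exterior.host = external-IP-address\r\n"
    "#vbroker.se.iiop_tp.host=external-IP-address\r\n"
    "#vbroker.se.interior.host=external-IP-address\r\n"
)


def set_gatekeeper_hosts(cfg_text, external_ip):
    """Uncomment the four host properties and set them to external_ip.

    Returns (new_text, changed_keys, missing_keys). Lines that are not one
    of the four properties are copied through byte for byte, including
    their original line endings.
    """
    # Reject the placeholder text or a typo before touching the file.
    ip = ipaddress.ip_address(external_ip)
    if ip.is_loopback or ip.is_unspecified:
        raise ValueError(f"{ip} is not an address that clients can reach")

    changed, seen, out = [], set(), []
    for line in cfg_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        match = PROPERTY_LINE.match(body)
        if match and match.group(2) in GATEKEEPER_HOST_KEYS:
            key = match.group(2)
            seen.add(key)
            new_body = f"{key}={ip}"
            if new_body != body and key not in changed:
                changed.append(key)
            out.append(new_body + eol)
        else:
            out.append(line)

    # A key that never appeared means the file is not the expected template.
    missing = [k for k in GATEKEEPER_HOST_KEYS if k not in seen]
    return "".join(out), changed, missing
```

Run it only while Cisco Security Manager Daemon Manager is stopped (steps a and e), and treat a non-empty missing_keys result as a reason to inspect the file by hand before restarting the service.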


Tip To verify that the Windows service called “Cisco Security Agent” is running on your server, select Start > Settings > Control Panel > Administrative Tools > Services.

Table 8-1 Application Process Requirements

This application: Common Services 3.1
Requires these Daemon Manager processes: Apache, CmfDbEngine, CmfDbMonitor, CMFOGSServer, CSRegistryServer, DCRServer, diskWatcher, EDS, EDS-GCF, EDS-TR, ESS, EssMonitor, jrm, LicenseServer, Proxy, RmeGatekeeper, RmeOrb, Tomcat, TomcatMonitor

This application: Cisco Security Manager 3.2
Requires these Daemon Manager processes: AthenaOGSServer, VmsBackendServer, vmsDbEngine, vmsDbMonitor

This application: Auto Update Server 3.2
Requires these Daemon Manager processes: AusDbEngine, AusDbMonitor, CNSEventGateway

This application: Resource Manager Essentials 4.1
Requires these Daemon Manager processes: ChangeAudit, ConfigMgmtServer, CTMJrmServer, EssentialsDM, ICServer, NCTemplateMgr, NetShowMgr, RMECSTMServer, RMEDbEngine, RMEDbMonitor, RMEOGSServer, SyslogAnalyzer, SyslogCollector
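The comparison of pdshow output against Table 8-1 can be automated. The following is an added example, not Cisco's code: it assumes pdshow prints a "Process=" line followed by a "State  =" line for each process, the sample output is constructed, and the second entry in HEALTHY_STATES is an assumption that you can override.

```python
import re

# Table 8-1: Daemon Manager processes that each application requires.
REQUIRED = {
    "Common Services 3.1": [
        "Apache", "CmfDbEngine", "CmfDbMonitor", "CMFOGSServer",
        "CSRegistryServer", "DCRServer", "diskWatcher", "EDS", "EDS-GCF",
        "EDS-TR", "ESS", "EssMonitor", "jrm", "LicenseServer", "Proxy",
        "RmeGatekeeper", "RmeOrb", "Tomcat", "TomcatMonitor",
    ],
    "Cisco Security Manager 3.2": [
        "AthenaOGSServer", "VmsBackendServer", "vmsDbEngine", "vmsDbMonitor",
    ],
    "Auto Update Server 3.2": [
        "AusDbEngine", "AusDbMonitor", "CNSEventGateway",
    ],
    "Resource Manager Essentials 4.1": [
        "ChangeAudit", "ConfigMgmtServer", "CTMJrmServer", "EssentialsDM",
        "ICServer", "NCTemplateMgr", "NetShowMgr", "RMECSTMServer",
        "RMEDbEngine", "RMEDbMonitor", "RMEOGSServer", "SyslogAnalyzer",
        "SyslogCollector",
    ],
}

# Assumption: states accepted as healthy. Pass healthy={"Running normally"}
# to check_required() for the strictest reading of this guide.
HEALTHY_STATES = frozenset({
    "Running normally",
    "Program started - No mgt msgs received",
})

FIELD = re.compile(r"^\s*(Process|State)\s*=\s*(.*?)\s*$")

# Constructed sample in the assumed pdshow layout. vmsDbMonitor is absent
# on purpose and vmsDbEngine is shown as stopped.
SAMPLE_PDSHOW = """\
        Process= AthenaOGSServer
        State  = Running normally
        Pid    = 3120

        Process= VmsBackendServer
        State  = Running normally
        Pid    = 3344

        Process= vmsDbEngine
        State  = Administrator has shut down this server
        Pid    = 0

        Process= Tomcat
        State  = Program started - No mgt msgs received
        Pid    = 2988
"""


def parse_pdshow(text):
    """Return {process_name: state}; state is None if no State line follows."""
    states, current = {}, None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # Pid, RC, Info and similar fields are not needed here
        field, value = match.groups()
        if field == "Process":
            current = value
            states.setdefault(current, None)
        elif current is not None:
            states[current] = value
            current = None
    return states


def check_required(pdshow_text, applications, healthy=HEALTHY_STATES):
    """Return {application: {process: problem}} for the installed applications."""
    states = parse_pdshow(pdshow_text)
    report = {}
    for app in applications:
        problems = {}
        for proc in REQUIRED[app]:
            if proc not in states:
                problems[proc] = "not registered"
            elif states[proc] not in healthy:
                problems[proc] = states[proc] or "no state reported"
        report[app] = problems
    return report
```

An empty inner dictionary means that every process Table 8-1 lists for that application was found in a healthy state.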


Best Practices for Ongoing Server Security

The least secure component of a system defines how secure the system is. The steps in the following checklist can help you to secure a server and its OS after you install Security Manager:

Verifying an Installation or an Upgrade

You can use Common Services to verify that you installed or upgraded Security Manager successfully.

Step 1 Use a browser on the client system to log in to the Security Manager server at: http://<server_name>:1741. (To learn which browsers and browser versions are supported, see Client Requirements, page 2-5.)

Step 2 From the Cisco Security Management Suite page, click the CiscoWorks link in the upper right corner.

Step 3 From the Common Services home page, select Server > Admin.

The administrative GUI appears.

Step 4 To display the Process Management page, click Processes.

The resulting list names all the server processes and describes the operational status of each process. The following processes must be running normally:

• vmsDbEngine

• vmsDbMonitor

• EDS

Task

1. Monitor server security regularly. Log and review system activity. Use security tools such as the Microsoft Security Configuration Tool Set (MSCTS) and Fport to periodically review the security configuration of your server. Review the log file for the standalone version of Cisco Security Agent that is sometimes installed on a Security Manager server.

Tip You can obtain MSCTS from the Microsoft website and Fport from the Foundstone/McAfee website.

2. Limit physical access to your server. If your server contains removable media drives, set the server to boot from the hard drive first. Your data can be compromised if someone boots your server from a removable media drive. You can typically set the boot order in the system BIOS. Make sure you protect the BIOS with a strong password.

3. Do not install remote access or administration tools on the server. These tools provide a point of entry to your server and are a security risk.

4. Set a virus scanning application to run automatically and continuously on the server. Virus scanning software can prevent trojan horse applications from infecting your server. Update the virus signatures regularly.

5. Back up your server database frequently. Store all backups in a secure location with restricted access.


Note • To learn whether an installed application might require other processes, such as RmeOrb and RmeGatekeeper for RME, read the documentation for that application on Cisco.com. For product documentation URLs, see:

– Common Services Documentation, page xiv.

– Auto Update Server Documentation, page xiv.

– Resource Manager Essentials Documentation, page xiv.

• If you are trying to verify the installation because the Security Manager GUI does not appear or is not displayed correctly, see “Q. The Security Manager GUI does not appear, or is not displayed correctly, or certain GUI elements are missing. What happened?” in Appendix A, “Troubleshooting.”

Where To Go Next

If you want to: Understand the basics
Do this: See the interactive JumpStart guide that opens automatically when you start Security Manager.

If you want to: Get up and running with the product quickly
Do this: See the “Getting Started with Security Manager” topic in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.2.

If you want to: Complete the product configuration
Do this: See the “Completing the Initial Security Manager Configuration” topic in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.2.

If you want to: Manage user authentication and authorization
Do this: See the following topics in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 3.2.
• Setting Up User Permissions
• Integrating Security Manager with Cisco Secure ACS

If you want to: Bootstrap your devices
Do this: See the “Preparing Devices for Management” topic in the online help, or see Chapter 5 of User Guide for Cisco Security Manager 3.2.

If you want to: Install entitlement applications
Do this: Your Security Manager license grants you the right to install certain other applications (including specific releases of RME and Performance Monitor) that are not installed when you install Security Manager. You can install these applications at any time. See Introduction to Component Applications, page 1-1.


APPENDIX A Troubleshooting

Note CiscoWorks Common Services 3.1 provides Security Manager with its framework for installation, uninstallation, and reinstallation on servers. If the installation or uninstallation of Security Manager server software causes an error, see “Troubleshooting the Installation” in the Common Services online help or read it on Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.0/install/guide/faqs.html.

These topics help you to troubleshoot problems that might occur when you install, uninstall, or reinstall Security Manager-related software applications on a client system or on a server, including the standalone version of Cisco Security Agent.

• Questions and Answers, page A-1

• Troubleshooting the Standalone Security Agent, page A-12

• Running a Server Self-Test, page A-13

• Collecting Server Troubleshooting Information, page A-14

• Viewing and Changing Server Process Status, page A-14

• Reviewing the Server Installation Log File, page A-15

Questions and Answers

Topics in this section answer questions that you might ask about installing, uninstalling, or reinstalling Security Manager and IPS Event Viewer successfully:

• Server Q&A, page A-2

• IPS Event Viewer Q&A, page A-6

• Client Q&A, page A-7


Server Q&A

This section answers questions that you might have about:

• Problems During Installation, page A-2

• Problems After Installation, page A-3

• Problems During Uninstallation, page A-5

Problems During Installation

Q. When I install the server software, what does this installation error message mean?

A. Server software installation error messages and explanations appear in Table A-1 on page A-2, where they are sorted alphabetically by their first word.

Table A-1 Installation Error Messages (Server)

Message: License file failed. ERROR: The file with the name c:\progra~1\CSCOpx\setup does not exist
Reason for Message: An earlier attempt to uninstall a Common Services-dependent application failed.
User Action:
1. Shut down the server, then restart it.
2. Use a Registry editor to delete this entry: $HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager\CurrentVersion.
3. In the directory where you installed Security Manager, create a subdirectory named setup.
4. If it exists, delete the CMFLOCK.TXT file.
5. Reinstall Security Manager.

Message: Corrupt License file. Please enter a valid License file.
Reason for Message: Your license file is corrupted or the contents of the license file are invalid.
User Action: See Getting Help with Licensing, page 1-7.

Message: Corrupt License file entered for 5 tries. Install will proceed in EVAL mode. Press OK to proceed.
Reason for Message: You entered the pathname to an invalid license file for five consecutive attempts. After five failed attempts, installation continues in evaluation mode.
User Action: Click OK to close the license error dialog box, and installation proceeds to the next screen of the wizard.

Message: One instance of CiscoWorks Installation is already running. If you are sure that no other instances are running, remove the file C:\CMFLOCK.TXT. This installation will now abort.
Reason for Message: An earlier attempt to install a Common Services-dependent application failed.
User Action: Delete the C:\CMFLOCK.TXT file, then try again.

Message: Severe
Failed on call to FileInsertLine.
Reason for Message: Your server does not meet the requirement for hard drive space.
User Action: See Server Requirements, page 2-3.

Message: Temporary directory used by installation has reached _istmp9x. If _istmp99 is reached, no more setups can be run on this computer, they fail with error -112.
Reason for Message: Temporary files that are supposed to be deleted automatically during software installations have not been deleted on your server.
User Action: Search the temporary directory on your server for subdirectories with names that include the “_istmp” string. Permanently delete all such subdirectories.


Q. What should I do if the server installer suspends operation (hangs)?

A. Reboot and try again.

Q. Can I install both Cisco Security Manager and Cisco Secure Access Control Server on one system?

A. We recommend that you do not. We do not support the coexistence of Security Manager on the same server with Cisco Secure ACS for Windows.

Q. Can Security Manager 3.2 coexist on a server with any older version of Common Services than 3.1?

A. No. As of March 2008, we do not support coexistence on the same server with any Common Services version older than 3.1. See http://www.cisco.com/go/csmanager for announcements of any new features or supported configurations.

Problems After Installation

Q. The Security Manager GUI does not appear, or is not displayed correctly, or certain GUI elements are missing. What happened?

A. There are several possible explanations. Investigate the scenarios in this list to understand and work around simple problems that might affect the GUI:

• Some required services are not running on your server. Restart the server daemon manager, wait for all services to start completely, then restart Security Manager Client and try again to connect.

• Your server does not have enough free disk space. Confirm that the Security Manager partition on your server has at least 500 MB free.

• Your base license file is corrupted. See Getting Help with Licensing, page 1-7.

Table A-1 Installation Error Messages (Server) (continued)

Message: Windows cannot find 'C:\Documents and Settings\Administrator\WINDOWS\System32\cmd.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
Reason for Message: You left Terminal Services enabled during installation, even though we do not support this. See Readiness Checklist for Installation, page 3-4.
User Action:
1. Disable Terminal Services. To learn how to do this, see the “Terminal Server Support for Windows 2000 and Windows 2003 Server” topic in Installing and Getting Started With CiscoWorks LAN Management Solution 3.0.
2. Try again to install Security Manager.

Message: Setup has detected that unInstallShield is in use. Close unInstallShield and restart setup. Error 432.
Reason for Message: The installation program checks the Windows account permissions during installation. If the Windows account that you are installing CiscoWorks Common Services under does not have local administrator privileges, InstallShield displays this error message.
User Action:
1. Verify that you have appropriate permissions to write to %WINDIR%. Installation or uninstallation has to be done by a member of local administrators group.
2. Click OK to close the error message, log out of Windows, and log back into Windows using an account that has local administrator privileges.

Note For additional information about installation error messages, see the Common Services 3.1 documentation on Cisco.com.


• Your server uses the wrong Windows language. Only English, on US-English versions of Windows, and Japanese, on Japanese versions of Windows, are supported. (See Server Requirements, page 2-3.) Any other language can corrupt the installed version of Security Manager, and missing GUI elements are one possible symptom. If you are using an unsupported language, you must select a supported language, then uninstall and reinstall Security Manager. See Uninstalling and Reinstalling Server Applications, page 4-6.

• Problems occurred when you installed Cisco Security Agent. You can check its installation log to learn whether problems interfered with the installation. See Troubleshooting the Standalone Security Agent, page A-12.

• You ran the Security Manager installation utility over a network connection, but we do not support this use case (see Installing Server Applications, page 4-1). You must uninstall and reinstall the server software. See:

a. Uninstalling Server Applications, page 4-6.

b. Reinstalling Server Applications, page 4-8.

• Your client system does not meet the minimum requirements. See Client Requirements, page 2-5.

• You tried to use HTTP, but the required protocol is HTTPS.

• Buttons are the only missing element. You opened the Display Properties control panel on the client system, then changed one or more settings under the Appearance tab while you were simultaneously using Security Manager Client. To work around this problem, exit Security Manager Client, then restart it.

• The wrong graphics card driver software is installed on your client system. See Client Requirements, page 2-5.

Q. Security Manager sees only the local volumes, not the mapped drives, when I use it to browse directories on my server. Why?

A. Microsoft includes this feature by design in Windows, to enhance server security. For more information, log in to your Cisco.com account, then use Bug Toolkit to learn about CSCsb43414.

Note You must store your Security Manager license files on a volume that is local to your server, due to the restricted browsing of mapped drives.

Q. Why is Security Manager missing from the Start menu in my Japanese version of Windows?

A. You might have configured the regional and language option settings on the server to use English. We do not support English as the language in any Japanese version of Windows (see Server Requirements, page 2-3). Use the Control Panel to reset the language to Japanese.

Q. My server SSL certificate is no longer valid. Also, the DCRServer process does not start. What happened?

A. You reset the server date or time so that it is outside the range in which your SSL certificate is valid. See Readiness Checklist for Installation, page 3-4. To work around this problem, reset the server date/time settings.

Q. I was not prompted for the protocol to be used for communication between the server and client. Which protocol is used by default? Do I need to configure this setting manually using any other mode?


A. HTTPS is used as the communication protocol between the server and client, by default, when you install the client in silent mode during the server installation. Because the communication is secure with the default protocol, you might not need to modify this setting manually.

An option to select HTTP as the protocol is available only when you run the client installer to install Security Manager client separately outside of the server installer. However, we recommend that you do not use HTTP as the communication protocol between the server and client.

Problems During Uninstallation

Q. What does this uninstallation error message mean?

A. Uninstallation error messages and explanations appear in Table A-2 on page A-5, where they are sorted alphabetically by their first word.

Table A-2 Uninstallation Error Messages

Message Reason for Message User Action

C:\NMSROOT\MDC\msfc-backend refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location.

If you dismiss the message and the uninstallation fails, try either or both of these possible workarounds, then try again to uninstall:

Simple File Sharing

1. Select Start > Settings > Control Panel > Folder Options.

2. Click the View tab.

3. Scroll to the bottom of the Advanced Settings pane.

4. Deselect the Use simple file sharing (Recommended) check box, then click OK.

Offline File Synchronization

1. Select Start > Settings > Control Panel > Folder Options.

2. Click the Offline Files tab.

3. Deselect the Enable Offline Files check box, then click OK.

C:\temp\<subdirectory>\setup.exe - Access is denied.

The process cannot access the file because it is being used by another process.

0 file(s) copied. 1 file(s) copied.

Uninstallation failed. Reboot the server, then complete the procedure described in Uninstalling Server Applications, page 4-6.


Q. What should I do if the uninstaller hangs?

A. Reboot, then try again.

Q. What should I do if the uninstaller displays a message to say that the crmdmgtd service is not responding and asks “Do you want to keep waiting?”

A. The uninstallation script includes an instruction to stop the crmdmgtd service, which did not respond to that instruction before the script timed out. Click Yes. In most cases, the crmdmgtd service then stops as expected.

IPS Event Viewer Q&A

Q. How can I confirm if IPS Event Viewer installed correctly on my server when I installed Security Manager?

A. Log in as a Windows administrator on your Security Manager server, then do the following:

1. From the NMSROOT\IEV\log subdirectory, open system.log — where NMSROOT is the directory in which you installed Common Services (C:\Program Files\CSCOpx, for example). The logfile should contain exactly this text, and nothing else: Cisco IPS Event Viewer service successfully started.

2. Select Start > Settings > Control Panel > Administrative Tools > Services, then confirm that the following Windows services have started:

• Cisco IPS Event Viewer

• MySQL

Q. Does the Windows service called “Cisco IPS Event Viewer” have any special dependencies?

Table A-2 Uninstallation Error Messages (continued)

Message: Windows Management Instrumentation (WMI) is running.
The setup program has detected Windows Management Instrumentation (WMI) services running. This will lock some Cisco Security Manager processes and may abort uninstallation abruptly. To avoid this, uninstallation will stop and start the WMI services.
Do you want to proceed?
Click Yes to proceed with this uninstallation. Click No to exit uninstallation.
Reason for Message: Either your organization uses WMI or someone enabled the WMI service accidentally on your server.
User Action: Click Yes.

Note For additional information about uninstallation error messages, see the Common Services 3.1 documentation on Cisco.com.


A. Yes. It cannot run successfully unless the Windows service called “MySQL” is also running.

Q. Can I uninstall IPS Event Viewer separately from Security Manager on my server?

A. If you used the Security Manager installer to install IPS Event Viewer, you cannot uninstall IPS Event Viewer without uninstalling Security Manager at the same time. Although IPS Event Viewer is displayed in the list of installed programs in the Add/Remove Programs window after installation, we recommend that you uninstall IPS Event Viewer using the Security Manager uninstaller instead of using the Add/Remove Programs control panel.

Client Q&A

This section answers questions that you might have about:

• Problems During Installation, page A-7

• Problems After Installation, page A-10

• Other Problems, page A-11

Problems During Installation

Q. When I install the client software, what does this installation error message mean?

A. Client software installation error messages and explanations appear in Table A-3, where they are sorted alphabetically by their first word.

Table A-3 Installation Error Messages (Client)

Message: could not install engine jar
Reason for Message: Previous software installations and uninstallations caused InstallShield to run incorrectly.
User Action:
1. Navigate to: C:\Program Files\Common Files\InstallShield\Universal\common\Gen1.
2. Rename the Gen1 folder, then try again to install Security Manager Client. If Gen1 is not present, rename common instead.


Table A-3 Installation Error Messages (Client) (continued)

Message: Error - Cannot Connect to Server
The client cannot connect to the server. This can be caused by one of the following reasons:
The server name is incorrect
The protocol (http, https) is incorrect
The server is not running
Network access issues
Please confirm the server name and protocol are correct the server is running and you are not experiencing network connectivity issues by loading the CS Manager home page in your browser.
Reason for Message: Most likely, the server is misconfigured for HTTPS traffic.
User Action:
1. From a browser, log in to the Cisco Security Management Suite desktop at https://<server>/CSCOnm/servlet/login/login.jsp.
2. Click Server Administration.
3. In the Admin window, select Server > Security.
4. From the TOC, select Single Server Management > Browser-Server Security Mode Setup, then confirm that the Enable radio button is selected. If the radio button is not selected, select it now, then click Apply.
5. When prompted, restart the Cisco Security Manager Daemon Manager.
6. Wait 5 minutes, then try again to use Security Manager Client.
If you still cannot connect, consider the other possible problems that the error message describes.

Message: Error - Cisco Security Agent Running
Installation cannot proceed while the Cisco Security Agent is running
Do you want to disable the Cisco Security Agent and continue with the installation?
Reason for Message: Cisco Security Agent needs to be stopped during the client installation.
User Action:
• Click Yes to disable the Cisco Security Agent.
• Click No to cancel the operation and stop the Cisco Security Agent manually.
• Click Help to access online help for Security Manager client.

Message: Error - Cisco Security Agent not Stopped
The installation will be aborted because the Cisco Security Agent could not be stopped.
Please attempt to disable Cisco Security Agent before repeating the installation process.
Reason for Message: Security Manager client was unable to stop the Cisco Security Agent.
User Action: Click OK to close this error message and abort the installation. Manually disable the Cisco Security Agent before retrying the installation.


Q. What should I do if the client installer suspends operation (hangs)?

A. Try the following. Any one of them might solve the problem:

• If antivirus software is installed on your client system, disable it, then try again to run the installer.

• Reboot the client system, then try again to run the installer.

Table A-3 Installation Error Messages (Client) (continued)

Message: Error occurred during the installation: null.
Reason for Message: Previous software installations and uninstallations caused InstallShield to run incorrectly.
User Action:
1. Navigate to: C:\Program Files\Common Files\InstallShield\Universal\common\Gen1.
2. Rename the Gen1 folder, then try again to install Security Manager Client. If Gen1 is not present, rename common instead.

Message: Errors occurred during the installation.
• null
Reason for Message: Only a Windows user whose login account has administrative privileges can install Security Manager Client.
User Action: Log in as a Windows administrator, then try again to install Security Manager Client.

Message: Internet Explorer cannot download CSMClientSetup.exe from <server>. Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.
Reason for Message: If the OS on your client system is Windows 2003, its Internet Explorer Enhanced Security default settings might stop you from downloading the client software installation utility from your server.
User Action:
1. Select Start > Control Panel > Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. When the Windows Component Wizard window opens, deselect the Internet Explorer Enhanced Security Configuration check box, click Next, then click Finish.

Message: Please read the information below.
The following errors were generated:
• WARNING: The <drive> partition has insufficient space to install the items selected.
Reason for Message: You tried to install Security Manager Client on a drive or partition that does not have enough free space.
User Action: Click Back, then select a different location in which to install Security Manager Client. Alternatively, see Changing the Default Location for Temporary Files, page C-3.

Message: Unable to Get Data
A database failure prevented successful completion of this operation.
Reason for Message: You tried to use the client to connect to the server before the server database was completely up and running.
User Action: Wait a few minutes, then try again to log in. If the problem persists, verify that all required services are running.


• Use a browser on the client system to log in to the Security Manager server at: http://<server_name>:1741. If you see an error message that says “Forbidden” or “Internal Server Error,” the required Tomcat service is not running. Unless you rebooted your server recently and Tomcat has not had enough time yet to start running, you might have to review server logs or take other steps to investigate why Tomcat is not running.

Problems After Installation

Q. Why is Security Manager Client missing from the Start menu in my Japanese version of Windows?

A. You might have configured the regional and language option settings to use English on the client system. We do not support English as the language in any Japanese version of Windows. Use the Control Panel to reset the language to Japanese.

Q. What can I do if my connections from a client system to the server seem unusually slow, or if I see DNS errors when I try to log in?

A. You might have to create an entry for your Security Manager server in the hosts file on your client system. Such an entry can help you to establish connections to your server if it is not registered with the DNS server for your network. To create this helpful entry on your client system, use Notepad or any other plain text editor to open C:\WINDOWS\system32\drivers\etc\hosts. (The host file itself contains detailed instructions for how to add an entry.)

Q. What is wrong with my authentication setup if my login credentials are accepted without any error message when I try to log in with Security Manager Client, but the Security Manager desktop is blank and unusable? (Furthermore, does the same problem explain why, in my web browser, Common Services on my Security Manager server accepts my login credentials but then fails to load the Cisco Security Management Suite desktop?)

A. You did not finish all of the required steps for Cisco Secure ACS to provide login authentication services for Security Manager and Common Services. Although you entered login credentials in ACS, you did not define the Security Manager server as a AAA client. You must do so, or you cannot log in. See the ACS documentation for detailed instructions.

Q. What should I do if I cannot use Security Manager Client to log in to the server and a message says...?

Message: ...repeatedly that the server is checking its license.

Verify that your server meets the minimum hardware and software requirements. See Server Requirements, page 2-3.

Message: Synchronizing with DCR.

There are two possible explanations:

• You started Security Manager Client shortly after your server restarted. If so, allow a few more minutes for the server to become fully available, then try again to use Security Manager Client.

• Your CiscoWorks administrative password contains special characters, such as ampersands (&). As a result, the Security Manager installation failed to create a comUser.dat file in the NMSROOT\lib\classpath subdirectory on your server, where NMSROOT is the directory in which you installed Common Services (the default is C:\Program Files\CSCOpx):

a. Either contact Cisco TAC for assistance in replacing comUser.dat or reinstall Security Manager.

b. Create a new Common Services password that does not use special characters.

Message: Error - Unable to Check License on Server. An attempt to check the license file on the CS Manager server has failed. Please confirm that the server is running. If the server is running, please contact Cisco Technical Assistance.

At least one of the following services did not start correctly. On the server, select Start > Programs > Administrative Tools > Services, right-click each service named below, then select Restart from the shortcut menu:

• Cisco Security Manager Daemon Manager.

• Cisco Security Manager database engine.

• Cisco Security Manager Tomcat Servlet Engine.

• Cisco Security Manager VisiBroker Smart Agent.

• Cisco Security Manager Web Engine.

Wait 5 minutes, then try again to start Security Manager Client.

Q. Why is the Activity Report not displayed when I use Internet Explorer as my default browser?

A. This problem occurs because of invalid registry key values or inaccuracies with the location of some of the dll files associated with Internet Explorer. For information on how to work around this problem, refer to the Microsoft Knowledge Base article 281679, which is available at this URL: http://support.microsoft.com/kb/281679/EN-US.

Other Problems

Q. I am unable to install or uninstall any software on a client system. Why?

A. If you run an installation and an uninstallation simultaneously on the client system, even if they are for different applications, you corrupt the client system InstallShield database engine and are prevented from installing or uninstalling any software. For more information, log in to your Cisco.com account, then use Bug Toolkit to view CSCsd21722 and CSCsc91430.


Troubleshooting the Standalone Security Agent

This section answers questions that you might ask about troubleshooting the standalone version of Cisco Security Agent that is installed in most cases when you install Security Manager server software.

Q. Under what circumstances might the standalone agent block network access to and from my server?

A. In broad terms, there are only two possibilities: Either malicious software is running on your server and the agent blocked it, or legitimate software on the server tried to do something that the agent misinterpreted as malicious. Both these problems can occur only if you previously set the agent security level to high and, in so doing, enabled an agent policy that is intended to detect and block the actions of untrusted rootkits. (The default setting is medium.)

We recommend that you investigate both possibilities to determine which of them is true in your case. Reading this log file should help you to identify the application whose actions the agent deemed suspicious: C:\Program Files\Cisco Systems\CSAgent\log\csalog.txt.

If your investigation shows that malicious software is running on the server, we recommend that you identify and eliminate whatever exploited vulnerabilities allowed the dangerous installation to occur. We further recommend that you wipe the server hard drive, then use the checklists and procedures in this guide to reinstall everything.

If you discover that benign (harmless) software — such as a trustworthy antivirus tool or a known device driver that loads dynamically after a system restart — triggered the agent, you can do any of the following:

• Reset the agent security level to medium, then restart the server.

Note If you later set the agent security level again to high, the agent will again consider the trusted and reinstalled software to be untrustworthy and will again block all network traffic.

• Uninstall the trusted software.

• Uninstall the agent. We recommend that you never do this. See Uninstalling the Standalone Agent, page B-3.

• Ask Cisco TAC to give you a revised agent. See Obtaining Documentation and Submitting a Service Request, page xv.

Another explanation is possible if the standalone agent blocks network access from your server. The Cisco Security Agent baseline policy for Windows users will not allow you to use Windows File Explorer to access any web page through HTTP.

Q. Why is Cisco Security Agent missing from the Start menu in my Japanese version of Windows?

A. You might have configured the regional and language option settings on the server to use English. We do not support English as the language in any Japanese version of Windows (see Server Requirements, page 2-3). Use the Control Panel to reset the language to Japanese.

Q. How can I verify that any Windows services that my standalone Cisco Security Agent might require are actually running on my server?

A. The standalone agent requires only one Windows service. Select Start > Settings > Control Panel > Administrative Tools > Services. You should see a running service called “Cisco Security Agent.”


Q. The red flag icon for Cisco Security Agent changed in my Windows system tray. The icon now has a red circle partially superimposed over it. What does it mean?

A. Something has disabled the agent (for example, you turned it off) or it is broken. Restarting your server might cause the standalone agent to reset itself, or you can check whether a message in the log tells you exactly what happened. See C:\Program Files\Cisco Systems\CSAgent\log\csalog.txt.

Q. The agent has blocked a valid operation. What can I do?

A. You can choose any of these possible workarounds:

• Right-click the agent icon in the Windows system tray, then select the off option to disable the agent temporarily. When you complete the task, reenable the agent.

• Uninstall the agent, even though we recommend that you do not uninstall it. See Uninstalling the Standalone Agent, page B-3.

• Select Start > Programs > Cisco Systems > Cisco Security Agent > Cisco Security Agent Diagnostics to run the diagnostic utility.

If none of the workarounds is sufficient, you can open a case with Cisco TAC (see Obtaining Documentation and Submitting a Service Request, page xv).

Running a Server Self-Test

To run a self-test that confirms whether your Security Manager server is operating correctly:

Step 1 From a system on which Security Manager Client is connected to your Security Manager server, select Tools > Security Manager Administration.

Step 2 In the Administration window, click Server Security, then click any button. A new browser opens, displaying one of the security settings pages in the Common Services GUI, corresponding to the button you clicked.

Note If an error message is displayed when a new browser window opens, see Configuring Required Client Settings To Open Browser Windows, page 6-2 for information on settings that can affect popup windows on systems where you use Security Manager Client.

Step 3 From the Common Services page, select Admin under the Server tab.

Step 4 In the Admin page TOC, click Selftest.

Step 5 Click Create.

Step 6 Click the SelfTest Information at <MM-DD-YYYY HH:MM:SS> link, where:

• MM-DD-YYYY is the current month, day, and year.

• HH:MM:SS is a timestamp that specifies the hour, minute, and second when you clicked Selftest.

Step 7 Read the entries in the Server Info page.


Collecting Server Troubleshooting Information

The Security Manager Diagnostics utility collects server diagnostic information in a ZIP file, CSMDiagnostics.zip. You overwrite the file with new information each time you run Security Manager Diagnostics, unless you rename the file. The information in your CSMDiagnostics.zip file can help a Cisco technical support engineer to troubleshoot any problems that you might have with Security Manager or its related applications on your server.

You can run Security Manager Diagnostics in either of two ways.

From a Security Manager client system:

1. After you establish a Security Manager Client session to your server, click Tools > Security Manager Diagnostics, then click OK.

The CSMDiagnostics.zip file is saved on your server in the NMSROOT\MDC\etc\ directory, where NMSROOT is the directory in which you installed Common Services (C:\Program Files\CSCOpx, for example). If you rename the file, you will not overwrite it accidentally.

2. Click Close.

From a Security Manager server:

1. Select Start > Run, then enter command. Alternatively, if your server keyboard includes a Windows key, press Windows-R, then enter command.

2. Enter C:\Program Files\CSCOpx\MDC\bin\CSMDiagnostics. Alternatively, to save the ZIP file in a different location than NMSROOT\MDC\etc\, enter CSMDiagnostics drive:\path. For example, CSMDiagnostics D:\temp.

Note There is no requirement to submit a CSMDiagnostics.zip file when you first submit a problem report. In a case where we require the file, your Cisco technical support engineer tells you how to submit it.

Viewing and Changing Server Process Status

To verify that the server processes for Security Manager are running correctly:

Step 1 From the CiscoWorks home page, select Common Services > Server > Admin.

Step 2 In the Admin page TOC, click Processes.

The Process Management table lists all server processes. Entries in the ProcessState column indicate whether a process is running normally.

Step 3 If a required process is not running, restart it. See Restarting All Processes on Your Server, page A-15.

Note Only users with local administrator privileges can start and stop the server processes.


Restarting All Processes on Your Server

Note You must stop all processes, then restart them all, or this method does not work.

Step 1 At the command prompt, enter net stop crmdmgtd to stop all processes.

Step 2 Enter net start crmdmgtd to restart all processes.

Tip Alternatively, you can select Start > Settings > Control Panel > Administrative Tools > Services, then restart Cisco Security Manager Daemon Manager.

Reviewing the Server Installation Log File

If responses from the server differ from the responses that you expect, you can review error and warning messages in the server installation log file.

Use a text editor to open C:\Ciscoworks_install_NNN.log, where NNN is a timestamp in the format YYYYMMDD_HHMMSS.

In most cases, the log file to review is the one that has either the highest number appended to its filename or has the most recent creation date.

For example, you might see log file error and warning entries that say:

ERROR: Cannot Open C:\PROGRA~1\CSCOpx/lib/classpath/ssl.properties at C:\PROGRA~1\CSCOpx\MDC\Apache\ConfigSSL.pl line 259.
INFO: Enabling SSL....
WARNING: Unable to enable SSL. Please try later....

Note In the event of a severe problem, you can send the log file to Cisco TAC. See Obtaining Documentation and Submitting a Service Request, page xv.
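An added example (not part of the Cisco guide) of the review described in this section: it selects the newest installation log by the YYYYMMDD_HHMMSS timestamp in the filename and extracts the ERROR and WARNING entries, including when several entries are run together on one line. The function names and sample filenames are constructed for illustration; the sample entries are the ones quoted in the guide.

```python
import re
from datetime import datetime

# Filename convention from the guide: Ciscoworks_install_NNN.log,
# where NNN is a timestamp in the format YYYYMMDD_HHMMSS.
LOG_NAME = re.compile(r"^Ciscoworks_install_(\d{8}_\d{6})\.log$", re.IGNORECASE)
# Severity prefixes that appear in the guide's sample entries.
SEVERITY = re.compile(r"\b(ERROR|WARNING|INFO):\s*")

# Constructed directory listing (hypothetical names, one with an impossible date).
SAMPLE_FILENAMES = [
    "Ciscoworks_install_20080102_101500.log",
    "Ciscoworks_install_20080315_093012.log",
    "Ciscoworks_install_20089999_000000.log",
    "setup.log",
]

# The guide's sample entries, joined on a single line to exercise the splitter.
SAMPLE_LOG = (
    r"ERROR: Cannot Open C:\PROGRA~1\CSCOpx/lib/classpath/ssl.properties "
    r"at C:\PROGRA~1\CSCOpx\MDC\Apache\ConfigSSL.pl line 259."
    r"INFO: Enabling SSL....WARNING: Unable to enable SSL. Please try later...."
)


def newest_install_log(filenames):
    """Return the install log with the most recent embedded timestamp, or None."""
    dated = []
    for name in filenames:
        match = LOG_NAME.match(name)
        if not match:
            continue
        try:
            stamp = datetime.strptime(match.group(1), "%Y%m%d_%H%M%S")
        except ValueError:
            continue  # right shape, but not a real date or time
        dated.append((stamp, name))
    return max(dated)[1] if dated else None


def split_entries(text):
    """Split log text into (severity, message) pairs, one per entry."""
    parts = SEVERITY.split(text)
    # parts is [preamble, severity, message, severity, message, ...]
    return [(parts[i], parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]


def problems(text):
    """Keep only the entries worth reviewing: errors and warnings."""
    return [(sev, msg) for sev, msg in split_entries(text) if sev in ("ERROR", "WARNING")]


if __name__ == "__main__":
    print("Review:", newest_install_log(SAMPLE_FILENAMES))
    for severity, message in problems(SAMPLE_LOG):
        print(f"{severity:8} {message}")
```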


APPENDIX B

Cisco Security Agent: Standalone Agent Overview

This appendix describes the standalone version of Cisco Security Agent that is sometimes installed on a Security Manager server.

Note • General user documentation for Cisco Security Agent is on Cisco.com at: http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html. However, the standalone agent on your server is customized for Security Manager. Because you cannot configure the customized, standalone agent and because Management Center for Cisco Security Agents is not installed, some information in the documentation for Management Center for Cisco Security Agents does not apply.

• To understand and work around problems that you might have with the standalone agent, see Troubleshooting the Standalone Security Agent, page A-12.

This appendix contains the following major sections:

• The Basics, page B-1

• Understanding and Managing Security Level Settings, page B-2

• Responding to Query Challenges, page B-2

• Uninstalling the Standalone Agent, page B-3

The Basics

If your target server is not protected by the full, commercial version of Cisco Security Agent when you start to install Security Manager, Security Manager installs a customized, standalone version of Cisco Security Agent, with predefined policies that you cannot change. See Cisco Security Agent, page 1-5.

Once installed, the standalone agent controls system operations with policies that allow or deny specific system actions. The agent checks whether an action is allowed or denied before any system resources are accessed and acted upon. The agent never interferes with your daily operations unless it detects what it considers to be a forbidden or unexpected system operation. Nonetheless, its rules are meant to protect your server from rootkits or similarly malicious software and are therefore very strict.


The standalone agent combines Security Manager-specific policies with baseline policies for Windows. To learn about the baseline policies for Windows, log in to your Cisco.com account, then go to http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/cw2000/csa/fcs-csamc-4.5.1.616-CSA-Policy-Descriptions.zip&app=Tablebuild&status=showC2A.

Note If you think that Cisco Security Agent has blocked a valid operation, you can contact Cisco TAC. See Obtaining Documentation and Submitting a Service Request, page xv.

Agent Log Files

Three log files for the standalone agent are stored in the C:\Program Files\Cisco Systems\CSAgent\log subdirectory:

• CSAgent-Install.log: installation log file

• csalog.txt: general log file

• securitylog.txt: security events log file

Understanding and Managing Security Level Settings

You can right-click the agent icon in the server system tray to change the security level setting at any time. The security level setting determines whether the agent imposes high, medium, or low-security restrictions on your server, or if it imposes no restrictions. The default is medium. Every level that you might select provides a distinct balance between security and convenience.

If you set the agent security level to high, it prevents your server from accepting inbound connections on any UDP or TCP ports except the specific ports that Security Manager and Common Services use. In addition, if the level is high and if the agent detects an untrusted rootkit, all connections (inbound and outbound) are blocked.

Responding to Query Challenges

When you right-click the agent icon and select Security Level > Off to disable your standalone agent, it displays a kind of challenge-response prompt that is commonly called a CAPTCHA (which stands for “completely automated public Turing test to tell computers and humans apart”).

Figure B-1 Challenge-Response Prompt

This method confirms that malicious software is not responsible for the request to disable your agent. To learn more, see Using Management Center for Cisco Security Agents 5.0.


Uninstalling the Standalone Agent

Caution You can uninstall the standalone agent, which removes all restrictions that the agent imposes, but your server will be significantly more vulnerable and exposed to attack than it is when the agent is installed. We recommend that you do not uninstall Cisco Security Agent. As a temporary alternative, you can right-click the agent icon in your server system tray, then select a lower security level setting or select the option that temporarily disables the standalone agent. Another alternative is to reset the standalone agent, which clears its rootkit detection status. To reset the agent, select Start > Programs > Cisco Systems > Cisco Security Agent > Reset Cisco Security Agent.

To uninstall the standalone agent (even though we recommend that you do not uninstall it), select Start > Programs > Cisco Security Agent > Uninstall Cisco Security Agent.

You must reboot.


APPENDIX C

Helpful Reference Information

This appendix contains the following sections:

• Understanding User Accounts, page C-1

• Recommendations for Creating Strong Passwords, page C-2

• Changing the Default Location for Temporary Files, page C-3

• Exporting Data from IPS MC 2.2, page C-4

• Importing IPS MC 2.2 Data, page C-4

Understanding User Accounts

Several security management and application management operations are potentially disruptive to the network or to the applications themselves, and must be protected. To prevent such operations from being used accidentally or maliciously, Common Services and Security Manager use a multilevel security system that allows access to certain features only to users who can authenticate themselves at the appropriate level. For this reason, there are three predefined kinds of login IDs.

See the Installing and Getting Started With CiscoWorks LAN Management Solution 3.0 for detailed information about these user accounts:

• admin — The admin login is equivalent to a Windows administrator and provides access to all Common Services and Security Manager tasks. You must enter the password during installation.

• casuser — The casuser login is equivalent to a Windows administrator and provides access to all Common Services and Security Manager tasks.

Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can lead to problems with your being able to do the following:

– Logging in to the web server

– Logging in to the client

– Performing successful backups of all databases

• <System Identity> — The System Identity login is equivalent to a Windows administrator and provides access to all Common Services and Security Manager tasks.


Note • You can choose whether to enter the System Identity username and password after installation. Communication among your servers relies on a trust model that uses certificates and shared secrets. The System Identity login is trustworthy to other servers when you use a multiserver setup and therefore facilitates communication between servers that are part of a domain. There can be one System Identity login account on a server.

• If you use Cisco Secure Access Control Server (ACS) for user authentication, you must use it to assign all CiscoWorks privileges to the System Identity user. If you do not use ACS for user authentication, the System Identity user must be a local user with system administrator privileges.

An administrator can create additional unique login IDs for users.

Understanding User Account Security Levels

You determine user security levels when you grant login access to Common Services, Security Manager, or other applications that you install. Each login account is associated with one or more roles. For detailed information about user roles and their associated permissions, see the “Default Associations Between Permissions and Roles in Security Manager” topic in the Security Manager online help or read the equivalent section on Cisco.com here:

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2/user/guide/aduser.html#wp23997.

Understanding User Permissions

The Security Manager server authenticates the username and password of every user who logs in. When you log in to Security Manager, the options displayed in the GUI depend on the roles assigned to your username. A user with system administrator privileges can access all features, while other users see only a subset of features.

Security Manager user authentication and authorization come from Common Services. See the Common Services online help for details.

Recommendations for Creating Strong Passwords

Never write passwords down, on paper or online. Instead, create passwords that you can remember easily but no one can guess easily. One way to do this is to create a password that is based on a song title, affirmation, or other phrase. For example, the phrase could be “this may be one way to remember” and the password could be “TmB1w2R!” or “Tmb1W>r~” or some other variation.

Note Do not use either of those examples as passwords.

Characteristics of a Strong Password

Strong passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z).

• Contain numerals and punctuation as well as letters (e.g., 0-9, !@#$%^&*()_+|~ =\`{}[]:";'<>?,./).


• Are at least five alphanumeric characters long.

• Are not a word in any language, and are not slang, dialect, or jargon.

• Are not based on personal information, such as the names of family members.

Characteristics of a Weak Password

A poor, weak password has the following characteristics:

• Contains fewer than eight characters.

• Is a word found in a dictionary (English or foreign).

• Is any other term that is easily guessed or found in common usage, such as:

– The name of family, pet, friend, coworker, or fantasy character.

– A computing term or name, such as a command, site, company, model, or application.

– Is a birthday or another kind of personal information, such as an address or telephone number.

– Is a predictable letter pattern or number pattern, such as aaabbb, qwerty, zyxwvuts, or 123321.

– Any of the above, spelled backwards.

– Any of the above, preceded or followed by a digit, such as secret1 or 1secret.

Password Security Basics

Never reveal a password.

In addition, you must:

• Never talk about a password in front of others.

• Never hint at the format of a password (such as “my family name”).

• Never share a password with family members.

• Never use characters from outside the standard ASCII character set. Some symbols, such as the pound sterling symbol (£), are known to cause login problems on some systems.
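The characteristics listed in this section can be checked mechanically before a password is set. This added example (not part of the Cisco guide) applies them, using the weak-password threshold of eight characters, and can also flag the ampersand that the troubleshooting appendix says prevents comUser.dat from being created when it appears in the CiscoWorks administrative password. The function names, the keyboard-row list, and the tiny word list are assumptions made for illustration; a real check would use a full dictionary and the user's personal details.

```python
import string

# Predictable patterns that the guide names.
GUIDE_PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
# Keyboard rows, the alphabet and the digits (added here to catch similar runs).
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits)
# Constructed stand-in for a real dictionary and personal-information list.
SAMPLE_WORDS = frozenset({"secret", "password", "cisco", "security", "admin"})


def _variants(password):
    """Lowercased password, with and without leading/trailing digits, both directions."""
    low = password.lower()
    core = low.strip(string.digits)  # turns secret1 and 1secret into secret
    return {low, low[::-1], core, core[::-1]}


def _is_predictable(text):
    """True for the guide's patterns, one or two repeated characters, or a run."""
    if len(text) < 4:
        return False
    if text in GUIDE_PATTERNS or len(set(text)) <= 2:
        return True
    return any(text in run or text in run[::-1] for run in RUNS)


def audit_password(password, words=SAMPLE_WORDS, is_admin_password=False,
                   installer_unsafe="&"):
    """Return a list of findings; an empty list means no listed weakness was found.

    installer_unsafe holds only the ampersand, the one special character the
    guide names for the comUser.dat failure; extend it if TAC identifies others.
    """
    findings = []
    if any(not 32 <= ord(ch) <= 126 for ch in password):
        findings.append("non_ascii")  # for example the pound sterling symbol
    if len(password) < 8:
        findings.append("too_short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("single_case")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        findings.append("no_digit_or_punctuation")
    variants = _variants(password)
    if variants & words:
        findings.append("dictionary_word")  # includes backwards and digit-padded forms
    if any(_is_predictable(v) for v in variants):
        findings.append("predictable_pattern")
    if is_admin_password and any(c in installer_unsafe for c in password):
        findings.append("installer_unsafe_character")
    return findings


if __name__ == "__main__":
    # Constructed candidates; none of these should be used as a real password.
    for candidate in ("secret1", "1terces", "Zyxwvuts", "Pa£sword1!x", "rV7&kd!Qm2"):
        print(candidate, audit_password(candidate, is_admin_password=True))
```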

Changing the Default Location for Temporary Files

The installation utility for Security Manager uses your Windows temporary directory, which Windows associates by default with your C:\ drive. If your target server has more than one local disk drive, and if you have less free space on your C:\ drive than is specified in Server Requirements, page 2-3, you might edit the environment variables for your server so that C:\ is not the default location for temporary files.

To see the environment variables for your server and edit their values so that you can change the default location for storing temporary files:

Step 1 Right-click My Computer, then select Properties from the shortcut menu.

Step 2 Click the Advanced tab.

Step 3 Click Environment Variables.

The Environment Variables window contains one area for variables that are associated with the active username in the current login session, and another area for variables that always apply to your server. Both of these areas can include variables (with names like TEMP, TMP, and TMPDIR) that tell Windows and other software where to store temporary files.


Step 4 Select the name of a variable that you want to change.

Step 5 Click Edit, change the value for that variable, then click OK.

Exporting Data from IPS MC 2.2

If you migrate data from an installation of IPS MC 2.2, and if the IPS MC server is the same server on which you install Security Manager, you must do the following before you start installing Security Manager.

Note • We do not support Security Manager coexistence on the same server with VMS 2.3, the suite of applications of which IPS MC is one component. We recommend that you follow all the guidelines in Chapter 3, “Preparing a Server for Installation.”

• Available space (on the IPS MC server disk partition where you will store your backup) must not be less than the size of the IPS MC database.

• If the IPS MC database that you import contains Security Monitor sensor alarms or syslog events, Security Manager ignores those alarms and events when it imports the database. Security Manager cannot use any records that are associated with Security Monitor.

Step 1 Back up your IPS MC server database files. See http://www.cisco.com/en/US/docs/security/security_management/vms/2.3/install/guide/windows/qsch4.html#wp1038598.

Step 2 Move the backed-up database from CSCOpx\MDC\backup to a secure volume.

Importing IPS MC 2.2 Data

Before You Begin

If you migrate data from IPS MC 2.2 to Security Manager 3.2, you can complete the following procedure successfully only after you:

1. Complete the procedure described in Exporting Data from IPS MC 2.2, page C-4.

2. Complete the Security Manager installation. See Installing Server Applications, page 4-1.

Note • If the IPS MC database that you import contains Security Monitor sensor alarms or syslog events, Security Manager ignores those alarms and events when it imports the data. Security Manager cannot use any records that are associated with Security Monitor.

• When you import IPS MC data into Security Manager:

– Do not use spaces anywhere in the path.

– Do not use a path that is longer than 67 characters, including the drive letter and any backslash characters.


– We recommend that available space on the server disk partition be at least twice the size of the database file that you import.

To transfer IPS MC 2.2 data to Security Manager 3.2:

Step 1 Move to your Security Manager server a copy of the IPS MC backup that you saved on a secure volume.

Step 2 Note the full pathname of the newly transferred copy of your backup file.

Example: c:\backup_2.2\20070104135727

Step 3 Execute the Perl script supplied with Cisco Security Manager to create a special file called the IpsCredentialFile. The IpsCredentialFile is an XML file with IPS credentials that CiscoWorks 3.1 can import via the Device Credentials Repository.

Example: c:\progra~1\cscopx\bin> c:\progra~1\cscopx\mdc\bin\ExportIpsCredentials.pl c:\backup_2.2\20070104135727 c:\IpsCredentials.xml

Step 4 Log in to your Security Manager server and open CiscoWorks.

Step 5 Navigate to Common Services > Device and Credentials > Device Management.

Step 6 Click the Bulk Import button. The Import Devices dialog box appears.

Step 7 In the Import File Name field, enter or browse to the IpsCredentialFile that you created earlier in this procedure.

Step 8 In the Format Selection field, select XML.

Step 9 Enter Scheduling and Job Info information as desired.

Step 10 Click the Import button. The data that you exported from IPS MC 2.2 are imported into the CiscoWorks Device Credential Repository.

Step 11 Export your IPS devices from the Device Credential Repository (DCR). For detailed instructions on how to export devices from DCR, see the User Guide for CiscoWorks Common Services 3.1 at the following URL:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.1/user/guide/dcr.html#wp1378454.

Step 12 Add your IPS devices to Security Manager 3.2 from the file you exported from DCR by using the “Add Device From File” option in the New Device wizard.

The time required to import IPS MC data varies according to the size of the database file and the percentage of its records that must be discarded because they are associated with Security Monitor.
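A pre-flight check for the path and disk-space prerequisites listed before Step 1, written as an added example (it is not part of the Cisco guide or its scripts). The function names are hypothetical, and two points are assumptions: that Step 2's "full pathname" means a drive-letter path, and that the partition to measure is the one holding the transferred backup.

```python
import ntpath
import os
import shutil

MAX_PATH_LEN = 67   # guide's limit, counting the drive letter and backslashes
SPACE_FACTOR = 2    # guide recommends free space of at least 2x the import size


def check_backup_path(path):
    """Return the guide's path rules that `path` breaks (empty list = OK)."""
    problems = []
    if " " in path:
        problems.append("path contains a space")
    if len(path) > MAX_PATH_LEN:
        problems.append(f"path is {len(path)} characters, limit is {MAX_PATH_LEN}")
    drive, _ = ntpath.splitdrive(path)
    # Assumption: Step 2's "full pathname" means drive letter plus rooted path.
    if not (len(drive) == 2 and drive[0].isalpha() and ntpath.isabs(path)):
        problems.append("path is not a full pathname with a drive letter")
    return problems


def check_free_space(import_bytes, free_bytes):
    """Return a problem string if free space is below 2x the import size."""
    needed = SPACE_FACTOR * import_bytes
    if free_bytes < needed:
        return f"free space {free_bytes} bytes is below recommended {needed} bytes"
    return None


def backup_size(path):
    """Size in bytes of a backup file, or of every file under a backup directory."""
    if os.path.isfile(path):
        return os.path.getsize(path)
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
    return total


def preflight(path):
    """Run all checks against a backup that already sits on this server."""
    problems = check_backup_path(path)
    if not os.path.exists(path):
        return problems + ["backup not found at this path"]
    # Assumption: the partition holding the backup is the one that must have room.
    free = shutil.disk_usage(path).free
    space_problem = check_free_space(backup_size(path), free)
    if space_problem:
        problems.append(space_problem)
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        issues = preflight(sys.argv[1])
    else:
        issues = ["usage: preflight.py <backup path>"]
    print("\n".join(issues) or "OK")
    sys.exit(1 if issues else 0)
```

Run it on the Security Manager server after Step 2 and before Step 3, passing the pathname noted in Step 2.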

Index

A

antivirus utilities, requirement to disable 3-4

assigning

AUS to devices

after migration 5-8

Configuration Engines to devices

after migration 5-8

audience for this document 1-xii

AUS-managed devices

association with AUS

after migration 5-8

migrating

servers for 5-8

Auto Update Server (AUS)

assigning to devices

after migration 5-8

documentation 1-xiv

downgrading 5-12

importing from DCR

after migration 5-8

licensing 1-6

migrating

for AUS-managed devices 5-8

overview 1-3

upgrading 5-4

B

backing up

across mapped drives 5-5

before upgrade 5-5

database for downgrade 5-12

interference with network management applications 5-5

Security Manager database 5-5

backup and restore

upgrade using, definition 5-1

upgrade using, procedure 5-4

bootstrapping devices 8-5

browsers

requirements

cache 6-1

client 2-6

server 2-4

See also Firefox

See also Internet Explorer

C

C/C++ library files, where stored 1-7

Catalyst 6500 Series switches

client system

retrieval of inventory details 5-10

migrating to 3.2 5-9

migration report

after upgrading to 3.2 5-10

viewing on client systems after upgrade 5-10

cautions

regarding

system time, changing after installing RME 7-2

cautions, significance of 1-xii

CD-ONE

unsupported use 3-3

certificate authentication

disabled in previous version of Security Manager

and adding certificates 5-6

enabled in previous version of Security Manager

and certificate data store 5-6

certificates. See digital certificates

certificate thumbprints

adding to Security Manager

after upgrade from 3.0.2 5-6

from CLI 5-6

using perl scripts 5-6

checklists

client, browser best practices 6-1

server

enhancing performance 3-1

installation readiness 3-4

post-installation tasks 8-1

security best practices 8-4

Cisco 7600 Series routers

client system

retrieval of inventory details 5-10

migrating to 3.2 5-9

migration report

after upgrading to 3.2 5-10

viewing on client systems after upgrade 5-10

Cisco Marketplace 1-xv

Cisco Press 1-xv

Cisco Product Quick Reference Guide, obtaining 1-xv

Cisco product security

PSIRT 1-xv

SAFE blueprint 1-xii

vulnerability policy portal 1-xv

Cisco Security Agent

customized, standalone version

overwritten during installation 5-5

fully configurable version

not overwritten during installation 5-5

installing with Security Manager server 5-5

not uninstalled with server uninstallation 5-5

Cisco Security Agent

documentation B-1

installation, conditions for 1-5

IPS Event Viewer and modifying policy 1-4

modifying policy for IPS Event Viewer

automatically 1-4

manually 1-4

not installed on Security Manager server

automatically modifying policy for IPS Event Viewer 1-4

overview 1-5

policies

exported, on DVD 1-5, 3-2

imported, requirement to reconcile 3-2

standalone agent 1-5, B-1

preexisting on Security Manager server

manually modifying policy for IPS Event Viewer 1-4

security levels

changing B-2

default B-2

understanding B-2

troubleshooting A-12, B-1

uninstalling, recommendation against 3-2, A-12

Cisco Security Manager

and Performance Monitor 3.1

recommendation 1-5

basic concepts 8-5

getting started 8-5

interoperability with

Performance Monitor 3.1 1-5

late-breaking information about 1-xi

logging in 6-13

overview 1-2

Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)

date and time synchronization 3-4

interoperation with 3-4

overview 1-xi

CiscoView Device Manager

unsupported use 3-3

CiscoWorks

Common Services, overview 1-2

Monitoring Center for Security. See Security Monitor

TCP ports

Daemon Manager 2-3

HTTP 2-2

VPN/Security Management Solution (VMS)

migrating data to Security Manager 1-xiii

client software

logging in to a server 6-13

migration of Catalyst 6500/7600 switches 5-10

using 6-13

client systems

deleting Temp files 6-2

Device View

representation of Catalyst 6500/7600 switches 5-10

representing devices managed by AUS and CNS after upgrade 5-9

file locations on 1-7, 6-11

recommendation to delete Temp files 6-2

video (graphics) card drivers

confirming installed versions 2-5

upgrading 2-5

CMFLOCK.TXT file, deleting 4-7

CNS-managed devices

association with Configuration Engines

after migration 5-8

migrating

Configuration Engines for 5-8

Common Services

documentation 2-1

installing 2-1

licensing 1-6

required version 1-2

requirement to use 2-1

upgrading 5-1

Configuration Engines

assigning to devices

after migration 5-8

importing from DCR

after migration 5-8

migrating

for devices managed by 5-8

CSTM TCP port 2-3

D

database TCP port 2-3

date and time settings

caution against changing 3-4

recommendation to synchronize 2-1, 3-4

use of NTP servers 2-1

device bootstrapping 8-5

device certificates

before adding to Security Manager

checking validity 5-7

validating encryption keys 5-7

verifying end-host identity 5-7

verifying signature 5-7

device credentials

exporting from DCR as a .csv file

before adding certificates to Security Manager 5-7

before running getCerts.pl 5-7

device credentials repository (DCR)

exporting certificates from

using getCerts.pl 5-7

inventory file exported from

for adding AUS and Configuration Engines 5-8

server process 3-4

TCP port 2-3

troubleshooting 3-4

Device View

migrated Catalyst 6500/7600 switches

retrieving inventory details 5-10

red X icon

representing Cisco 7600 Series routers 5-10

representing devices managed by AUS and CNS 5-8

digital certificates

adding to Security Manager

using getCerts.pl 5-6

using loadCerts.pl 5-6

adding to Security Manager in bulk in one step 5-6

confirming validity

before using getCerts.pl 5-6

refreshing cache

and using loadCerts.pl 5-8

requirement to create 8-1

retrieving

after upgrade from 3.0.2 5-6

from devices in bulk 5-6

using perl scripts 5-6

retrieving for unreachable devices 5-8

troubleshooting 3-4

directory encryption, restriction against 2-5, 3-4

documentation

audience for this 1-xii

on Cisco.com 1-xv

ordering 1-xv

reviewing updated 1-xiii

typographical conventions in 1-xii

documentation, obtaining

Auto Update Server 1-xiv

Cisco Security Agent B-1

Cisco Security Manager 1-xiii

Common Services 1-xiv

Resource Manager Essentials (RME) 1-xiv

documentation feedback, sending to Cisco 1-xi, 1-xv

domain controllers (primary or backup), unsupported use 2-5

downgrading

related applications 5-12

requirements to be met 5-12

restoring backed up data 5-12

to earlier supported versions

from 3.2 5-12

E

encrypted directories, restriction against 2-5, 3-4

evaluation license

upgrading to permanent license 1-6

Event Services software TCP port requirements

HTTP 2-3

listening 2-3

routing 2-3

services 2-3

F

FAQs, in the troubleshooting guide 1-xiii

files, where stored

Cisco Security Agent

logs B-2

policies 1-5, 3-2

on client systems 1-7

on servers 1-7

file system recommendations 2-4

Firefox

cache size requirement 6-3

confirming the installed Java version 2-7

versions supported 2-4, 2-6

G

gatekeeper HIPO TCP port 2-2

getCerts.pl

access permissions for running 5-7

adding certificates to Security Manager 5-6

confirming validity of certificates

before using -a argument 5-6

device credentials, exporting to .csv file 5-6

syntax, description 5-7

using in conjunction with loadCerts.pl 5-6

getting started with Cisco Security Manager 8-5

H

HTTP TCP port 2-2

I

inline upgrade

See also in place upgrade

in place upgrade

definition 5-1

error during 5-2

from an earlier version with pending data 5-2

procedure 5-2

running the installer 5-2

installation

migrating Catalyst 6500/7600 switches 5-9

planning and preparation 1-xi

servers

dependencies 2-1

general requirements 2-1

post-installation tasks 8-1

preparatory tasks 3-1

starting an installation 4-2

troubleshooting 4-2

verifying 8-4

installing RME

installation notes 7-1

procedures

custom installations 7-4

typical installations 7-2

installing server software 4-1

Internet Explorer

cache size requirement 6-2

confirming the installed Java version 2-7

security settings 6-2

versions supported 2-4, 2-6

See also browsers

Internet Information Server (IIS)

conflict with Security Manager 3-3, 3-4

requirement to uninstall 3-3, 3-4

Internet Inter-ORB Protocol (IIOP) TCP port 2-2

IOS IPS devices

migrating from Security Manager 3.0.x

IP addresses

multiple network interface cards and 2-4

static address requirement 2-4

using dynamic addresses 2-4

using multiple interface cards 2-4

IPS Event Viewer client

communicating with server 1-4

IPS Event Viewer server

communicating with client

modifying firewall software policy 1-4

installing on a server with CSA 1-4

IPS Manager

downgrading 5-12

IPS Manager

importing IPS MC 2.2 data C-4

migrating from IPS MC C-4

prerequisites to import IPS MC data C-4

time required to import IPS MC data C-5

See also IPS MC

IPS MC

backing up server data C-4

exporting data C-4

migrating to IPS Manager C-4

securing the backed-up data C-4

See also IPS Manager

IPS sensors

migrating from Security Manager 3.0.x 5-10

J

Java

confirming the installed version 2-7

embedded version on client systems 2-7

L

language versions supported (Windows)

server 2-4, 2-6

LAN Management Solution (LMS), unsupported use 3-3

licenses

installing 1-7

Product Authorization Key (PAK) 1-6

Security Manager kit part numbers 1-6

settings 1-6

Software License Claim Certificate 1-6

understanding 1-6

upgrading 1-6

uploading new 1-6

working with 1-6

license server TCP port 2-3

loadCerts.pl

access permissions for running 5-7

adding certificates to Security Manager

using the .csv file with exported details 5-7

enabling certificate authentication

after running the script 5-7

retrieving certificates

for unreachable devices 5-8

running in verbose mode 5-8

running when Security Manager is launched

refreshing certificate cache 5-8

syntax, description 5-8

M

McAfee Antivirus

reenabling 6-10

memory (RAM)

client requirements 2-6

server requirements 2-4

migrating

Catalyst 6500/7600 switches

after upgrade 5-9

retrieving device details after upgrade 5-10

IOS IPS devices

IPS sensors

modifying firewall software policy 1-4

N

NETBIOS, recommendation to disable 3-3

Networking Professionals Connection 1-xv

network management applications

backup failure 5-5

network protocols, recommendation to disable 3-3

network shares, recommendation to avoid 3-3

Network Time Protocol (NTP) server, recommendation to use 2-1, 3-4

Norton Internet Security 2005

incompatibility 6-10

requirement to uninstall 6-10

NTFS file system, requirement to use 2-4

O

ODBC driver manager

confirming the installed version 2-4

requirements 2-4

working with Sybase files 2-4

OGS TCP port 2-3

online help, tips for viewing 6-2

operating systems

on client systems

Windows 2003 2-6

Windows Vista 2-6

Windows XP Professional 2-6

on servers

Windows 2003 Server 2-4

Osagent UDP port 2-3

overview 1-1

P

passwords

security basics C-3

strong passwords

characteristics C-2

definition 3-2

how to require 3-2

recommendations C-2

peer support, Networking Professionals Connection 1-xv

pending data

and upgrading 5-2, 5-4

submitting

in non-Workflow mode 5-2, 5-4

in Workflow mode 5-2, 5-4

taking over a user’s session

before upgrading 5-2, 5-4

Performance Monitor

overview 1-5

version 3.1, interoperability with

Security Manager 3.2 1-5

version 3.1, recommendation 1-5

perl scripts

exporting certificates into a .csv file 5-6

loading certificates into Security Manager in bulk 5-6

retrieving certificates

after upgrading from 3.0.2 5-6

See also getCerts.pl

See also loadCerts.pl

permanent license, upgrading from evaluation license 1-6

point patches

applying to a client 6-11

caution against accepting from a third-party 5-12

default location on client systems 6-12

deleting Temp files on client systems 6-2

obtaining 5-12

version mismatch 6-11

popup blockers

configuring 6-1, 6-2

conflicting with other installed software 3-2

disabling 6-1, 6-2

requirements 6-1

troubleshooting 6-1, 6-2

ports

required for TCP 2-2

required for UDP 2-2

product registration. See licenses

PSIRT 1-xv

publications, obtaining additional 1-xv

R

red X icon

in Device View

representing devices managed by AUS and CNS 5-8

representing migrated Catalyst 6500 Series switches 5-10

reinstalling

after database corruption

using restorebackup.pl 4-8

Common Services 4-8

server software 4-8

warning message 4-8

related documentation, obtaining 1-xiv

Remote Copy Protocol TCP port 2-2

removable media drives, security implications if compromised 8-4

requirements

client system 2-5

servers

installation, general 2-1

system 2-3

Resource Manager Essentials (RME)

documentation 1-xiv

entitlement to install 1-5

installing 1-5

installing on a Security Manager server

with VirusScan enabled 4-5

with VirusScan turned off 4-5

licensing 1-6

overview 1-5

restorebackup.pl

reinstalling

server software 4-8

restoring

after upgrade 5-5

database after downgrade 5-12

Security Manager database 5-5

using perl script 4-8

S

SAFE blueprint 1-xii

Secure Shell (SSH) TCP port 2-2

security

advisories 1-xv

incidents, obtaining assistance 1-xv

news from Cisco

registering to receive 1-xv

RSS feed URL 1-xv

notices 1-xv

PSIRT 1-xv

vulnerabilities, reporting 1-xv

Security Manager database

pending data

and upgrading 5-2, 5-4

Security Manager database TCP port 2-3

Security Monitor C-4

sensors

See also IPS Sensors

server

configuration

boot settings 3-3

date and time settings 3-4

downgrading from 3.2 5-12

file locations

database files 1-7

log files 1-7

miscellaneous files 1-7

installations

best practices 3-1

dependencies 2-1

procedures 4-1, 5-1

performance

best practices for enhancing 3-1

operating environment 2-3, 4-1

preparation checklists 3-1

processes, verifying status 8-4

traffic

required inbound ports 2-2

required outbound ports 2-2

upgrading 5-4

service agreement contracts 1-6

service packs

applying to a client 6-11

caution against accepting from a third-party 5-12

default location on client systems 6-12

deleting Temp files on client systems 6-2

obtaining 5-12

recommendation to delete Temp files on client systems 6-2

version mismatch 6-11

service requests

submitting 1-xv

services

minimum required for Windows 3-3

required for TCP 2-2

required for UDP 2-2

SNMP polling UDP port 2-2

SNMP trap UDP port 2-2

software updates. See point patches

SSL certificate invalidation 3-4

SSL mode (for HTTP server) TCP port 2-2

support

Networking Professionals Connection 1-xv

obtaining from Cisco 1-xv

service agreement contracts 1-6

Software Application Support contracts 1-6

Sybase, requirement to disable 3-4

Sybase database files, requirement to use correct ODBC version 2-4

Syslog UDP port 2-2

T

TACACS+ TCP port 2-2

TCP

list of required ports 2-2

list of required services 2-2

technical support (TAC)

obtaining 1-xv

URL for service requests 1-xv

Telnet TCP port 2-2

Terminal Services

requirements 2-5, 3-4

unsupported configuration 2-5

Tomcat

Ajp13 connector TCP port 2-3

global library files, where stored 1-7

shutdown TCP port 2-3

training, obtaining 1-xv

Trivial File Transfer Protocol (TFTP) UDP port 2-2

troubleshooting

antivirus scanners 3-2

Cisco Security Agent

blocking a valid operation A-13

blocking network access A-12

diagnostic utility A-13

icon appearance changed in system tray A-13

obtaining a revised agent from TAC A-12

recognizing when the agent is disabled A-13

security level is High A-12

setting the security level to Medium A-12

untrusted rootkit detected A-12

using the log file A-12

collecting server troubleshooting information A-14

DCRServer process does not start 3-4

error messages

client installation A-7

server installation A-2

server uninstallation A-5

file contents cannot be unpacked 4-2

file corruption

executable file 4-2

host-based intrusion software 3-2

incorrect GUI 2-5, 8-5, A-3

installation

does not run A-11

hangs A-3, A-9

reviewing log files A-15

interoperation with CS-MARS 3-4

invalid SSL certificate 3-4

java.security.cert errors 3-4

mapped drives A-4

missing

GUI A-3

product features A-3

popup blockers 3-2, 6-1, 6-2

security software conflicts 3-2

server processes

changing A-14

restarting A-15

viewing A-14

server self-test A-13

time-dependent features 7-2

uninstallation

does not run A-11

hangs A-6

using MDCSupport.exe A-14

troubleshooting guide, obtaining 1-xiii

typographical conventions in this document 1-xii

U

UDP

list of required ports 2-2

list of required services 2-2

uninstallation

cautions against

uninstalling from infected servers 4-6

recommendation to restart client systems 6-13

recommendation to restart servers 4-7

servers

deleting CMFLOCK.TXT 4-7

failure to delete CSCOpx/bin folder 4-6

server software 4-6

updates. See point patches

upgrading

earlier versions supported for 5-1, 5-3

migrating Catalyst 6500/7600 switches 5-9

pending data

committing 5-2, 5-4

discarding 5-2, 5-4

taking over a user’s session 5-2, 5-4

using

backup and restore 5-5

in place 5-2

upgrading from

an earlier release 4-6, 5-1

VMS 4-6, 5-1

upgrading migrating to RME 4.0.5

backing up and restoring RME data to RME 4.0.5 7-9

upgrading from RME 4.0.x to RME 4.0.5

local upgrade 7-8

remote upgrade 7-8

user accounts

admin C-1

casuser C-1

System Identity C-1

understanding C-1

user permissions, understanding C-2

V

verifying an installation 8-4

VirusScan

disabled on a Security Manager server

stopping Performance Monitor installation 4-5

stopping RME installation 4-5

failed installation of

RME and Performance Monitor 4-5

installed on a Security Manager server

with Performance Monitor 4-5

with RME 4-5

On-Access Scan feature

running 4-5

turned off 4-5

workaround for

installing Performance Monitor 4-5

installing RME 4-5

W

web context files, where stored 1-7

Windows services, required 3-3
