Versions Compared

Old Version 7

changes.mady.by.user Nick Day

Saved on

compared with

New Version 8

changes.mady.by.user Nick Day

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • CREDENTIAL SETS:

    • Credential sets are a combination of usernames, passwords, access protocols (ssh, telnet), privilege modes etc. allowing access to the devices CLI.
    • Once the credential set has been used to create a working CLI access then "commands" can be issued and the results recorded.

  • COMMANDS:

    • Commands are normally command line constructs which will be executed on the node in question. 

      • (Some are "passive commands" like "audit-import" which are not actually run on the node but the result is associated with node.

      • Commands can be grouped and collected into what opConfig calls a "command set". Command sets can be configured to apply only to particular platforms or OS versions.

    • The command output is captured and stored by opConfig.

    •  Command outputs are compared against the previous revision, and if different it's saved as a new revision in opConfig.  e.g.a one-shot command which is not analyzed in great detail (e.g. a process listing or some other diagnostic command)

    • A command can be marked for change detection in which case more detailed analysis occurs for changes.

  • CHANGES / REVISIONS:

    • Command outputs can be maked for change detection (e.g. a listing of installed software), in which case opConfig creates detailed records of what the changes are - again only if there are differences between the current command output and the most recent revision for this command.

    • Revisions are  the time series of the command outputs and there changes.

Adding or Modifying Nodes

To tell opConfig to run commands for a node it needs to be told about the node's existence and what properties the node has (e.g. what platform, what OS, what credential set (ssh telnet) to use to contact the node ). Adding a node for opConfig can be done using the GUI or the command line tools opconfig-cli.pl and opnode_admin.pl. You can add node information manually to opConfig, or you can import node's info from NMIS or OpenAudit.

opConfig can connect to any node (and run commands for it) as long as it has valid connection settings for it (and as long as it is note disabled for opConfig).

Add a node Using the GUI

  • System menu
    • Edit Nodes.
      Image Removed
      • "Import new Nodes from NMIS" or  "Add Node"   -  These let you create new node records either automatically or manually.  
        • If you successfully import the node you should only need to add the credential set and the transport protocol.  See below about config problems.

The following is a breakdown on the information opConfig uses about the device, which you might need to edit manually if certain information was not already known

...

  1.  Personality this is the CLI Parsing to use to enable the issuing of commands -The Personality is also required to tell opConfig what kind of commands this node understands, e.g. whether it's a Unix-like system with a real shell or whether it's a Cisco IOS device and so on. The Personality includes information about the prompts, line-ending conventions etc. a node is subject to; for example, the 'ios' personality works only on Cisco IOS devices, while the 'bash' personality covers just about all Unix systems with the bash shell.
  2.  CredentialSet - NOT automatic is the credentials to use
  3. NOT automatic is what Transport to use (Telnet or SSH).

...

Managing Credential Sets

Credentials for all connections made by opConfig are configurable from the opConfig GUI ONLY.

Select the menu "System", then "Edit Credential Sets". Credential sets can be shared by any number of nodes.

Each credential set has to have a unique name, by which it is referenced in the nodes' connection settings. The description field is self-explanatory and optional.

A credential set has to specify a User Name property, which is used when logging in to the nodes the set applies to. At this time, opConfig supports only password-based authentication at the node, and the Password property of the credential  set establishes the primary password for this user name. Future versions will support SSH Key-based authentication, as well as other mechanisms.

Some commands cannot be performed by an unprivileged user, which is why opConfig also supports elevating the privileges on demand. To control this, a credential set can optionally include a Superuser/Privileged/Enable Password. Depending on the node's platform and personality, different mechanisms will be used to gain increased privileges:

  • On Cisco IOS devices, this password  is used with the enable command.
  • With personality bash (the default for Unix-like systems), the command sudo is used to become the superuser. Sudo therefore needs to be installed and configured on such nodes, and the User Name in question needs to be authorized for sudo.

Naturally not all commands require elevated privileges; see the section on Command Sets for how to determine and configure those.

Please note that the Credential  Set editing dialogs do never show existing passwords (or their legth or existence); You can only overwrite password entries. All credential sets are stored in the database in encrypted form.

Adding or Modifying Nodes

To tell opConfig to run commands for a node it needs to be told about the node's existence and what properties the node has (e.g. what platform, what OS, what credential set (ssh telnet) to use to contact the node ). Adding a node for opConfig can be done using the GUI or the command line tools opconfig-cli.pl and opnode_admin.pl. You can add node information manually to opConfig, or you can import node's info from NMIS or OpenAudit.

opConfig can connect to any node (and run commands for it) as long as it has valid connection settings for it (and as long as it is note disabled for opConfig).

Add a node Using the GUI

  • System menu
    • Edit Nodes.
      Image Added
      • "Import new Nodes from NMIS" or  "Add Node"   -  These let you create new node records either automatically or manually.  
        • If you successfully import the node you should only need to add the credential set and the transport protocol.  See below about config problems.

The following is a breakdown on the information opConfig uses about the device, which you might need to edit manually if certain information was not already known

  1. General TAB - This is generic information about the device and is the information imported from NMIS / OpenAudit.
  2. Connection TAB -  To connect to a node, opConfig needs to know some information about it,  a lot of this is automatically added based on NMIS or OpenAudit information
    1.  Personality this is the CLI Parsing to use to enable the issuing of commands -The Personality is also required to tell opConfig what kind of commands this node understands, e.g. whether it's a Unix-like system with a real shell or whether it's a Cisco IOS device and so on. The Personality includes information about the prompts, line-ending conventions etc. a node is subject to; for example, the 'ios' personality works only on Cisco IOS devices, while the 'bash' personality covers just about all Unix systems with the bash shell.
    2.  CredentialSet - NOT automatic is the credentials to use
    3. NOT automatic is what Transport to use (Telnet or SSH).
  3. OS TAB - opConfig needs to know about your new node's OS  - this is because the default command sets that opConfig uses are associated to the Operating System name.  
    1. These fields should be automatically populated if your device was discovered by NMIS or OpenAudit

    • Most entries on these editing pages have tooltips with explanations. If you edit or add a node you will likely see some entries in the red "Configuration Problems" tab. Here is an example:
      • Image Added
        The problem reports are fairly self-explanatory (and clickable), but let's go over them quickly:
      • At this point in time, opConfig supports only Telnet and SSH, and for SSH only password-based authentication is supported.
      • If a node is imported from NMIS (or Open-AudIT Enterprise) then the OS Info is prefilled as much as possible (but can be modified by you, of course). If there is no or incorrect OS information, then opConfig will not run any or the right command sets on your node.
      • And, last but not least: interactive connections to nodes clearly require authentication and authorization in the form of access credentials, hence you must tell opConfig which Credential Set should apply to your new node.

Import (and discovery) from the Command Line

opConfig CLI tools are found in /usr/local/omk/bin

opconfig-cli.pl can import nodes from NMIS, and offers a credential set and transport discovery option. Simply run opconfig-cli.pl without options to see a brief usage help.

To import you'd run opconfig-cli.pl act=import_from_nmis (optionally limited to the names of known nodes with an argument of nodes=nodeX,nodeY). If you have already setup credential sets, then you can let opConfig guess which to use for your node using opconfig-cli.pl act=discover node=TheNewNodeName - if none of the Transport+Credential Set combinations work for the node, opconfig-cli.pl will print an error message.

General Node management from the Command Line

The tool opnode_admin.pl lets you list, export, create, modify or delete nodes from the command line. Editing operations involve an export to a JSON file, which you then modify using an editor or other tool of choice, followed by an update of the node using that JSON file. The opnode_admin.pl tool is pretty self-explanatory, and behaves almost identically to the NMIS node_admin.pl tool which is documented extensively here

  • Most entries on these editing pages have tooltips with explanations. If you edit or add a node you will likely see some entries in the red "Configuration Problems" tab. Here is an example:
    • Image Removed
      The problem reports are fairly self-explanatory (and clickable), but let's go over them quickly:
    • At this point in time, opConfig supports only Telnet and SSH, and for SSH only password-based authentication is supported.
    • If a node is imported from NMIS (or Open-AudIT Enterprise) then the OS Info is prefilled as much as possible (but can be modified by you, of course). If there is no or incorrect OS information, then opConfig will not run any or the right command sets on your node.
    • And, last but not least: interactive connections to nodes clearly require authentication and authorization in the form of access credentials, hence you must tell opConfig which Credential Set should apply to your new node.

Import (and discovery) from the Command Line

opConfig CLI tools are found in /usr/local/omk/bin

opconfig-cli.pl can import nodes from NMIS, and offers a credential set and transport discovery option. Simply run opconfig-cli.pl without options to see a brief usage help.

To import you'd run opconfig-cli.pl act=import_from_nmis (optionally limited to the names of known nodes with an argument of nodes=nodeX,nodeY). If you have already setup credential sets, then you can let opConfig guess which to use for your node using opconfig-cli.pl act=discover node=TheNewNodeName - if none of the Transport+Credential Set combinations work for the node, opconfig-cli.pl will print an error message.

General Node management from the Command Line

The tool opnode_admin.pl lets you list, export, create, modify or delete nodes from the command line. Editing operations involve an export to a JSON file, which you then modify using an editor or other tool of choice, followed by an update of the node using that JSON file. The opnode_admin.pl tool is pretty self-explanatory, and behaves almost identically to the NMIS node_admin.pl tool which is documented extensively here.

Managing Credential Sets

Credentials for all connections made by opConfig are configurable from the opConfig GUI (only): Select the menu System, then Edit Credential Sets. Credential sets can be shared by any number of nodes.

Each credential set has to have a unique name, by which it is referenced in the nodes' connection settings. The description field is self-explanatory and optional.

A credential set has to specify a User Name property, which is used when logging in to the nodes the set applies to. At this time, opConfig supports only password-based authentication at the node, and the Password property of the credential  set establishes the primary password for this user name. Future versions will support SSH Key-based authentication, as well as other mechanisms.

Some commands cannot be performed by an unprivileged user, which is why opConfig also supports elevating the privileges on demand. To control this, a credential set can optionally include a Superuser/Privileged/Enable Password. Depending on the node's platform and personality, different mechanisms will be used to gain increased privileges:

  • On Cisco IOS devices, this password  is used with the enable command.
  • With personality bash (the default for Unix-like systems), the command sudo is used to become the superuser. Sudo therefore needs to be installed and configured on such nodes, and the User Name in question needs to be authorized for sudo.

Naturally not all commands require elevated privileges; see the section on Command Sets for how to determine and configure those.

Please note that the Credential  Set editing dialogs do never show existing passwords (or their legth or existence); You can only overwrite password entries. All credential sets are stored in the database in encrypted form.

Managing Command Sets

As mentioned above opConfig lets you organize whatever commands you'd like it to run into an arbitrary number of groups which we call command sets.

...